Edit tour

Windows Analysis Report
Documento de confirmacion de orden de compra OC 1580070060.exe

Overview

General Information

Sample name:	Documento de confirmacion de orden de compra OC 1580070060.exe
Analysis ID:	1392765
MD5:	244606adb1918cd7f50048a8ec6f5d1c
SHA1:	4cac8a6114ec36b361f76510f8614408c8c091ae
SHA256:	8a75a7116ae80c077d8d4674fa044bd40670844116f200337bbbcef5ae3ee9a1
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect virtualization through RDTSC time measurements

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Unusual Parent Process For Cmd.EXE

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Documento de confirmacion de orden de compra OC 1580070060.exe (PID: 7844 cmdline: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe MD5: 244606ADB1918CD7F50048A8EC6F5D1C)

powershell.exe (PID: 8096 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Documento de confirmacion de orden de compra OC 1580070060.exe (PID: 8112 cmdline: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe MD5: 244606ADB1918CD7F50048A8EC6F5D1C)

explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

wlanext.exe (PID: 7244 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: 0D5F0A7CA2A8A47E3A26FB1CB67E118C)

cmd.exe (PID: 5688 cmdline: /c del "C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.rdlva.com/pz08/"], "decoy": ["deespresence.com", "fanyablack.com", "papermoonnursery.com", "sunriseclohting.store", "jenstandsforarkansas.com", "lkhtalentconsulting.com", "baerana.com", "hyperphit.com", "davidianbrant.com", "itkagear.com", "web-findmy.site", "liveforwardventures.com", "skyenglearn.online", "studio-sticky.store", "yassa-hany.online", "tacoshack479.com", "bigtexture.xyz", "erxkula.shop", "go-bloggers.com", "qwdlwys.site", "taylorpritchett.com", "yobo-by.com", "trendsdrop.com", "boostyourselftoday.com", "taxibactrungnam.com", "sgzycp.net", "anti-theft-device-82641.bond", "ytytyt016.xyz", "loveyourhome.style", "ithinkmoney.com", "bertric.info", "permanentday.space", "kxn.ink", "onlythumbs.online", "techrihno.com", "washing-machine-46612.bond", "phdop.xyz", "nordens-media.com", "gourmetfoodfactory.com", "ketoalycetiworks.buzz", "amplilim.site", "usetruerreview.com", "inprime.xyz", "aloyoga-uae.com", "quickfiuserers.com", "primadesignerhomes.com", "greatlifehacks.online", "thewipglobal.com", "tobegoodlife.net", "hotelfincamalvasia.com", "trevts.com", "ae-skinlab.com", "grammarhome.com", "cld005.com", "first-solution.online", "keylabcerrajeria.com", "besttravelsgate.com", "friskiwear.com", "hedrickmanufactory.com", "pinewell.world", "5819995.com", "c2help.live", "kai3.center", "plantasdasminas.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.3788521267.0000000010F75000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xa32:$a2: pass 0xa38:$a3: email 0xa3f:$a4: login 0xa46:$a5: signin 0xa57:$a6: persistent 0xc2a:$r1: C:\Users\user\AppData\Roaming\65P499SE\65Plog.ini
00000009.00000002.3769847094.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.3769847094.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.3769847094.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000009.00000002.3769847094.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.3769847094.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.3769632843.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.3769632843.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.3769632843.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000009.00000002.3769632843.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.3769632843.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.1365377346.0000000003DCE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.1365377346.0000000003DCE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1365377346.0000000003DCE000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6831:$a1: 3C 30 50 4F 53 54 74 09 40 0x34c51:$a1: 3C 30 50 4F 53 54 74 09 40 0x62071:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d190:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x4b5b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x789d0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xaf9f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x393bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x667df:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x15e87:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x442a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x716c7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.1365377346.0000000003DCE000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9ee8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa152:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x38308:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x38572:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x65728:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x65992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15c85:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x440a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x714c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15771:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x43b91:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x70fb1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15d87:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x441a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x715c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15eff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x4431f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x7173f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xab6a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x38f8a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x663aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000002.00000002.1365377346.0000000003DCE000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18e19:$sqlite3step: 68 34 1C 7B E1 0x18f2c:$sqlite3step: 68 34 1C 7B E1 0x47239:$sqlite3step: 68 34 1C 7B E1 0x4734c:$sqlite3step: 68 34 1C 7B E1 0x74659:$sqlite3step: 68 34 1C 7B E1 0x7476c:$sqlite3step: 68 34 1C 7B E1 0x18e48:$sqlite3text: 68 38 2A 90 C5 0x18f6d:$sqlite3text: 68 38 2A 90 C5 0x47268:$sqlite3text: 68 38 2A 90 C5 0x4738d:$sqlite3text: 68 38 2A 90 C5 0x74688:$sqlite3text: 68 38 2A 90 C5 0x747ad:$sqlite3text: 68 38 2A 90 C5 0x18e5b:$sqlite3blob: 68 53 D8 7F 8C 0x18f83:$sqlite3blob: 68 53 D8 7F 8C 0x4727b:$sqlite3blob: 68 53 D8 7F 8C 0x473a3:$sqlite3blob: 68 53 D8 7F 8C 0x7469b:$sqlite3blob: 68 53 D8 7F 8C 0x747c3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: Documento de confirmacion de orden de compra OC 1580070060.exe PID: 7844	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Documento de confirmacion de orden de compra OC 1580070060.exe PID: 7844	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x3ec8e:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: Documento de confirmacion de orden de compra OC 1580070060.exe PID: 8112	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x31617:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: wlanext.exe PID: 7244	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xd00af:$a1: 3C 30 50 4F 53 54 74 09 40 0x176b3e:$a1: 3C 30 50 4F 53 54 74 09 40 0x1782e2:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.Documento de confirmacion de orden de compra OC 1580070060.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.Documento de confirmacion de orden de compra OC 1580070060.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
6.2.Documento de confirmacion de orden de compra OC 1580070060.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
6.2.Documento de confirmacion de orden de compra OC 1580070060.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.Documento de confirmacion de orden de compra OC 1580070060.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
6.2.Documento de confirmacion de orden de compra OC 1580070060.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.Documento de confirmacion de orden de compra OC 1580070060.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
6.2.Documento de confirmacion de orden de compra OC 1580070060.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
6.2.Documento de confirmacion de orden de compra OC 1580070060.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.Documento de confirmacion de orden de compra OC 1580070060.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a39:$sqlite3step: 68 34 1C 7B E1 0x17b4c:$sqlite3step: 68 34 1C 7B E1 0x17a68:$sqlite3text: 68 38 2A 90 C5 0x17b8d:$sqlite3text: 68 38 2A 90 C5 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe, ParentImage: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe, ParentProcessId: 7844, ParentProcessName: Documento de confirmacion de orden de compra OC 1580070060.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe, ProcessId: 8096, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Unusual Parent Process For Cmd.EXE

Source: Process started

Author: Tim Rauch: Data: Command: /c del "C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe", CommandLine: /c del "C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\wlanext.exe, ParentImage: C:\Windows\SysWOW64\wlanext.exe, ParentProcessId: 7244, ParentProcessName: wlanext.exe, ProcessCommandLine: /c del "C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe", ProcessId: 5688, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe, ParentImage: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe, ParentProcessId: 7844, ParentProcessName: Documento de confirmacion de orden de compra OC 1580070060.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe, ProcessId: 8096, ProcessName: powershell.exe

Snort Signatures

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.10 - Destination IP: 172.104.233.69

Timestamp:	192.168.2.10172.104.233.6949718802031412 02/15/24-12:08:33.578230
SID:	2031412
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.10 - Destination IP: 3.33.130.190

Timestamp:	192.168.2.103.33.130.19049714802031412 02/15/24-12:07:10.035583
SID:	2031412
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.10 - Destination IP: 91.195.240.117

Timestamp:	192.168.2.1091.195.240.11749717802031412 02/15/24-12:08:12.279647
SID:	2031412
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.10 - Destination IP: 104.247.82.92

Timestamp:	192.168.2.10104.247.82.9249715802031412 02/15/24-12:07:31.796089
SID:	2031412
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.10 - Destination IP: 103.224.212.213

Timestamp:	192.168.2.10103.224.212.21349719802031412 02/15/24-12:08:53.961818
SID:	2031412
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.10 - Destination IP: 104.18.118.41

Timestamp:	192.168.2.10104.18.118.4149716802031412 02/15/24-12:07:52.346420
SID:	2031412
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.10 - Destination IP: 13.248.169.48

Timestamp:	192.168.2.1013.248.169.4849720802031412 02/15/24-12:09:35.485729
SID:	2031412
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.10 - Destination IP: 3.33.130.190

Timestamp:	192.168.2.103.33.130.19049721802031412 02/15/24-12:09:55.854946
SID:	2031412
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Documento de confirmacion de orden de compra OC 1580070060.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.first-solution.online	Avira URL Cloud: Label: malware
Source: http://www.deespresence.com	Avira URL Cloud: Label: malware
Source: http://www.deespresence.com/pz08/?mzrPV4R=mxdTlzLD7R2wREPHHt3at4Gpr92+eFouLLpunB54pJiVolXtAgiSpNVnugXBmdY6T59Y&Rl=8pFP0r98Chvt5p5P	Avira URL Cloud: Label: malware
Source: http://www.phdop.xyz/pz08/www.gourmetfoodfactory.com	Avira URL Cloud: Label: phishing
Source: http://www.deespresence.com/pz08/www.first-solution.online	Avira URL Cloud: Label: malware
Source: http://www.deespresence.com/pz08/	Avira URL Cloud: Label: malware
Source: http://www.first-solution.online/pz08/www.anti-theft-device-82641.bond	Avira URL Cloud: Label: malware
Source: http://www.first-solution.online/pz08/	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.rdlva.com/pz08/"], "decoy": ["deespresence.com", "fanyablack.com", "papermoonnursery.com", "sunriseclohting.store", "jenstandsforarkansas.com", "lkhtalentconsulting.com", "baerana.com", "hyperphit.com", "davidianbrant.com", "itkagear.com", "web-findmy.site", "liveforwardventures.com", "skyenglearn.online", "studio-sticky.store", "yassa-hany.online", "tacoshack479.com", "bigtexture.xyz", "erxkula.shop", "go-bloggers.com", "qwdlwys.site", "taylorpritchett.com", "yobo-by.com", "trendsdrop.com", "boostyourselftoday.com", "taxibactrungnam.com", "sgzycp.net", "anti-theft-device-82641.bond", "ytytyt016.xyz", "loveyourhome.style", "ithinkmoney.com", "bertric.info", "permanentday.space", "kxn.ink", "onlythumbs.online", "techrihno.com", "washing-machine-46612.bond", "phdop.xyz", "nordens-media.com", "gourmetfoodfactory.com", "ketoalycetiworks.buzz", "amplilim.site", "usetruerreview.com", "inprime.xyz", "aloyoga-uae.com", "quickfiuserers.com", "primadesignerhomes.com", "greatlifehacks.online", "thewipglobal.com", "tobegoodlife.net", "hotelfincamalvasia.com", "trevts.com", "ae-skinlab.com", "grammarhome.com", "cld005.com", "first-solution.online", "keylabcerrajeria.com", "besttravelsgate.com", "friskiwear.com", "hedrickmanufactory.com", "pinewell.world", "5819995.com", "c2help.live", "kai3.center", "plantasdasminas.com"]}

Multi AV Scanner detection for submitted file

Source: Documento de confirmacion de orden de compra OC 1580070060.exe	ReversingLabs: Detection: 65%
Source: Documento de confirmacion de orden de compra OC 1580070060.exe	Virustotal: Detection: 73%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 6.2.Documento de confirmacion de orden de compra OC 1580070060.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Documento de confirmacion de orden de compra OC 1580070060.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3769847094.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3769632843.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1365377346.0000000003DCE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Machine Learning detection for sample

Source: Documento de confirmacion de orden de compra OC 1580070060.exe

Joe Sandbox ML: detected

Source: Documento de confirmacion de orden de compra OC 1580070060.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Documento de confirmacion de orden de compra OC 1580070060.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: Documento de confirmacion de orden de compra OC 1580070060.exe, 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000009.00000003.1424111215.0000000002D28000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000009.00000003.1421913080.0000000002B4B000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Documento de confirmacion de orden de compra OC 1580070060.exe, Documento de confirmacion de orden de compra OC 1580070060.exe, 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, wlanext.exe, 00000009.00000003.1424111215.0000000002D28000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000009.00000003.1421913080.0000000002B4B000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wlanext.pdb source: Documento de confirmacion de orden de compra OC 1580070060.exe, 00000006.00000002.1422651001.0000000001128000.00000004.00000020.00020000.00000000.sdmp, Documento de confirmacion de orden de compra OC 1580070060.exe, 00000006.00000002.1422817149.0000000001450000.00000040.10000000.00040000.00000000.sdmp, wlanext.exe, 00000009.00000002.3767596988.0000000000830000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wlanext.pdbGCTL source: Documento de confirmacion de orden de compra OC 1580070060.exe, 00000006.00000002.1422651001.0000000001128000.00000004.00000020.00020000.00000000.sdmp, Documento de confirmacion de orden de compra OC 1580070060.exe, 00000006.00000002.1422817149.0000000001450000.00000040.10000000.00040000.00000000.sdmp, wlanext.exe, 00000009.00000002.3767596988.0000000000830000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 4x nop then pop esi		6_2_00417312
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 4x nop then pop esi		9_2_02867312

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.10:49714 -> 3.33.130.190:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.10:49715 -> 104.247.82.92:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.10:49716 -> 104.18.118.41:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.10:49717 -> 91.195.240.117:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.10:49718 -> 172.104.233.69:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.10:49719 -> 103.224.212.213:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.10:49720 -> 13.248.169.48:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.10:49721 -> 3.33.130.190:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 13.248.169.48 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 103.224.212.213 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 172.104.233.69 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 91.195.240.117 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.33.130.190 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.247.82.92 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.rdlva.com/pz08/

Source: global traffic	HTTP traffic detected: GET /pz08/?mzrPV4R=mxdTlzLD7R2wREPHHt3at4Gpr92+eFouLLpunB54pJiVolXtAgiSpNVnugXBmdY6T59Y&Rl=8pFP0r98Chvt5p5P HTTP/1.1Host: www.deespresence.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?mzrPV4R=etofVVeG6jH3REbkxKWYpV64ElMartPom1s3O4G0OaAMWkudRp1A+A5HBO7QLbRw3W/6&Rl=8pFP0r98Chvt5p5P HTTP/1.1Host: www.first-solution.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?mzrPV4R=w4iQQzmLgtkynP17ZMB2mbFkkIU6TbnESYYIzY5jx7ngWWHQ4I+nKrEmnl21fB9XO+Mu&Rl=8pFP0r98Chvt5p5P HTTP/1.1Host: www.anti-theft-device-82641.bondConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?mzrPV4R=rNKgyUfibZYi2jFMK108bKnky+14wNxwM8NnE8KsHa7VIqkijrw0P4oWcpuZrVGnm++1&Rl=8pFP0r98Chvt5p5P HTTP/1.1Host: www.tobegoodlife.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?mzrPV4R=0FaXmte0/P3knfwA0sMIwS1mD7E8vQQWGPcDD9zpFFyhOAUFaj5MXy9fjN2AdDBFU3yO&Rl=8pFP0r98Chvt5p5P HTTP/1.1Host: www.boostyourselftoday.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?mzrPV4R=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuMVpBqNDhq+c&Rl=8pFP0r98Chvt5p5P HTTP/1.1Host: www.yassa-hany.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?mzrPV4R=YXUHyuzV9xL0ASV6xbcNd1qnDMoomLXuS1YqahB0JTuNzOlGIgIKnXH69pHGKPL64RNK&Rl=8pFP0r98Chvt5p5P HTTP/1.1Host: www.gourmetfoodfactory.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?mzrPV4R=sHUCYmOOLAoNE4y8/5cjc5MBwdY8WEAoN/4wEGeHNPnX/dfJjUbL6GitjPFCVlt2AKTz&Rl=8pFP0r98Chvt5p5P HTTP/1.1Host: www.rdlva.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 91.195.240.117 91.195.240.117
Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48

Source: Joe Sandbox View	ASN Name: SEDO-ASDE SEDO-ASDE
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU TRELLIAN-AS-APTrellianPtyLimitedAU
Source: Joe Sandbox View	ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS
Source: Joe Sandbox View	ASN Name: AMAZONEXPANSIONGB AMAZONEXPANSIONGB

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /pz08/?mzrPV4R=mxdTlzLD7R2wREPHHt3at4Gpr92+eFouLLpunB54pJiVolXtAgiSpNVnugXBmdY6T59Y&Rl=8pFP0r98Chvt5p5P HTTP/1.1Host: www.deespresence.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?mzrPV4R=etofVVeG6jH3REbkxKWYpV64ElMartPom1s3O4G0OaAMWkudRp1A+A5HBO7QLbRw3W/6&Rl=8pFP0r98Chvt5p5P HTTP/1.1Host: www.first-solution.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?mzrPV4R=w4iQQzmLgtkynP17ZMB2mbFkkIU6TbnESYYIzY5jx7ngWWHQ4I+nKrEmnl21fB9XO+Mu&Rl=8pFP0r98Chvt5p5P HTTP/1.1Host: www.anti-theft-device-82641.bondConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?mzrPV4R=rNKgyUfibZYi2jFMK108bKnky+14wNxwM8NnE8KsHa7VIqkijrw0P4oWcpuZrVGnm++1&Rl=8pFP0r98Chvt5p5P HTTP/1.1Host: www.tobegoodlife.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?mzrPV4R=0FaXmte0/P3knfwA0sMIwS1mD7E8vQQWGPcDD9zpFFyhOAUFaj5MXy9fjN2AdDBFU3yO&Rl=8pFP0r98Chvt5p5P HTTP/1.1Host: www.boostyourselftoday.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?mzrPV4R=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuMVpBqNDhq+c&Rl=8pFP0r98Chvt5p5P HTTP/1.1Host: www.yassa-hany.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?mzrPV4R=YXUHyuzV9xL0ASV6xbcNd1qnDMoomLXuS1YqahB0JTuNzOlGIgIKnXH69pHGKPL64RNK&Rl=8pFP0r98Chvt5p5P HTTP/1.1Host: www.gourmetfoodfactory.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?mzrPV4R=sHUCYmOOLAoNE4y8/5cjc5MBwdY8WEAoN/4wEGeHNPnX/dfJjUbL6GitjPFCVlt2AKTz&Rl=8pFP0r98Chvt5p5P HTTP/1.1Host: www.rdlva.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.deespresence.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Thu, 15 Feb 2024 11:07:31 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Thu, 15 Feb 2024 11:09:35 GMTContent-Type: text/plainContent-Length: 0Connection: closeETag: "65ca405c-0"

Source: explorer.exe, 00000007.00000002.3779275161.0000000009559000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078069193.0000000009559000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2164187497.0000000009558000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3777035401.00000000094DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1369898580.000000000952D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1369898580.00000000094DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000007.00000002.3779275161.0000000009559000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078069193.0000000009559000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2164187497.0000000009558000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3777035401.00000000094DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1369898580.000000000952D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1369898580.00000000094DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000007.00000002.3779275161.0000000009559000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078069193.0000000009559000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3777035401.0000000009519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2164187497.0000000009558000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3777035401.00000000094DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1369898580.000000000952D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1369898580.0000000009519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1369898580.00000000094DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000007.00000002.3788080356.0000000010BAF000.00000004.80000000.00040000.00000000.sdmp, wlanext.exe, 00000009.00000002.3770571332.00000000039AF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://img.sedoparking.com
Source: explorer.exe, 00000007.00000002.3779275161.0000000009559000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078069193.0000000009559000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2164187497.0000000009558000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3777035401.00000000094DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1369898580.000000000952D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1369898580.00000000094DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000007.00000002.3770390587.000000000305D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078340043.000000000305D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3074676550.000000000305D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1363775067.000000000305D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000007.00000002.3775616334.0000000007B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.3775547148.0000000007AF0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.3770049273.0000000002C00000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: Documento de confirmacion de orden de compra OC 1580070060.exe, 00000002.00000002.1363884469.0000000002C39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anti-theft-device-82641.bond
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anti-theft-device-82641.bond/pz08/
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anti-theft-device-82641.bond/pz08/www.erxkula.shop
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anti-theft-device-82641.bondReferer:
Source: explorer.exe, 00000007.00000003.2161201978.00000000096A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1371361746.00000000095B9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.boostyourselftoday.com
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.boostyourselftoday.com/pz08/
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.boostyourselftoday.com/pz08/www.yassa-hany.online
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.boostyourselftoday.comReferer:
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.deespresence.com
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.deespresence.com/pz08/
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.deespresence.com/pz08/www.first-solution.online
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.deespresence.comReferer:
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.erxkula.shop
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.erxkula.shop/pz08/
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.erxkula.shop/pz08/www.tobegoodlife.net
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.erxkula.shopReferer:
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fanyablack.com
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fanyablack.com/pz08/
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fanyablack.com/pz08/www.yobo-by.com
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fanyablack.comReferer:
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.first-solution.online
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.first-solution.online/pz08/
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.first-solution.online/pz08/www.anti-theft-device-82641.bond
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.first-solution.onlineReferer:
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.go-bloggers.com
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.go-bloggers.com/pz08/
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.go-bloggers.com/pz08/www.hotelfincamalvasia.com
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.go-bloggers.comReferer:
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gourmetfoodfactory.com
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gourmetfoodfactory.com/pz08/
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gourmetfoodfactory.com/pz08/www.rdlva.com
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gourmetfoodfactory.comReferer:
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hotelfincamalvasia.com
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hotelfincamalvasia.com/pz08/
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hotelfincamalvasia.com/pz08/www.fanyablack.com
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hotelfincamalvasia.comReferer:
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.liveforwardventures.com
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.liveforwardventures.com/pz08/
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.liveforwardventures.com/pz08/www.go-bloggers.com
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.liveforwardventures.comReferer:
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nordens-media.com
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nordens-media.com/pz08/
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nordens-media.com/pz08/www.liveforwardventures.com
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nordens-media.comReferer:
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.phdop.xyz
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.phdop.xyz/pz08/
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.phdop.xyz/pz08/www.gourmetfoodfactory.com
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.phdop.xyzReferer:
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rdlva.com
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rdlva.com/pz08/
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rdlva.com/pz08/www.nordens-media.com
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rdlva.comReferer:
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tobegoodlife.net
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tobegoodlife.net/pz08/
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tobegoodlife.net/pz08/www.boostyourselftoday.com
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tobegoodlife.netReferer:
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yassa-hany.online
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yassa-hany.online/pz08/
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yassa-hany.online/pz08/www.phdop.xyz
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yassa-hany.onlineReferer:
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yobo-by.com
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yobo-by.com/pz08/
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yobo-by.com/pz08/r
Source: explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yobo-by.comReferer:
Source: explorer.exe, 00000007.00000003.2161248237.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1377558024.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppin
Source: explorer.exe, 00000007.00000003.2161248237.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1377558024.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000007.00000002.3777035401.00000000093B4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1369898580.00000000093B4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/$
Source: explorer.exe, 00000007.00000002.3777035401.00000000093B4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1369898580.00000000093B4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/X
Source: explorer.exe, 00000007.00000003.3074676550.0000000002FB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1363775067.0000000002FA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3767640508.0000000000889000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078340043.0000000002FBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1362634820.00000000008DE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3770390587.0000000002FC0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000007.00000002.3777035401.00000000093B4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1369898580.00000000093B4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=C2BB6DDCE8D847D6B779FE8AEC27D161&timeOut=5000&oc
Source: explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3074676550.0000000002FB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1363775067.0000000002FA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3770353382.0000000002FB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000007.00000002.3777035401.0000000009390000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1369898580.0000000009390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comWzE
Source: explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 00000007.00000003.2161248237.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076400890.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1377558024.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3783880264.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.comE
Source: explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15G9PH.img
Source: explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hJkDs.img
Source: explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 00000007.00000003.2161248237.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076400890.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1377558024.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3783880264.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.comNaP0B
Source: explorer.exe, 00000007.00000003.2161248237.000000000D0B8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3783880264.000000000D073000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1377558024.000000000CFF4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076400890.000000000D046000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3079426229.000000000D072000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcemberZ
Source: explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000007.00000002.3779782500.0000000009734000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3074357398.0000000009734000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2160822500.0000000009715000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1371361746.00000000095B9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/bat
Source: explorer.exe, 00000007.00000003.2161248237.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076400890.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1377558024.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3783880264.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com576
Source: explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/health/wellness/7-secrets-to-a-happy-old-age-backed-by-science/ss-AA1hwpvW
Source: explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/companies/legacy-park-auction-canceled-liquidation-proposed-here-s-w
Source: explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/my-husband-and-i-paid-off-our-mortgage-more-than-15-years
Source: explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-
Source: explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/crime/one-dead-several-wounded-after-drive-by-shootings-in-south-la/a
Source: explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/opinion/decline-of-decorum-21-essential-manners-today-s-parents-fail-
Source: explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/california-workers-will-get-five-sick-days-instead-of-three-
Source: explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/pastor-of-atlanta-based-megachurch-faces-backlash-after-controv
Source: explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/ukraine-live-briefing-biden-does-worry-house-drama-will-impact-
Source: explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000007.00000002.3788080356.0000000010BAF000.00000004.80000000.00040000.00000000.sdmp, wlanext.exe, 00000009.00000002.3770571332.00000000039AF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.rdlva.com/pz08/?mzrPV4R=sHUCYmOOLAoNE4y8/5cjc5MBwdY8WEAoN/4wEGeHNPnX/dfJjUbL6GitjPFCVlt2
Source: explorer.exe, 00000007.00000002.3788080356.0000000010BAF000.00000004.80000000.00040000.00000000.sdmp, wlanext.exe, 00000009.00000002.3770571332.00000000039AF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.sedo.com/services/parking.php3
Source: wlanext.exe, 00000009.00000002.3770571332.00000000039AF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.tucowsdomains.com/

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 6.2.Documento de confirmacion de orden de compra OC 1580070060.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Documento de confirmacion de orden de compra OC 1580070060.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3769847094.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3769632843.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1365377346.0000000003DCE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.Documento de confirmacion de orden de compra OC 1580070060.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.Documento de confirmacion de orden de compra OC 1580070060.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.Documento de confirmacion de orden de compra OC 1580070060.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.Documento de confirmacion de orden de compra OC 1580070060.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.Documento de confirmacion de orden de compra OC 1580070060.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.Documento de confirmacion de orden de compra OC 1580070060.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.3788521267.0000000010F75000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000009.00000002.3769847094.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.3769847094.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.3769847094.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.3769632843.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.3769632843.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.3769632843.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1365377346.0000000003DCE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1365377346.0000000003DCE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1365377346.0000000003DCE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Documento de confirmacion de orden de compra OC 1580070060.exe PID: 7844, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: Documento de confirmacion de orden de compra OC 1580070060.exe PID: 8112, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: wlanext.exe PID: 7244, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

.NET source code contains very large array initializations

Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.2d9a150.11.raw.unpack, Architectural.cs	Large array initialization: : array initializer size 17982
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.6d60000.18.raw.unpack, Architectural.cs	Large array initialization: : array initializer size 17982
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.2c5bc38.1.raw.unpack, Architectural.cs	Large array initialization: : array initializer size 17982
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.2c1bb48.5.raw.unpack, Architectural.cs	Large array initialization: : array initializer size 17982

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Documento de confirmacion de orden de compra OC 1580070060.exe

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0041A350 NtCreateFile,	6_2_0041A350
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0041A400 NtReadFile,	6_2_0041A400
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0041A480 NtClose,	6_2_0041A480
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0041A530 NtAllocateVirtualMemory,	6_2_0041A530
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0041A47C NtClose,	6_2_0041A47C
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0041A52A NtAllocateVirtualMemory,	6_2_0041A52A
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2B60 NtClose,LdrInitializeThunk,	6_2_015F2B60
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_015F2BF0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2AD0 NtReadFile,LdrInitializeThunk,	6_2_015F2AD0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_015F2D10
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2D30 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_015F2D30
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2DD0 NtDelayExecution,LdrInitializeThunk,	6_2_015F2DD0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_015F2DF0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_015F2C70
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_015F2CA0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2F30 NtCreateSection,LdrInitializeThunk,	6_2_015F2F30
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2FE0 NtCreateFile,LdrInitializeThunk,	6_2_015F2FE0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2F90 NtProtectVirtualMemory,LdrInitializeThunk,	6_2_015F2F90
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2FB0 NtResumeThread,LdrInitializeThunk,	6_2_015F2FB0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2E80 NtReadVirtualMemory,LdrInitializeThunk,	6_2_015F2E80
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	6_2_015F2EA0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F4340 NtSetContextThread,	6_2_015F4340
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F4650 NtSuspendThread,	6_2_015F4650
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2BE0 NtQueryValueKey,	6_2_015F2BE0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2B80 NtQueryInformationFile,	6_2_015F2B80
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2BA0 NtEnumerateValueKey,	6_2_015F2BA0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2AF0 NtWriteFile,	6_2_015F2AF0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2AB0 NtWaitForSingleObject,	6_2_015F2AB0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2D00 NtSetInformationFile,	6_2_015F2D00
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2DB0 NtEnumerateKey,	6_2_015F2DB0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2C60 NtCreateKey,	6_2_015F2C60
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2C00 NtQueryInformationProcess,	6_2_015F2C00
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2CC0 NtQueryVirtualMemory,	6_2_015F2CC0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2CF0 NtOpenProcess,	6_2_015F2CF0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2F60 NtCreateProcessEx,	6_2_015F2F60
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2FA0 NtQuerySection,	6_2_015F2FA0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2E30 NtWriteVirtualMemory,	6_2_015F2E30
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2EE0 NtQueueApcThread,	6_2_015F2EE0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F3010 NtOpenDirectoryObject,	6_2_015F3010
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F3090 NtSetValueKey,	6_2_015F3090
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F35C0 NtCreateMutant,	6_2_015F35C0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F39B0 NtGetContextThread,	6_2_015F39B0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F3D70 NtOpenThread,	6_2_015F3D70
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F3D10 NtOpenProcessToken,	6_2_015F3D10
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F42AD0 NtReadFile,LdrInitializeThunk,	9_2_02F42AD0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F42BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_02F42BF0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F42BE0 NtQueryValueKey,LdrInitializeThunk,	9_2_02F42BE0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F42B60 NtClose,LdrInitializeThunk,	9_2_02F42B60
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F42EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_02F42EA0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F42FE0 NtCreateFile,LdrInitializeThunk,	9_2_02F42FE0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F42F30 NtCreateSection,LdrInitializeThunk,	9_2_02F42F30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F42CA0 NtQueryInformationToken,LdrInitializeThunk,	9_2_02F42CA0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F42C70 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_02F42C70
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F42C60 NtCreateKey,LdrInitializeThunk,	9_2_02F42C60
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F42DF0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_02F42DF0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F42DD0 NtDelayExecution,LdrInitializeThunk,	9_2_02F42DD0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F42D10 NtMapViewOfSection,LdrInitializeThunk,	9_2_02F42D10
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F435C0 NtCreateMutant,LdrInitializeThunk,	9_2_02F435C0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F44340 NtSetContextThread,	9_2_02F44340
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F44650 NtSuspendThread,	9_2_02F44650
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F42AF0 NtWriteFile,	9_2_02F42AF0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F42AB0 NtWaitForSingleObject,	9_2_02F42AB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F42BA0 NtEnumerateValueKey,	9_2_02F42BA0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F42B80 NtQueryInformationFile,	9_2_02F42B80
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F42EE0 NtQueueApcThread,	9_2_02F42EE0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F42E80 NtReadVirtualMemory,	9_2_02F42E80
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F42E30 NtWriteVirtualMemory,	9_2_02F42E30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F42FB0 NtResumeThread,	9_2_02F42FB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F42FA0 NtQuerySection,	9_2_02F42FA0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F42F90 NtProtectVirtualMemory,	9_2_02F42F90
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F42F60 NtCreateProcessEx,	9_2_02F42F60
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F42CF0 NtOpenProcess,	9_2_02F42CF0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F42CC0 NtQueryVirtualMemory,	9_2_02F42CC0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F42C00 NtQueryInformationProcess,	9_2_02F42C00
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F42DB0 NtEnumerateKey,	9_2_02F42DB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F42D30 NtUnmapViewOfSection,	9_2_02F42D30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F42D00 NtSetInformationFile,	9_2_02F42D00
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F43090 NtSetValueKey,	9_2_02F43090
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F43010 NtOpenDirectoryObject,	9_2_02F43010
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F439B0 NtGetContextThread,	9_2_02F439B0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F43D70 NtOpenThread,	9_2_02F43D70
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F43D10 NtOpenProcessToken,	9_2_02F43D10
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0286A350 NtCreateFile,	9_2_0286A350
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0286A480 NtClose,	9_2_0286A480
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0286A400 NtReadFile,	9_2_0286A400
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0286A530 NtAllocateVirtualMemory,	9_2_0286A530
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0286A47C NtClose,	9_2_0286A47C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0286A52A NtAllocateVirtualMemory,	9_2_0286A52A

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 2_2_010883E2	2_2_010883E2
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 2_2_01086FE0	2_2_01086FE0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 2_2_01087318	2_2_01087318
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 2_2_01088491	2_2_01088491
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 2_2_01088718	2_2_01088718
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 2_2_01087306	2_2_01087306
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 2_2_01087352	2_2_01087352
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 2_2_0108784D	2_2_0108784D
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 2_2_04FC4778	2_2_04FC4778
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 2_2_04FC7748	2_2_04FC7748
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 2_2_04FC476A	2_2_04FC476A
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 2_2_04FCCE20	2_2_04FCCE20
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 2_2_04FCBF54	2_2_04FCBF54
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 2_2_04FCBF48	2_2_04FCBF48
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 2_2_0703C699	2_2_0703C699
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 2_2_07035050	2_2_07035050
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 2_2_07038480	2_2_07038480
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 2_2_07038038	2_2_07038038
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 2_2_0703503F	2_2_0703503F
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 2_2_07038048	2_2_07038048
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 2_2_07039F60	2_2_07039F60
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 2_2_07037C10	2_2_07037C10
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 2_2_07039B28	2_2_07039B28
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0041E84B	6_2_0041E84B
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_00401030	6_2_00401030
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0041D9B6	6_2_0041D9B6
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0041EB6E	6_2_0041EB6E
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0041DCA1	6_2_0041DCA1
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_00402D87	6_2_00402D87
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_00402D90	6_2_00402D90
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_00409E4C	6_2_00409E4C
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_00409E50	6_2_00409E50
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0041D770	6_2_0041D770
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_00402FB0	6_2_00402FB0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01648158	6_2_01648158
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B0100	6_2_015B0100
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0165A118	6_2_0165A118
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016781CC	6_2_016781CC
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016801AA	6_2_016801AA
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016741A2	6_2_016741A2
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01652000	6_2_01652000
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0167A352	6_2_0167A352
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016803E6	6_2_016803E6
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015CE3F0	6_2_015CE3F0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01660274	6_2_01660274
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016402C0	6_2_016402C0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C0535	6_2_015C0535
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01680591	6_2_01680591
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01672446	6_2_01672446
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01664420	6_2_01664420
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0166E4F6	6_2_0166E4F6
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015E4750	6_2_015E4750
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C0770	6_2_015C0770
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015BC7C0	6_2_015BC7C0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015DC6E0	6_2_015DC6E0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015D6962	6_2_015D6962
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0168A9A6	6_2_0168A9A6
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C29A0	6_2_015C29A0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015CA840	6_2_015CA840
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C2840	6_2_015C2840
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EE8F0	6_2_015EE8F0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015A68B8	6_2_015A68B8
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0167AB40	6_2_0167AB40
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01676BD7	6_2_01676BD7
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015BEA80	6_2_015BEA80
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015CAD00	6_2_015CAD00
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0165CD1F	6_2_0165CD1F
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015BADE0	6_2_015BADE0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015D8DBF	6_2_015D8DBF
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C0C00	6_2_015C0C00
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B0CF2	6_2_015B0CF2
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01660CB5	6_2_01660CB5
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01634F40	6_2_01634F40
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01602F28	6_2_01602F28
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01662F30	6_2_01662F30
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015E0F30	6_2_015E0F30
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B2FC8	6_2_015B2FC8
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015CCFE0	6_2_015CCFE0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0163EFA0	6_2_0163EFA0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C0E59	6_2_015C0E59
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0167EE26	6_2_0167EE26
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0167EEDB	6_2_0167EEDB
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015D2E90	6_2_015D2E90
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0167CE93	6_2_0167CE93
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0168B16B	6_2_0168B16B
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015AF172	6_2_015AF172
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F516C	6_2_015F516C
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015CB1B0	6_2_015CB1B0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0167F0E0	6_2_0167F0E0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016770E9	6_2_016770E9
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C70C0	6_2_015C70C0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0166F0CC	6_2_0166F0CC
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015AD34C	6_2_015AD34C
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0167132D	6_2_0167132D
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0160739A	6_2_0160739A
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016612ED	6_2_016612ED
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015DB2C0	6_2_015DB2C0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C52A0	6_2_015C52A0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01677571	6_2_01677571
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016895C3	6_2_016895C3
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0165D5B0	6_2_0165D5B0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B1460	6_2_015B1460
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0167F43F	6_2_0167F43F
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B17EC	6_2_015B17EC
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0167F7B0	6_2_0167F7B0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01605630	6_2_01605630
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016716CC	6_2_016716CC
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C9950	6_2_015C9950
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015DB950	6_2_015DB950
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01655910	6_2_01655910
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0162D800	6_2_0162D800
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C38E0	6_2_015C38E0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0167FB76	6_2_0167FB76
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01635BF0	6_2_01635BF0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015FDBF9	6_2_015FDBF9
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015DFB80	6_2_015DFB80
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01633A6C	6_2_01633A6C
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01677A46	6_2_01677A46
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0167FA49	6_2_0167FA49
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0166DAC6	6_2_0166DAC6
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01605AA0	6_2_01605AA0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01661AA3	6_2_01661AA3
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0165DAAC	6_2_0165DAAC
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01677D73	6_2_01677D73
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C3D40	6_2_015C3D40
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01671D5A	6_2_01671D5A
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015DFDC0	6_2_015DFDC0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01639C32	6_2_01639C32
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0167FCF2	6_2_0167FCF2
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0167FF09	6_2_0167FF09
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01583FD2	6_2_01583FD2
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01583FD5	6_2_01583FD5
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C1F92	6_2_015C1F92
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0167FFB1	6_2_0167FFB1
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C9EB0	6_2_015C9EB0
Source: C:\Windows\explorer.exe	Code function: 7_2_0E0DB232	7_2_0E0DB232
Source: C:\Windows\explorer.exe	Code function: 7_2_0E0D5B30	7_2_0E0D5B30
Source: C:\Windows\explorer.exe	Code function: 7_2_0E0D5B32	7_2_0E0D5B32
Source: C:\Windows\explorer.exe	Code function: 7_2_0E0DA036	7_2_0E0DA036
Source: C:\Windows\explorer.exe	Code function: 7_2_0E0D1082	7_2_0E0D1082
Source: C:\Windows\explorer.exe	Code function: 7_2_0E0D2D02	7_2_0E0D2D02
Source: C:\Windows\explorer.exe	Code function: 7_2_0E0D8912	7_2_0E0D8912
Source: C:\Windows\explorer.exe	Code function: 7_2_0E0DE5CD	7_2_0E0DE5CD
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F902C0	9_2_02F902C0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FB0274	9_2_02FB0274
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F1E3F0	9_2_02F1E3F0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FD03E6	9_2_02FD03E6
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FCA352	9_2_02FCA352
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FA2000	9_2_02FA2000
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FC81CC	9_2_02FC81CC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FD01AA	9_2_02FD01AA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FC41A2	9_2_02FC41A2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F98158	9_2_02F98158
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FAA118	9_2_02FAA118
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F00100	9_2_02F00100
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F2C6E0	9_2_02F2C6E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F0C7C0	9_2_02F0C7C0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F10770	9_2_02F10770
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F34750	9_2_02F34750
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FBE4F6	9_2_02FBE4F6
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FC2446	9_2_02FC2446
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FB4420	9_2_02FB4420
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FD0591	9_2_02FD0591
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F10535	9_2_02F10535
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F0EA80	9_2_02F0EA80
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FC6BD7	9_2_02FC6BD7
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FCAB40	9_2_02FCAB40
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F3E8F0	9_2_02F3E8F0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02EF68B8	9_2_02EF68B8
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F1A840	9_2_02F1A840
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F12840	9_2_02F12840
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F129A0	9_2_02F129A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FDA9A6	9_2_02FDA9A6
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F26962	9_2_02F26962
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FCEEDB	9_2_02FCEEDB
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F22E90	9_2_02F22E90
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FCCE93	9_2_02FCCE93
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F10E59	9_2_02F10E59
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FCEE26	9_2_02FCEE26
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F1CFE0	9_2_02F1CFE0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F02FC8	9_2_02F02FC8
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F8EFA0	9_2_02F8EFA0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F84F40	9_2_02F84F40
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F30F30	9_2_02F30F30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FB2F30	9_2_02FB2F30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F52F28	9_2_02F52F28
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F00CF2	9_2_02F00CF2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FB0CB5	9_2_02FB0CB5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F10C00	9_2_02F10C00
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F0ADE0	9_2_02F0ADE0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F28DBF	9_2_02F28DBF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FACD1F	9_2_02FACD1F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F1AD00	9_2_02F1AD00
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FB12ED	9_2_02FB12ED
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F2B2C0	9_2_02F2B2C0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F152A0	9_2_02F152A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F5739A	9_2_02F5739A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02EFD34C	9_2_02EFD34C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FC132D	9_2_02FC132D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FC70E9	9_2_02FC70E9
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FCF0E0	9_2_02FCF0E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F170C0	9_2_02F170C0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FBF0CC	9_2_02FBF0CC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F1B1B0	9_2_02F1B1B0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FDB16B	9_2_02FDB16B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F4516C	9_2_02F4516C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02EFF172	9_2_02EFF172
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FC16CC	9_2_02FC16CC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F55630	9_2_02F55630
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F017EC	9_2_02F017EC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FCF7B0	9_2_02FCF7B0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F01460	9_2_02F01460
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FCF43F	9_2_02FCF43F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FD95C3	9_2_02FD95C3
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FAD5B0	9_2_02FAD5B0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FC7571	9_2_02FC7571
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FBDAC6	9_2_02FBDAC6
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F55AA0	9_2_02F55AA0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FADAAC	9_2_02FADAAC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FB1AA3	9_2_02FB1AA3
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F83A6C	9_2_02F83A6C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FCFA49	9_2_02FCFA49
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FC7A46	9_2_02FC7A46
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F85BF0	9_2_02F85BF0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F4DBF9	9_2_02F4DBF9
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F2FB80	9_2_02F2FB80
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FCFB76	9_2_02FCFB76
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F138E0	9_2_02F138E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F7D800	9_2_02F7D800
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F19950	9_2_02F19950
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F2B950	9_2_02F2B950
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FA5910	9_2_02FA5910
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F19EB0	9_2_02F19EB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02ED3FD5	9_2_02ED3FD5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02ED3FD2	9_2_02ED3FD2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FCFFB1	9_2_02FCFFB1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F11F92	9_2_02F11F92
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FCFF09	9_2_02FCFF09
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FCFCF2	9_2_02FCFCF2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F89C32	9_2_02F89C32
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F2FDC0	9_2_02F2FDC0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FC7D73	9_2_02FC7D73
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02FC1D5A	9_2_02FC1D5A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F13D40	9_2_02F13D40
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0286EB6E	9_2_0286EB6E
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0286E84B	9_2_0286E84B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02852FB0	9_2_02852FB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02852D87	9_2_02852D87
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02852D90	9_2_02852D90
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02859E4C	9_2_02859E4C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02859E50	9_2_02859E50

Source: C:\Windows\SysWOW64\wlanext.exe	Code function: String function: 02EFB970 appears 283 times
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: String function: 02F57E54 appears 109 times
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: String function: 02F8F290 appears 105 times
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: String function: 02F45130 appears 58 times
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: String function: 02F7EA12 appears 86 times
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: String function: 0163F290 appears 105 times
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: String function: 01607E54 appears 109 times
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: String function: 015AB970 appears 283 times
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: String function: 015F5130 appears 58 times
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: String function: 0162EA12 appears 86 times

Source: Documento de confirmacion de orden de compra OC 1580070060.exe, 00000002.00000002.1369771705.0000000007560000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Documento de confirmacion de orden de compra OC 1580070060.exe
Source: Documento de confirmacion de orden de compra OC 1580070060.exe, 00000002.00000000.1302924591.000000000071A000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameSCEBd.exe> vs Documento de confirmacion de orden de compra OC 1580070060.exe
Source: Documento de confirmacion de orden de compra OC 1580070060.exe, 00000002.00000002.1365377346.0000000003DCE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Documento de confirmacion de orden de compra OC 1580070060.exe
Source: Documento de confirmacion de orden de compra OC 1580070060.exe, 00000006.00000002.1422651001.0000000001128000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewlanext.exej% vs Documento de confirmacion de orden de compra OC 1580070060.exe
Source: Documento de confirmacion de orden de compra OC 1580070060.exe, 00000006.00000002.1422903263.00000000016AD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Documento de confirmacion de orden de compra OC 1580070060.exe
Source: Documento de confirmacion de orden de compra OC 1580070060.exe, 00000006.00000002.1422817149.0000000001462000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamewlanext.exej% vs Documento de confirmacion de orden de compra OC 1580070060.exe
Source: Documento de confirmacion de orden de compra OC 1580070060.exe	Binary or memory string: OriginalFilenameSCEBd.exe> vs Documento de confirmacion de orden de compra OC 1580070060.exe

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shell.userer.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: wininet.dll	Jump to behavior

Source: Documento de confirmacion de orden de compra OC 1580070060.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 6.2.Documento de confirmacion de orden de compra OC 1580070060.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.Documento de confirmacion de orden de compra OC 1580070060.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.Documento de confirmacion de orden de compra OC 1580070060.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.Documento de confirmacion de orden de compra OC 1580070060.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.Documento de confirmacion de orden de compra OC 1580070060.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.Documento de confirmacion de orden de compra OC 1580070060.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.3788521267.0000000010F75000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000009.00000002.3769847094.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.3769847094.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.3769847094.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.3769632843.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.3769632843.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.3769632843.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1365377346.0000000003DCE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1365377346.0000000003DCE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1365377346.0000000003DCE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Documento de confirmacion de orden de compra OC 1580070060.exe PID: 7844, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: Documento de confirmacion de orden de compra OC 1580070060.exe PID: 8112, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: wlanext.exe PID: 7244, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: Documento de confirmacion de orden de compra OC 1580070060.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3f419b0.17.raw.unpack, eyGVcdJI4l3xpr0csI.cs	Security API names: _0020.SetAccessControl
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3f419b0.17.raw.unpack, eyGVcdJI4l3xpr0csI.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3f419b0.17.raw.unpack, eyGVcdJI4l3xpr0csI.cs	Security API names: _0020.AddAccessRule
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3f419b0.17.raw.unpack, BOggchRfbPuPHwF8VW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3fb69d0.16.raw.unpack, eyGVcdJI4l3xpr0csI.cs	Security API names: _0020.SetAccessControl
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3fb69d0.16.raw.unpack, eyGVcdJI4l3xpr0csI.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3fb69d0.16.raw.unpack, eyGVcdJI4l3xpr0csI.cs	Security API names: _0020.AddAccessRule
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.7560000.21.raw.unpack, eyGVcdJI4l3xpr0csI.cs	Security API names: _0020.SetAccessControl
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.7560000.21.raw.unpack, eyGVcdJI4l3xpr0csI.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.7560000.21.raw.unpack, eyGVcdJI4l3xpr0csI.cs	Security API names: _0020.AddAccessRule
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3fb69d0.16.raw.unpack, BOggchRfbPuPHwF8VW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.7560000.21.raw.unpack, BOggchRfbPuPHwF8VW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/6@9/6

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Documento de confirmacion de orden de compra OC 1580070060.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2084:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8104:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cslxg2va.3di.ps1

Jump to behavior

Source: Documento de confirmacion de orden de compra OC 1580070060.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Documento de confirmacion de orden de compra OC 1580070060.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Documento de confirmacion de orden de compra OC 1580070060.exe	ReversingLabs: Detection: 65%
Source: Documento de confirmacion de orden de compra OC 1580070060.exe	Virustotal: Detection: 73%

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe

File read: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process created: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process created: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Documento de confirmacion de orden de compra OC 1580070060.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Documento de confirmacion de orden de compra OC 1580070060.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: Documento de confirmacion de orden de compra OC 1580070060.exe, 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000009.00000003.1424111215.0000000002D28000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000009.00000003.1421913080.0000000002B4B000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Documento de confirmacion de orden de compra OC 1580070060.exe, Documento de confirmacion de orden de compra OC 1580070060.exe, 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, wlanext.exe, 00000009.00000003.1424111215.0000000002D28000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000009.00000003.1421913080.0000000002B4B000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wlanext.pdb source: Documento de confirmacion de orden de compra OC 1580070060.exe, 00000006.00000002.1422651001.0000000001128000.00000004.00000020.00020000.00000000.sdmp, Documento de confirmacion de orden de compra OC 1580070060.exe, 00000006.00000002.1422817149.0000000001450000.00000040.10000000.00040000.00000000.sdmp, wlanext.exe, 00000009.00000002.3767596988.0000000000830000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wlanext.pdbGCTL source: Documento de confirmacion de orden de compra OC 1580070060.exe, 00000006.00000002.1422651001.0000000001128000.00000004.00000020.00020000.00000000.sdmp, Documento de confirmacion de orden de compra OC 1580070060.exe, 00000006.00000002.1422817149.0000000001450000.00000040.10000000.00040000.00000000.sdmp, wlanext.exe, 00000009.00000002.3767596988.0000000000830000.00000040.80000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: Documento de confirmacion de orden de compra OC 1580070060.exe, --.cs	.Net Code: _0002 System.AppDomain.Load(byte[])
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.2d9a150.11.raw.unpack, Architectural.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.6d60000.18.raw.unpack, Architectural.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.2c5bc38.1.raw.unpack, Architectural.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.7560000.21.raw.unpack, eyGVcdJI4l3xpr0csI.cs	.Net Code: MrcPiZp9Xy System.Reflection.Assembly.Load(byte[])
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.2c1bb48.5.raw.unpack, Architectural.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3f419b0.17.raw.unpack, eyGVcdJI4l3xpr0csI.cs	.Net Code: MrcPiZp9Xy System.Reflection.Assembly.Load(byte[])
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3fb69d0.16.raw.unpack, eyGVcdJI4l3xpr0csI.cs	.Net Code: MrcPiZp9Xy System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 2_2_0703AFD0 push eax; ret	2_2_0703AFD9
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0041683E push esi; ret	6_2_0041683F
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0041718B push ds; iretd	6_2_0041718C
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0041E99E push esi; iretd	6_2_0041E99F
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_00417224 push ebx; iretd	6_2_0041722A
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0041D4F2 push eax; ret	6_2_0041D4F8
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0041D4FB push eax; ret	6_2_0041D562
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_00417C92 push ss; retf	6_2_00417C9E
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0041D4A5 push eax; ret	6_2_0041D4F8
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0041D55C push eax; ret	6_2_0041D562
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0040F531 push 75DF417Dh; iretd	6_2_0040F536
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0158225F pushad ; ret	6_2_015827F9
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015827FA pushad ; ret	6_2_015827F9
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B09AD push ecx; mov dword ptr [esp], ecx	6_2_015B09B6
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0158283D push eax; iretd	6_2_01582858
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0158135E push eax; iretd	6_2_01581369
Source: C:\Windows\explorer.exe	Code function: 7_2_0E0DEB02 push esp; retn 0000h	7_2_0E0DEB03
Source: C:\Windows\explorer.exe	Code function: 7_2_0E0DEB1E push esp; retn 0000h	7_2_0E0DEB1F
Source: C:\Windows\explorer.exe	Code function: 7_2_0E0E108E push esi; iretd	7_2_0E0E108F
Source: C:\Windows\explorer.exe	Code function: 7_2_0E0DE9B5 push esp; retn 0000h	7_2_0E0DEAE7
Source: C:\Windows\explorer.exe	Code function: 7_2_10E91089 push edx; ret	7_2_10E9108B
Source: C:\Windows\explorer.exe	Code function: 7_2_10E931E1 push edx; retf	7_2_10E931E2
Source: C:\Windows\explorer.exe	Code function: 7_2_10E929D3 push 0000004Bh; iretd	7_2_10E929D6
Source: C:\Windows\explorer.exe	Code function: 7_2_10E93172 push esi; iretd	7_2_10E93175
Source: C:\Windows\explorer.exe	Code function: 7_2_10E9434D push 0000000Dh; retf	7_2_10E94352
Source: C:\Windows\explorer.exe	Code function: 7_2_10E92D25 push ss; iretd	7_2_10E92D38
Source: C:\Windows\explorer.exe	Code function: 7_2_10E9230F push edx; ret	7_2_10E92310
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02ED225F pushad ; ret	9_2_02ED27F9
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02ED27FA pushad ; ret	9_2_02ED27F9
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02ED283D push eax; iretd	9_2_02ED2858
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_02F009AD push ecx; mov dword ptr [esp], ecx	9_2_02F009B6

Source: Documento de confirmacion de orden de compra OC 1580070060.exe

Static PE information: section name: .text entropy: 7.964658769466714

Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.6fe0000.20.raw.unpack, ReactionVessel.cs	High entropy of concatenated method names: 'CopyMemory', 'SearchResult', 'CausalitySource', 'K4oTsswVn', 'ComputeReaction', 'ResizeVessel', 'Inject', 'c6vkj3brm', 'Init', 'Init'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.2ed4df8.3.raw.unpack, ReactionVessel.cs	High entropy of concatenated method names: 'CopyMemory', 'SearchResult', 'CausalitySource', 'K4oTsswVn', 'ComputeReaction', 'ResizeVessel', 'Inject', 'c6vkj3brm', 'Init', 'Init'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.7560000.21.raw.unpack, slxaByZImLX0RUWuO1.cs	High entropy of concatenated method names: 'uloFpYCYV6', 'RXpFAsS6Qi', 'TFEFPffdh7', 'XNAFfXWak0', 'tElFjwBfF9', 'OHmFSg9tMT', 'EY1FcQrraK', 'ylWg98d4Pi', 'tvtgYGNmvs', 'cGvgvEwoyt'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.7560000.21.raw.unpack, Dhu2MOCclnGP5HWpE8.cs	High entropy of concatenated method names: 'n7eKWZ0Uwu', 'VcXK3Kobwv', 'fu1KRlPD8k', 'LhnKCgiDIA', 'Y8XKsfiO4M', 'RbqKuj42e7', 'OBFKVQww2l', 'F15Kgfnjo3', 'ksKKF07B8M', 'v2uKo96aYS'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.7560000.21.raw.unpack, qTNSUAPIwG0dCZiLPb.cs	High entropy of concatenated method names: 'hxwpOOggch', 'fbPpJuPHwF', 'jclp1nGP5H', 'ApEpt8v1xC', 'CQupsephsA', 'XPIpuR8r3G', 'z19YgpCboBJjMM3eU1', 'WQ2gPWubf6sG6L4dpX', 'fANppZy1pG', 'Oj4pAuvEUB'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.7560000.21.raw.unpack, PUVjBQlGfpBTqYE6GZ.cs	High entropy of concatenated method names: 'IKqsnM44Zl', 'H8rsaksjh9', 'ulvslshy8D', 'ENasMqLt7L', 'O3jsHccemM', 'Ll9sdF9qku', 'lnJs6F8y8f', 'v39sbdYj0X', 'EfhseeQ9TW', 'ebBsQqlUod'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.7560000.21.raw.unpack, ryLSShj27b96lZWfJn.cs	High entropy of concatenated method names: 'Dispose', 'sbhpvNCsM5', 'H8C5Hh4W2b', 'FZIMMYE4id', 'q26pZC1QTc', 'uiGpzuQndr', 'ProcessDialogKey', 'IUa5kvM1vJ', 'Jhp5p83Eqf', 'LhC55FlxaB'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.7560000.21.raw.unpack, HnOaDI5iBVSUGNcQff.cs	High entropy of concatenated method names: 'I67iiC5LU', 'zQLWgpoZO', 's6q3TpYXj', 'ItiGjtLRO', 'rgJCbubjO', 'Yox4qOnCj', 'F1FwCS1ReUEH4ruY8W', 'HHP5AxDjoSgZYXyhqA', 'hTRghtJWJ', 'tqNoVvWiM'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.7560000.21.raw.unpack, txX0carctujPwViM1C.cs	High entropy of concatenated method names: 'TZQVYb6R93', 'jdbVZ4jXJO', 'owegkSTq6C', 'cr8gp9ZtCO', 'op8Vql887T', 'aS0VaF1HZC', 'ChYVhph72G', 'cuOVlh8cmR', 'SMJVMts6jy', 'q7KVB28KcV'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.7560000.21.raw.unpack, L6C1QTYcmiGuQndrdU.cs	High entropy of concatenated method names: 'gWggf7dkkH', 'ITPgjbBQ3B', 'KHygKX1I7s', 'EEUgSuK2TS', 'hmigc9aptS', 'JJSgOBsBY9', 'kw5gJmjHwB', 'w8ZgNHiFZa', 'ONYg1QZNyG', 'sOegtoYOBw'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.7560000.21.raw.unpack, eyGVcdJI4l3xpr0csI.cs	High entropy of concatenated method names: 'dXeAXd6OvT', 'pODAfpkkaI', 'JaFAjlmoqP', 'xcnAKKCRBe', 'KBSASQ1Jil', 'KjSAckZ8nM', 'nIbAORRHKg', 'dsGAJO7gku', 'XtwANdBn68', 'IiQA1tDG2c'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.7560000.21.raw.unpack, OvM1vJvbhp83EqfQhC.cs	High entropy of concatenated method names: 'boVgDSJHSS', 'QIPgHyrd6B', 'OvigdwbHZI', 'suhg6WDrYd', 'yySglungbt', 'owRgbbeSlm', 'Next', 'Next', 'Next', 'NextBytes'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.7560000.21.raw.unpack, BOggchRfbPuPHwF8VW.cs	High entropy of concatenated method names: 'MH7jl53aGu', 'yLVjMESNu7', 'WYFjBnL50H', 'WGUjEKD7YL', 'vqGjTvTg7G', 'dSgjrw6XtE', 'Qjjj9gAF21', 'dVLjYCEAfp', 'BqPjv4M7tF', 'cdNjZ38SNX'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.7560000.21.raw.unpack, PSAW3sBsiIShdsVyYb.cs	High entropy of concatenated method names: 'ToString', 'a11uqg31Td', 'q9HuH9aVEh', 'teEudMIDp9', 'cJ4u65oplX', 'byHubijOnl', 'dCNueajyxD', 'kbAuQCqXoX', 'aoOu2VGWqT', 'lV7u7dZXN1'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.7560000.21.raw.unpack, lZbLZ0Ejs6l3I0XLE2.cs	High entropy of concatenated method names: 'NoCV1mikha', 'QpgVtsEnPE', 'ToString', 'f69VfyE6OI', 'QUYVjdmmcO', 'Sb9VKxQqAw', 'RUwVSSD2Xq', 'XaKVcl5Y1Y', 'hOAVONvNPO', 'wApVJYjs0W'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.7560000.21.raw.unpack, YeaYTQ7JHR5U43JycA.cs	High entropy of concatenated method names: 'rJLO0rWP0l', 'eUqOUHjEom', 'qpqOiQMUVw', 'imxOW6pvBr', 'wwfOwgelJh', 'rOhO3VP4SB', 'EHwOGTRelE', 'hUtORHxY9G', 'Y6sOClYBTF', 'TE9O4ckZZL'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.7560000.21.raw.unpack, tImn5LzS3y5FUxKNpY.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'l5TFLn7WTr', 'FAGFsYu6j7', 'OV3Fu6FOcr', 'rADFV5nYf1', 'xjdFgxXBgZ', 'u4IFFDnMXT', 'dP8Fopw3RA'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.7560000.21.raw.unpack, tIn13IQ2qL1LWsd9Ok.cs	High entropy of concatenated method names: 'YjJOfLndcD', 'nCoOKBBNNy', 'jH7OcxMlxt', 'nQ8cZH1Wsw', 'vImczc4bEx', 'WfpOkZD4xe', 'OgJOpM3qk1', 'si3O5jULiM', 'fISOA5Yllg', 'YEOOP0aWqP'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.7560000.21.raw.unpack, C1iWsohP09E0r6Qa9H.cs	High entropy of concatenated method names: 'zO2LREQ2Xh', 'IZZLCK373m', 'fwHLDy47VQ', 'DQLLHs64j7', 'EJLL6JjKZ3', 'fDELbHHj5H', 'bgeLQdJSjb', 'SanL2yPHQn', 'mL8Ln1fWcD', 'coRLqB0DvL'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.7560000.21.raw.unpack, X1xCAX4o6cpTCGQuep.cs	High entropy of concatenated method names: 'PekSwjmLMo', 'GXgSG43nrd', 'uegKdBJpyK', 'aGoK69AxfS', 'Gf3KbF82rZ', 'DDBKe5JdLa', 'VB7KQuhcNw', 'GwoK25dFOX', 'eUwK7XDwme', 'KtrKncdRo4'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.7560000.21.raw.unpack, QsAvPIDR8r3GRopZcJ.cs	High entropy of concatenated method names: 'OabcXqC0Jj', 'xjBcjQu4AN', 'ObJcSVRRiU', 'KXicO1LYDS', 'pk3cJAyO5w', 'NYRSTpZ1WH', 'tuKSrTA6je', 'qDVS9hxrod', 'v03SYmk0iT', 'EAeSv5jMXK'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.7560000.21.raw.unpack, LVh4GCpkjnqLbiYCPQr.cs	High entropy of concatenated method names: 'M2uF0lpTcT', 'qAmFUbmBrO', 'jT2FibIvlo', 'HQ4FWFV2lK', 'oT1FwpNh5y', 'NvNF32LIy5', 'QI9FGCAj1X', 'YRPFRiF9KP', 'PXpFCnZDnJ', 'mwOF4WLl3Q'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3f419b0.17.raw.unpack, slxaByZImLX0RUWuO1.cs	High entropy of concatenated method names: 'uloFpYCYV6', 'RXpFAsS6Qi', 'TFEFPffdh7', 'XNAFfXWak0', 'tElFjwBfF9', 'OHmFSg9tMT', 'EY1FcQrraK', 'ylWg98d4Pi', 'tvtgYGNmvs', 'cGvgvEwoyt'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3f419b0.17.raw.unpack, Dhu2MOCclnGP5HWpE8.cs	High entropy of concatenated method names: 'n7eKWZ0Uwu', 'VcXK3Kobwv', 'fu1KRlPD8k', 'LhnKCgiDIA', 'Y8XKsfiO4M', 'RbqKuj42e7', 'OBFKVQww2l', 'F15Kgfnjo3', 'ksKKF07B8M', 'v2uKo96aYS'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3f419b0.17.raw.unpack, qTNSUAPIwG0dCZiLPb.cs	High entropy of concatenated method names: 'hxwpOOggch', 'fbPpJuPHwF', 'jclp1nGP5H', 'ApEpt8v1xC', 'CQupsephsA', 'XPIpuR8r3G', 'z19YgpCboBJjMM3eU1', 'WQ2gPWubf6sG6L4dpX', 'fANppZy1pG', 'Oj4pAuvEUB'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3f419b0.17.raw.unpack, PUVjBQlGfpBTqYE6GZ.cs	High entropy of concatenated method names: 'IKqsnM44Zl', 'H8rsaksjh9', 'ulvslshy8D', 'ENasMqLt7L', 'O3jsHccemM', 'Ll9sdF9qku', 'lnJs6F8y8f', 'v39sbdYj0X', 'EfhseeQ9TW', 'ebBsQqlUod'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3f419b0.17.raw.unpack, ryLSShj27b96lZWfJn.cs	High entropy of concatenated method names: 'Dispose', 'sbhpvNCsM5', 'H8C5Hh4W2b', 'FZIMMYE4id', 'q26pZC1QTc', 'uiGpzuQndr', 'ProcessDialogKey', 'IUa5kvM1vJ', 'Jhp5p83Eqf', 'LhC55FlxaB'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3f419b0.17.raw.unpack, HnOaDI5iBVSUGNcQff.cs	High entropy of concatenated method names: 'I67iiC5LU', 'zQLWgpoZO', 's6q3TpYXj', 'ItiGjtLRO', 'rgJCbubjO', 'Yox4qOnCj', 'F1FwCS1ReUEH4ruY8W', 'HHP5AxDjoSgZYXyhqA', 'hTRghtJWJ', 'tqNoVvWiM'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3f419b0.17.raw.unpack, txX0carctujPwViM1C.cs	High entropy of concatenated method names: 'TZQVYb6R93', 'jdbVZ4jXJO', 'owegkSTq6C', 'cr8gp9ZtCO', 'op8Vql887T', 'aS0VaF1HZC', 'ChYVhph72G', 'cuOVlh8cmR', 'SMJVMts6jy', 'q7KVB28KcV'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3f419b0.17.raw.unpack, L6C1QTYcmiGuQndrdU.cs	High entropy of concatenated method names: 'gWggf7dkkH', 'ITPgjbBQ3B', 'KHygKX1I7s', 'EEUgSuK2TS', 'hmigc9aptS', 'JJSgOBsBY9', 'kw5gJmjHwB', 'w8ZgNHiFZa', 'ONYg1QZNyG', 'sOegtoYOBw'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3f419b0.17.raw.unpack, eyGVcdJI4l3xpr0csI.cs	High entropy of concatenated method names: 'dXeAXd6OvT', 'pODAfpkkaI', 'JaFAjlmoqP', 'xcnAKKCRBe', 'KBSASQ1Jil', 'KjSAckZ8nM', 'nIbAORRHKg', 'dsGAJO7gku', 'XtwANdBn68', 'IiQA1tDG2c'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3f419b0.17.raw.unpack, OvM1vJvbhp83EqfQhC.cs	High entropy of concatenated method names: 'boVgDSJHSS', 'QIPgHyrd6B', 'OvigdwbHZI', 'suhg6WDrYd', 'yySglungbt', 'owRgbbeSlm', 'Next', 'Next', 'Next', 'NextBytes'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3f419b0.17.raw.unpack, BOggchRfbPuPHwF8VW.cs	High entropy of concatenated method names: 'MH7jl53aGu', 'yLVjMESNu7', 'WYFjBnL50H', 'WGUjEKD7YL', 'vqGjTvTg7G', 'dSgjrw6XtE', 'Qjjj9gAF21', 'dVLjYCEAfp', 'BqPjv4M7tF', 'cdNjZ38SNX'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3f419b0.17.raw.unpack, PSAW3sBsiIShdsVyYb.cs	High entropy of concatenated method names: 'ToString', 'a11uqg31Td', 'q9HuH9aVEh', 'teEudMIDp9', 'cJ4u65oplX', 'byHubijOnl', 'dCNueajyxD', 'kbAuQCqXoX', 'aoOu2VGWqT', 'lV7u7dZXN1'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3f419b0.17.raw.unpack, lZbLZ0Ejs6l3I0XLE2.cs	High entropy of concatenated method names: 'NoCV1mikha', 'QpgVtsEnPE', 'ToString', 'f69VfyE6OI', 'QUYVjdmmcO', 'Sb9VKxQqAw', 'RUwVSSD2Xq', 'XaKVcl5Y1Y', 'hOAVONvNPO', 'wApVJYjs0W'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3f419b0.17.raw.unpack, YeaYTQ7JHR5U43JycA.cs	High entropy of concatenated method names: 'rJLO0rWP0l', 'eUqOUHjEom', 'qpqOiQMUVw', 'imxOW6pvBr', 'wwfOwgelJh', 'rOhO3VP4SB', 'EHwOGTRelE', 'hUtORHxY9G', 'Y6sOClYBTF', 'TE9O4ckZZL'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3f419b0.17.raw.unpack, tImn5LzS3y5FUxKNpY.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'l5TFLn7WTr', 'FAGFsYu6j7', 'OV3Fu6FOcr', 'rADFV5nYf1', 'xjdFgxXBgZ', 'u4IFFDnMXT', 'dP8Fopw3RA'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3f419b0.17.raw.unpack, tIn13IQ2qL1LWsd9Ok.cs	High entropy of concatenated method names: 'YjJOfLndcD', 'nCoOKBBNNy', 'jH7OcxMlxt', 'nQ8cZH1Wsw', 'vImczc4bEx', 'WfpOkZD4xe', 'OgJOpM3qk1', 'si3O5jULiM', 'fISOA5Yllg', 'YEOOP0aWqP'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3f419b0.17.raw.unpack, C1iWsohP09E0r6Qa9H.cs	High entropy of concatenated method names: 'zO2LREQ2Xh', 'IZZLCK373m', 'fwHLDy47VQ', 'DQLLHs64j7', 'EJLL6JjKZ3', 'fDELbHHj5H', 'bgeLQdJSjb', 'SanL2yPHQn', 'mL8Ln1fWcD', 'coRLqB0DvL'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3f419b0.17.raw.unpack, X1xCAX4o6cpTCGQuep.cs	High entropy of concatenated method names: 'PekSwjmLMo', 'GXgSG43nrd', 'uegKdBJpyK', 'aGoK69AxfS', 'Gf3KbF82rZ', 'DDBKe5JdLa', 'VB7KQuhcNw', 'GwoK25dFOX', 'eUwK7XDwme', 'KtrKncdRo4'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3f419b0.17.raw.unpack, QsAvPIDR8r3GRopZcJ.cs	High entropy of concatenated method names: 'OabcXqC0Jj', 'xjBcjQu4AN', 'ObJcSVRRiU', 'KXicO1LYDS', 'pk3cJAyO5w', 'NYRSTpZ1WH', 'tuKSrTA6je', 'qDVS9hxrod', 'v03SYmk0iT', 'EAeSv5jMXK'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3f419b0.17.raw.unpack, LVh4GCpkjnqLbiYCPQr.cs	High entropy of concatenated method names: 'M2uF0lpTcT', 'qAmFUbmBrO', 'jT2FibIvlo', 'HQ4FWFV2lK', 'oT1FwpNh5y', 'NvNF32LIy5', 'QI9FGCAj1X', 'YRPFRiF9KP', 'PXpFCnZDnJ', 'mwOF4WLl3Q'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3fb69d0.16.raw.unpack, slxaByZImLX0RUWuO1.cs	High entropy of concatenated method names: 'uloFpYCYV6', 'RXpFAsS6Qi', 'TFEFPffdh7', 'XNAFfXWak0', 'tElFjwBfF9', 'OHmFSg9tMT', 'EY1FcQrraK', 'ylWg98d4Pi', 'tvtgYGNmvs', 'cGvgvEwoyt'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3fb69d0.16.raw.unpack, Dhu2MOCclnGP5HWpE8.cs	High entropy of concatenated method names: 'n7eKWZ0Uwu', 'VcXK3Kobwv', 'fu1KRlPD8k', 'LhnKCgiDIA', 'Y8XKsfiO4M', 'RbqKuj42e7', 'OBFKVQww2l', 'F15Kgfnjo3', 'ksKKF07B8M', 'v2uKo96aYS'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3fb69d0.16.raw.unpack, qTNSUAPIwG0dCZiLPb.cs	High entropy of concatenated method names: 'hxwpOOggch', 'fbPpJuPHwF', 'jclp1nGP5H', 'ApEpt8v1xC', 'CQupsephsA', 'XPIpuR8r3G', 'z19YgpCboBJjMM3eU1', 'WQ2gPWubf6sG6L4dpX', 'fANppZy1pG', 'Oj4pAuvEUB'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3fb69d0.16.raw.unpack, PUVjBQlGfpBTqYE6GZ.cs	High entropy of concatenated method names: 'IKqsnM44Zl', 'H8rsaksjh9', 'ulvslshy8D', 'ENasMqLt7L', 'O3jsHccemM', 'Ll9sdF9qku', 'lnJs6F8y8f', 'v39sbdYj0X', 'EfhseeQ9TW', 'ebBsQqlUod'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3fb69d0.16.raw.unpack, ryLSShj27b96lZWfJn.cs	High entropy of concatenated method names: 'Dispose', 'sbhpvNCsM5', 'H8C5Hh4W2b', 'FZIMMYE4id', 'q26pZC1QTc', 'uiGpzuQndr', 'ProcessDialogKey', 'IUa5kvM1vJ', 'Jhp5p83Eqf', 'LhC55FlxaB'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3fb69d0.16.raw.unpack, HnOaDI5iBVSUGNcQff.cs	High entropy of concatenated method names: 'I67iiC5LU', 'zQLWgpoZO', 's6q3TpYXj', 'ItiGjtLRO', 'rgJCbubjO', 'Yox4qOnCj', 'F1FwCS1ReUEH4ruY8W', 'HHP5AxDjoSgZYXyhqA', 'hTRghtJWJ', 'tqNoVvWiM'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3fb69d0.16.raw.unpack, txX0carctujPwViM1C.cs	High entropy of concatenated method names: 'TZQVYb6R93', 'jdbVZ4jXJO', 'owegkSTq6C', 'cr8gp9ZtCO', 'op8Vql887T', 'aS0VaF1HZC', 'ChYVhph72G', 'cuOVlh8cmR', 'SMJVMts6jy', 'q7KVB28KcV'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3fb69d0.16.raw.unpack, L6C1QTYcmiGuQndrdU.cs	High entropy of concatenated method names: 'gWggf7dkkH', 'ITPgjbBQ3B', 'KHygKX1I7s', 'EEUgSuK2TS', 'hmigc9aptS', 'JJSgOBsBY9', 'kw5gJmjHwB', 'w8ZgNHiFZa', 'ONYg1QZNyG', 'sOegtoYOBw'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3fb69d0.16.raw.unpack, eyGVcdJI4l3xpr0csI.cs	High entropy of concatenated method names: 'dXeAXd6OvT', 'pODAfpkkaI', 'JaFAjlmoqP', 'xcnAKKCRBe', 'KBSASQ1Jil', 'KjSAckZ8nM', 'nIbAORRHKg', 'dsGAJO7gku', 'XtwANdBn68', 'IiQA1tDG2c'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3fb69d0.16.raw.unpack, OvM1vJvbhp83EqfQhC.cs	High entropy of concatenated method names: 'boVgDSJHSS', 'QIPgHyrd6B', 'OvigdwbHZI', 'suhg6WDrYd', 'yySglungbt', 'owRgbbeSlm', 'Next', 'Next', 'Next', 'NextBytes'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3fb69d0.16.raw.unpack, BOggchRfbPuPHwF8VW.cs	High entropy of concatenated method names: 'MH7jl53aGu', 'yLVjMESNu7', 'WYFjBnL50H', 'WGUjEKD7YL', 'vqGjTvTg7G', 'dSgjrw6XtE', 'Qjjj9gAF21', 'dVLjYCEAfp', 'BqPjv4M7tF', 'cdNjZ38SNX'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3fb69d0.16.raw.unpack, PSAW3sBsiIShdsVyYb.cs	High entropy of concatenated method names: 'ToString', 'a11uqg31Td', 'q9HuH9aVEh', 'teEudMIDp9', 'cJ4u65oplX', 'byHubijOnl', 'dCNueajyxD', 'kbAuQCqXoX', 'aoOu2VGWqT', 'lV7u7dZXN1'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3fb69d0.16.raw.unpack, lZbLZ0Ejs6l3I0XLE2.cs	High entropy of concatenated method names: 'NoCV1mikha', 'QpgVtsEnPE', 'ToString', 'f69VfyE6OI', 'QUYVjdmmcO', 'Sb9VKxQqAw', 'RUwVSSD2Xq', 'XaKVcl5Y1Y', 'hOAVONvNPO', 'wApVJYjs0W'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3fb69d0.16.raw.unpack, YeaYTQ7JHR5U43JycA.cs	High entropy of concatenated method names: 'rJLO0rWP0l', 'eUqOUHjEom', 'qpqOiQMUVw', 'imxOW6pvBr', 'wwfOwgelJh', 'rOhO3VP4SB', 'EHwOGTRelE', 'hUtORHxY9G', 'Y6sOClYBTF', 'TE9O4ckZZL'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3fb69d0.16.raw.unpack, tImn5LzS3y5FUxKNpY.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'l5TFLn7WTr', 'FAGFsYu6j7', 'OV3Fu6FOcr', 'rADFV5nYf1', 'xjdFgxXBgZ', 'u4IFFDnMXT', 'dP8Fopw3RA'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3fb69d0.16.raw.unpack, tIn13IQ2qL1LWsd9Ok.cs	High entropy of concatenated method names: 'YjJOfLndcD', 'nCoOKBBNNy', 'jH7OcxMlxt', 'nQ8cZH1Wsw', 'vImczc4bEx', 'WfpOkZD4xe', 'OgJOpM3qk1', 'si3O5jULiM', 'fISOA5Yllg', 'YEOOP0aWqP'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3fb69d0.16.raw.unpack, C1iWsohP09E0r6Qa9H.cs	High entropy of concatenated method names: 'zO2LREQ2Xh', 'IZZLCK373m', 'fwHLDy47VQ', 'DQLLHs64j7', 'EJLL6JjKZ3', 'fDELbHHj5H', 'bgeLQdJSjb', 'SanL2yPHQn', 'mL8Ln1fWcD', 'coRLqB0DvL'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3fb69d0.16.raw.unpack, X1xCAX4o6cpTCGQuep.cs	High entropy of concatenated method names: 'PekSwjmLMo', 'GXgSG43nrd', 'uegKdBJpyK', 'aGoK69AxfS', 'Gf3KbF82rZ', 'DDBKe5JdLa', 'VB7KQuhcNw', 'GwoK25dFOX', 'eUwK7XDwme', 'KtrKncdRo4'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3fb69d0.16.raw.unpack, QsAvPIDR8r3GRopZcJ.cs	High entropy of concatenated method names: 'OabcXqC0Jj', 'xjBcjQu4AN', 'ObJcSVRRiU', 'KXicO1LYDS', 'pk3cJAyO5w', 'NYRSTpZ1WH', 'tuKSrTA6je', 'qDVS9hxrod', 'v03SYmk0iT', 'EAeSv5jMXK'
Source: 2.2.Documento de confirmacion de orden de compra OC 1580070060.exe.3fb69d0.16.raw.unpack, LVh4GCpkjnqLbiYCPQr.cs	High entropy of concatenated method names: 'M2uF0lpTcT', 'qAmFUbmBrO', 'jT2FibIvlo', 'HQ4FWFV2lK', 'oT1FwpNh5y', 'NvNF32LIy5', 'QI9FGCAj1X', 'YRPFRiF9KP', 'PXpFCnZDnJ', 'mwOF4WLl3Q'

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	File created: \documento de confirmacion de orden de compra oc 1580070060.exe
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	File created: \documento de confirmacion de orden de compra oc 1580070060.exe
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	File created: \documento de confirmacion de orden de compra oc 1580070060.exe	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	File created: \documento de confirmacion de orden de compra oc 1580070060.exe	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x81 0x1E 0xE6

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Documento de confirmacion de orden de compra OC 1580070060.exe PID: 7844, type: MEMORYSTR

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: 0000000002859904 second address: 000000000285990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: 0000000002859B6E second address: 0000000002859B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Memory allocated: 1080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Memory allocated: 2BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Memory allocated: 2950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Memory allocated: 77F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Memory allocated: 87F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Memory allocated: 8990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Memory allocated: 9990000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe

Code function: 6_2_00409AA0 rdtsc

6_2_00409AA0

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6185	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1903	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1957	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 7988	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 873	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 873	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Window / User API: threadDelayed 2413	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Window / User API: threadDelayed 7555	Jump to behavior

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	API coverage: 1.6 %
Source: C:\Windows\SysWOW64\wlanext.exe	API coverage: 1.8 %

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe TID: 7892	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3812	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2592	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2560	Thread sleep count: 1957 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2560	Thread sleep time: -3914000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2560	Thread sleep count: 7988 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2560	Thread sleep time: -15976000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe TID: 7304	Thread sleep count: 2413 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe TID: 7304	Thread sleep time: -4826000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe TID: 7304	Thread sleep count: 7555 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe TID: 7304	Thread sleep time: -15110000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\wlanext.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\wlanext.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: )d2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.1362634820.00000000008DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000/;
Source: explorer.exe, 00000007.00000000.1362634820.00000000008DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000o;
Source: explorer.exe, 00000007.00000000.1371361746.00000000095B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000007.00000000.1371361746.00000000095B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000007.00000000.1371361746.00000000095B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 1efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000002.3777035401.00000000094DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1369898580.00000000094DC000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: explorer.exe, 00000007.00000000.1371361746.00000000095B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTbrVMWare
Source: explorer.exe, 00000007.00000000.1371361746.00000000095B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}?
Source: explorer.exe, 00000007.00000002.3777035401.000000000952D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1369898580.000000000952D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000007.00000000.1369898580.00000000093B4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.1369898580.00000000094DC000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: %SystemRoot%\system32\mswsock.dlldRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000007.00000000.1369898580.00000000093B4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 2VMware Virtual USB MouseJC:\Windows\System32\DDORes.dll,-2212
Source: explorer.exe, 00000007.00000000.1371361746.00000000095B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000007.00000002.3770390587.0000000002FC0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe

Code function: 6_2_00409AA0 rdtsc

6_2_00409AA0

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe

Code function: 6_2_0040ACE0 LdrLoadDll,

6_2_0040ACE0

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015AC156 mov eax, dword ptr fs:[00000030h]	6_2_015AC156
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01684164 mov eax, dword ptr fs:[00000030h]	6_2_01684164
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01684164 mov eax, dword ptr fs:[00000030h]	6_2_01684164
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B6154 mov eax, dword ptr fs:[00000030h]	6_2_015B6154
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B6154 mov eax, dword ptr fs:[00000030h]	6_2_015B6154
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01644144 mov eax, dword ptr fs:[00000030h]	6_2_01644144
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01644144 mov eax, dword ptr fs:[00000030h]	6_2_01644144
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01644144 mov ecx, dword ptr fs:[00000030h]	6_2_01644144
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01644144 mov eax, dword ptr fs:[00000030h]	6_2_01644144
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01644144 mov eax, dword ptr fs:[00000030h]	6_2_01644144
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01648158 mov eax, dword ptr fs:[00000030h]	6_2_01648158
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0165E10E mov eax, dword ptr fs:[00000030h]	6_2_0165E10E
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0165E10E mov ecx, dword ptr fs:[00000030h]	6_2_0165E10E
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0165E10E mov eax, dword ptr fs:[00000030h]	6_2_0165E10E
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0165E10E mov eax, dword ptr fs:[00000030h]	6_2_0165E10E
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0165E10E mov ecx, dword ptr fs:[00000030h]	6_2_0165E10E
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0165E10E mov eax, dword ptr fs:[00000030h]	6_2_0165E10E
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0165E10E mov eax, dword ptr fs:[00000030h]	6_2_0165E10E
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0165E10E mov ecx, dword ptr fs:[00000030h]	6_2_0165E10E
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0165E10E mov eax, dword ptr fs:[00000030h]	6_2_0165E10E
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0165E10E mov ecx, dword ptr fs:[00000030h]	6_2_0165E10E
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01670115 mov eax, dword ptr fs:[00000030h]	6_2_01670115
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015E0124 mov eax, dword ptr fs:[00000030h]	6_2_015E0124
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0165A118 mov ecx, dword ptr fs:[00000030h]	6_2_0165A118
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0165A118 mov eax, dword ptr fs:[00000030h]	6_2_0165A118
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0165A118 mov eax, dword ptr fs:[00000030h]	6_2_0165A118
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0165A118 mov eax, dword ptr fs:[00000030h]	6_2_0165A118
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016861E5 mov eax, dword ptr fs:[00000030h]	6_2_016861E5
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016761C3 mov eax, dword ptr fs:[00000030h]	6_2_016761C3
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016761C3 mov eax, dword ptr fs:[00000030h]	6_2_016761C3
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015E01F8 mov eax, dword ptr fs:[00000030h]	6_2_015E01F8
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0162E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0162E1D0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0162E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0162E1D0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0162E1D0 mov ecx, dword ptr fs:[00000030h]	6_2_0162E1D0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0162E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0162E1D0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0162E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0162E1D0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015AA197 mov eax, dword ptr fs:[00000030h]	6_2_015AA197
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015AA197 mov eax, dword ptr fs:[00000030h]	6_2_015AA197
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015AA197 mov eax, dword ptr fs:[00000030h]	6_2_015AA197
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F0185 mov eax, dword ptr fs:[00000030h]	6_2_015F0185
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01654180 mov eax, dword ptr fs:[00000030h]	6_2_01654180
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01654180 mov eax, dword ptr fs:[00000030h]	6_2_01654180
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0166C188 mov eax, dword ptr fs:[00000030h]	6_2_0166C188
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0166C188 mov eax, dword ptr fs:[00000030h]	6_2_0166C188
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0163019F mov eax, dword ptr fs:[00000030h]	6_2_0163019F
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0163019F mov eax, dword ptr fs:[00000030h]	6_2_0163019F
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0163019F mov eax, dword ptr fs:[00000030h]	6_2_0163019F
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0163019F mov eax, dword ptr fs:[00000030h]	6_2_0163019F
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B2050 mov eax, dword ptr fs:[00000030h]	6_2_015B2050
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015DC073 mov eax, dword ptr fs:[00000030h]	6_2_015DC073
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01636050 mov eax, dword ptr fs:[00000030h]	6_2_01636050
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015CE016 mov eax, dword ptr fs:[00000030h]	6_2_015CE016
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015CE016 mov eax, dword ptr fs:[00000030h]	6_2_015CE016
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015CE016 mov eax, dword ptr fs:[00000030h]	6_2_015CE016
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015CE016 mov eax, dword ptr fs:[00000030h]	6_2_015CE016
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01646030 mov eax, dword ptr fs:[00000030h]	6_2_01646030
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01634000 mov ecx, dword ptr fs:[00000030h]	6_2_01634000
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01652000 mov eax, dword ptr fs:[00000030h]	6_2_01652000
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01652000 mov eax, dword ptr fs:[00000030h]	6_2_01652000
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01652000 mov eax, dword ptr fs:[00000030h]	6_2_01652000
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01652000 mov eax, dword ptr fs:[00000030h]	6_2_01652000
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01652000 mov eax, dword ptr fs:[00000030h]	6_2_01652000
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01652000 mov eax, dword ptr fs:[00000030h]	6_2_01652000
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01652000 mov eax, dword ptr fs:[00000030h]	6_2_01652000
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01652000 mov eax, dword ptr fs:[00000030h]	6_2_01652000
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015AA020 mov eax, dword ptr fs:[00000030h]	6_2_015AA020
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015AC020 mov eax, dword ptr fs:[00000030h]	6_2_015AC020
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016360E0 mov eax, dword ptr fs:[00000030h]	6_2_016360E0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015AC0F0 mov eax, dword ptr fs:[00000030h]	6_2_015AC0F0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F20F0 mov ecx, dword ptr fs:[00000030h]	6_2_015F20F0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B80E9 mov eax, dword ptr fs:[00000030h]	6_2_015B80E9
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015AA0E3 mov ecx, dword ptr fs:[00000030h]	6_2_015AA0E3
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016320DE mov eax, dword ptr fs:[00000030h]	6_2_016320DE
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016480A8 mov eax, dword ptr fs:[00000030h]	6_2_016480A8
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B208A mov eax, dword ptr fs:[00000030h]	6_2_015B208A
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016760B8 mov eax, dword ptr fs:[00000030h]	6_2_016760B8
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016760B8 mov ecx, dword ptr fs:[00000030h]	6_2_016760B8
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015A80A0 mov eax, dword ptr fs:[00000030h]	6_2_015A80A0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0165437C mov eax, dword ptr fs:[00000030h]	6_2_0165437C
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0168634F mov eax, dword ptr fs:[00000030h]	6_2_0168634F
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01632349 mov eax, dword ptr fs:[00000030h]	6_2_01632349
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01632349 mov eax, dword ptr fs:[00000030h]	6_2_01632349
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01632349 mov eax, dword ptr fs:[00000030h]	6_2_01632349
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01632349 mov eax, dword ptr fs:[00000030h]	6_2_01632349
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01632349 mov eax, dword ptr fs:[00000030h]	6_2_01632349
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01632349 mov eax, dword ptr fs:[00000030h]	6_2_01632349
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01632349 mov eax, dword ptr fs:[00000030h]	6_2_01632349
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01632349 mov eax, dword ptr fs:[00000030h]	6_2_01632349
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01632349 mov eax, dword ptr fs:[00000030h]	6_2_01632349
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01632349 mov eax, dword ptr fs:[00000030h]	6_2_01632349
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01632349 mov eax, dword ptr fs:[00000030h]	6_2_01632349
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01632349 mov eax, dword ptr fs:[00000030h]	6_2_01632349
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01632349 mov eax, dword ptr fs:[00000030h]	6_2_01632349
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01632349 mov eax, dword ptr fs:[00000030h]	6_2_01632349
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01632349 mov eax, dword ptr fs:[00000030h]	6_2_01632349
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0167A352 mov eax, dword ptr fs:[00000030h]	6_2_0167A352
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01658350 mov ecx, dword ptr fs:[00000030h]	6_2_01658350
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0163035C mov eax, dword ptr fs:[00000030h]	6_2_0163035C
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0163035C mov eax, dword ptr fs:[00000030h]	6_2_0163035C
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0163035C mov eax, dword ptr fs:[00000030h]	6_2_0163035C
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0163035C mov ecx, dword ptr fs:[00000030h]	6_2_0163035C
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0163035C mov eax, dword ptr fs:[00000030h]	6_2_0163035C
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0163035C mov eax, dword ptr fs:[00000030h]	6_2_0163035C
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015AC310 mov ecx, dword ptr fs:[00000030h]	6_2_015AC310
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01688324 mov eax, dword ptr fs:[00000030h]	6_2_01688324
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01688324 mov ecx, dword ptr fs:[00000030h]	6_2_01688324
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01688324 mov eax, dword ptr fs:[00000030h]	6_2_01688324
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01688324 mov eax, dword ptr fs:[00000030h]	6_2_01688324
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015D0310 mov ecx, dword ptr fs:[00000030h]	6_2_015D0310
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EA30B mov eax, dword ptr fs:[00000030h]	6_2_015EA30B
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EA30B mov eax, dword ptr fs:[00000030h]	6_2_015EA30B
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EA30B mov eax, dword ptr fs:[00000030h]	6_2_015EA30B
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015BA3C0 mov eax, dword ptr fs:[00000030h]	6_2_015BA3C0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015BA3C0 mov eax, dword ptr fs:[00000030h]	6_2_015BA3C0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015BA3C0 mov eax, dword ptr fs:[00000030h]	6_2_015BA3C0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015BA3C0 mov eax, dword ptr fs:[00000030h]	6_2_015BA3C0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015BA3C0 mov eax, dword ptr fs:[00000030h]	6_2_015BA3C0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015BA3C0 mov eax, dword ptr fs:[00000030h]	6_2_015BA3C0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B83C0 mov eax, dword ptr fs:[00000030h]	6_2_015B83C0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B83C0 mov eax, dword ptr fs:[00000030h]	6_2_015B83C0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B83C0 mov eax, dword ptr fs:[00000030h]	6_2_015B83C0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B83C0 mov eax, dword ptr fs:[00000030h]	6_2_015B83C0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015E63FF mov eax, dword ptr fs:[00000030h]	6_2_015E63FF
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0166C3CD mov eax, dword ptr fs:[00000030h]	6_2_0166C3CD
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015CE3F0 mov eax, dword ptr fs:[00000030h]	6_2_015CE3F0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015CE3F0 mov eax, dword ptr fs:[00000030h]	6_2_015CE3F0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015CE3F0 mov eax, dword ptr fs:[00000030h]	6_2_015CE3F0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016543D4 mov eax, dword ptr fs:[00000030h]	6_2_016543D4
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016543D4 mov eax, dword ptr fs:[00000030h]	6_2_016543D4
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C03E9 mov eax, dword ptr fs:[00000030h]	6_2_015C03E9
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C03E9 mov eax, dword ptr fs:[00000030h]	6_2_015C03E9
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C03E9 mov eax, dword ptr fs:[00000030h]	6_2_015C03E9
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C03E9 mov eax, dword ptr fs:[00000030h]	6_2_015C03E9
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C03E9 mov eax, dword ptr fs:[00000030h]	6_2_015C03E9
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C03E9 mov eax, dword ptr fs:[00000030h]	6_2_015C03E9
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C03E9 mov eax, dword ptr fs:[00000030h]	6_2_015C03E9
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C03E9 mov eax, dword ptr fs:[00000030h]	6_2_015C03E9
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0165E3DB mov eax, dword ptr fs:[00000030h]	6_2_0165E3DB
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0165E3DB mov eax, dword ptr fs:[00000030h]	6_2_0165E3DB
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0165E3DB mov ecx, dword ptr fs:[00000030h]	6_2_0165E3DB
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0165E3DB mov eax, dword ptr fs:[00000030h]	6_2_0165E3DB
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015A8397 mov eax, dword ptr fs:[00000030h]	6_2_015A8397
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015A8397 mov eax, dword ptr fs:[00000030h]	6_2_015A8397
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015A8397 mov eax, dword ptr fs:[00000030h]	6_2_015A8397
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015AE388 mov eax, dword ptr fs:[00000030h]	6_2_015AE388
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015AE388 mov eax, dword ptr fs:[00000030h]	6_2_015AE388
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015AE388 mov eax, dword ptr fs:[00000030h]	6_2_015AE388
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015D438F mov eax, dword ptr fs:[00000030h]	6_2_015D438F
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015D438F mov eax, dword ptr fs:[00000030h]	6_2_015D438F
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B6259 mov eax, dword ptr fs:[00000030h]	6_2_015B6259
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015AA250 mov eax, dword ptr fs:[00000030h]	6_2_015AA250
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01660274 mov eax, dword ptr fs:[00000030h]	6_2_01660274
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01660274 mov eax, dword ptr fs:[00000030h]	6_2_01660274
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01660274 mov eax, dword ptr fs:[00000030h]	6_2_01660274
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01660274 mov eax, dword ptr fs:[00000030h]	6_2_01660274
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01660274 mov eax, dword ptr fs:[00000030h]	6_2_01660274
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01660274 mov eax, dword ptr fs:[00000030h]	6_2_01660274
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01660274 mov eax, dword ptr fs:[00000030h]	6_2_01660274
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01660274 mov eax, dword ptr fs:[00000030h]	6_2_01660274
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01660274 mov eax, dword ptr fs:[00000030h]	6_2_01660274
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01660274 mov eax, dword ptr fs:[00000030h]	6_2_01660274
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01660274 mov eax, dword ptr fs:[00000030h]	6_2_01660274
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01660274 mov eax, dword ptr fs:[00000030h]	6_2_01660274
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01638243 mov eax, dword ptr fs:[00000030h]	6_2_01638243
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01638243 mov ecx, dword ptr fs:[00000030h]	6_2_01638243
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015A826B mov eax, dword ptr fs:[00000030h]	6_2_015A826B
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0168625D mov eax, dword ptr fs:[00000030h]	6_2_0168625D
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0166A250 mov eax, dword ptr fs:[00000030h]	6_2_0166A250
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0166A250 mov eax, dword ptr fs:[00000030h]	6_2_0166A250
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B4260 mov eax, dword ptr fs:[00000030h]	6_2_015B4260
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B4260 mov eax, dword ptr fs:[00000030h]	6_2_015B4260
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B4260 mov eax, dword ptr fs:[00000030h]	6_2_015B4260
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015A823B mov eax, dword ptr fs:[00000030h]	6_2_015A823B
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015BA2C3 mov eax, dword ptr fs:[00000030h]	6_2_015BA2C3
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015BA2C3 mov eax, dword ptr fs:[00000030h]	6_2_015BA2C3
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015BA2C3 mov eax, dword ptr fs:[00000030h]	6_2_015BA2C3
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015BA2C3 mov eax, dword ptr fs:[00000030h]	6_2_015BA2C3
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015BA2C3 mov eax, dword ptr fs:[00000030h]	6_2_015BA2C3
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C02E1 mov eax, dword ptr fs:[00000030h]	6_2_015C02E1
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C02E1 mov eax, dword ptr fs:[00000030h]	6_2_015C02E1
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C02E1 mov eax, dword ptr fs:[00000030h]	6_2_015C02E1
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016862D6 mov eax, dword ptr fs:[00000030h]	6_2_016862D6
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016462A0 mov eax, dword ptr fs:[00000030h]	6_2_016462A0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016462A0 mov ecx, dword ptr fs:[00000030h]	6_2_016462A0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016462A0 mov eax, dword ptr fs:[00000030h]	6_2_016462A0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016462A0 mov eax, dword ptr fs:[00000030h]	6_2_016462A0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016462A0 mov eax, dword ptr fs:[00000030h]	6_2_016462A0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016462A0 mov eax, dword ptr fs:[00000030h]	6_2_016462A0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EE284 mov eax, dword ptr fs:[00000030h]	6_2_015EE284
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EE284 mov eax, dword ptr fs:[00000030h]	6_2_015EE284
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01630283 mov eax, dword ptr fs:[00000030h]	6_2_01630283
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01630283 mov eax, dword ptr fs:[00000030h]	6_2_01630283
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01630283 mov eax, dword ptr fs:[00000030h]	6_2_01630283
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C02A0 mov eax, dword ptr fs:[00000030h]	6_2_015C02A0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C02A0 mov eax, dword ptr fs:[00000030h]	6_2_015C02A0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B8550 mov eax, dword ptr fs:[00000030h]	6_2_015B8550
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B8550 mov eax, dword ptr fs:[00000030h]	6_2_015B8550
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015E656A mov eax, dword ptr fs:[00000030h]	6_2_015E656A
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015E656A mov eax, dword ptr fs:[00000030h]	6_2_015E656A
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015E656A mov eax, dword ptr fs:[00000030h]	6_2_015E656A
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015DE53E mov eax, dword ptr fs:[00000030h]	6_2_015DE53E
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015DE53E mov eax, dword ptr fs:[00000030h]	6_2_015DE53E
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015DE53E mov eax, dword ptr fs:[00000030h]	6_2_015DE53E
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015DE53E mov eax, dword ptr fs:[00000030h]	6_2_015DE53E
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015DE53E mov eax, dword ptr fs:[00000030h]	6_2_015DE53E
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01646500 mov eax, dword ptr fs:[00000030h]	6_2_01646500
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01684500 mov eax, dword ptr fs:[00000030h]	6_2_01684500
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01684500 mov eax, dword ptr fs:[00000030h]	6_2_01684500
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01684500 mov eax, dword ptr fs:[00000030h]	6_2_01684500
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01684500 mov eax, dword ptr fs:[00000030h]	6_2_01684500
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01684500 mov eax, dword ptr fs:[00000030h]	6_2_01684500
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01684500 mov eax, dword ptr fs:[00000030h]	6_2_01684500
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01684500 mov eax, dword ptr fs:[00000030h]	6_2_01684500
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C0535 mov eax, dword ptr fs:[00000030h]	6_2_015C0535
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C0535 mov eax, dword ptr fs:[00000030h]	6_2_015C0535
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C0535 mov eax, dword ptr fs:[00000030h]	6_2_015C0535
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C0535 mov eax, dword ptr fs:[00000030h]	6_2_015C0535
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C0535 mov eax, dword ptr fs:[00000030h]	6_2_015C0535
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C0535 mov eax, dword ptr fs:[00000030h]	6_2_015C0535
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B65D0 mov eax, dword ptr fs:[00000030h]	6_2_015B65D0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EA5D0 mov eax, dword ptr fs:[00000030h]	6_2_015EA5D0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EA5D0 mov eax, dword ptr fs:[00000030h]	6_2_015EA5D0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EE5CF mov eax, dword ptr fs:[00000030h]	6_2_015EE5CF
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EE5CF mov eax, dword ptr fs:[00000030h]	6_2_015EE5CF
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EC5ED mov eax, dword ptr fs:[00000030h]	6_2_015EC5ED
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EC5ED mov eax, dword ptr fs:[00000030h]	6_2_015EC5ED
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015DE5E7 mov eax, dword ptr fs:[00000030h]	6_2_015DE5E7
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015DE5E7 mov eax, dword ptr fs:[00000030h]	6_2_015DE5E7
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015DE5E7 mov eax, dword ptr fs:[00000030h]	6_2_015DE5E7
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015DE5E7 mov eax, dword ptr fs:[00000030h]	6_2_015DE5E7
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015DE5E7 mov eax, dword ptr fs:[00000030h]	6_2_015DE5E7
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015DE5E7 mov eax, dword ptr fs:[00000030h]	6_2_015DE5E7
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015DE5E7 mov eax, dword ptr fs:[00000030h]	6_2_015DE5E7
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015DE5E7 mov eax, dword ptr fs:[00000030h]	6_2_015DE5E7
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B25E0 mov eax, dword ptr fs:[00000030h]	6_2_015B25E0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EE59C mov eax, dword ptr fs:[00000030h]	6_2_015EE59C
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016305A7 mov eax, dword ptr fs:[00000030h]	6_2_016305A7
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016305A7 mov eax, dword ptr fs:[00000030h]	6_2_016305A7
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016305A7 mov eax, dword ptr fs:[00000030h]	6_2_016305A7
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015E4588 mov eax, dword ptr fs:[00000030h]	6_2_015E4588
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B2582 mov eax, dword ptr fs:[00000030h]	6_2_015B2582
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B2582 mov ecx, dword ptr fs:[00000030h]	6_2_015B2582
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015D45B1 mov eax, dword ptr fs:[00000030h]	6_2_015D45B1
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015D45B1 mov eax, dword ptr fs:[00000030h]	6_2_015D45B1
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0163C460 mov ecx, dword ptr fs:[00000030h]	6_2_0163C460
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015A645D mov eax, dword ptr fs:[00000030h]	6_2_015A645D
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015D245A mov eax, dword ptr fs:[00000030h]	6_2_015D245A
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EE443 mov eax, dword ptr fs:[00000030h]	6_2_015EE443
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EE443 mov eax, dword ptr fs:[00000030h]	6_2_015EE443
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EE443 mov eax, dword ptr fs:[00000030h]	6_2_015EE443
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EE443 mov eax, dword ptr fs:[00000030h]	6_2_015EE443
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EE443 mov eax, dword ptr fs:[00000030h]	6_2_015EE443
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EE443 mov eax, dword ptr fs:[00000030h]	6_2_015EE443
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EE443 mov eax, dword ptr fs:[00000030h]	6_2_015EE443
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EE443 mov eax, dword ptr fs:[00000030h]	6_2_015EE443
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015DA470 mov eax, dword ptr fs:[00000030h]	6_2_015DA470
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015DA470 mov eax, dword ptr fs:[00000030h]	6_2_015DA470
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015DA470 mov eax, dword ptr fs:[00000030h]	6_2_015DA470
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0166A456 mov eax, dword ptr fs:[00000030h]	6_2_0166A456
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01636420 mov eax, dword ptr fs:[00000030h]	6_2_01636420
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01636420 mov eax, dword ptr fs:[00000030h]	6_2_01636420
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01636420 mov eax, dword ptr fs:[00000030h]	6_2_01636420
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01636420 mov eax, dword ptr fs:[00000030h]	6_2_01636420
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01636420 mov eax, dword ptr fs:[00000030h]	6_2_01636420
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01636420 mov eax, dword ptr fs:[00000030h]	6_2_01636420
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01636420 mov eax, dword ptr fs:[00000030h]	6_2_01636420
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015E8402 mov eax, dword ptr fs:[00000030h]	6_2_015E8402
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015E8402 mov eax, dword ptr fs:[00000030h]	6_2_015E8402
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015E8402 mov eax, dword ptr fs:[00000030h]	6_2_015E8402
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EA430 mov eax, dword ptr fs:[00000030h]	6_2_015EA430
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015AE420 mov eax, dword ptr fs:[00000030h]	6_2_015AE420
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015AE420 mov eax, dword ptr fs:[00000030h]	6_2_015AE420
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015AE420 mov eax, dword ptr fs:[00000030h]	6_2_015AE420
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015AC427 mov eax, dword ptr fs:[00000030h]	6_2_015AC427
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B04E5 mov ecx, dword ptr fs:[00000030h]	6_2_015B04E5
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0163A4B0 mov eax, dword ptr fs:[00000030h]	6_2_0163A4B0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015E44B0 mov ecx, dword ptr fs:[00000030h]	6_2_015E44B0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B64AB mov eax, dword ptr fs:[00000030h]	6_2_015B64AB
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0166A49A mov eax, dword ptr fs:[00000030h]	6_2_0166A49A
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B0750 mov eax, dword ptr fs:[00000030h]	6_2_015B0750
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2750 mov eax, dword ptr fs:[00000030h]	6_2_015F2750
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2750 mov eax, dword ptr fs:[00000030h]	6_2_015F2750
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015E674D mov esi, dword ptr fs:[00000030h]	6_2_015E674D
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015E674D mov eax, dword ptr fs:[00000030h]	6_2_015E674D
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015E674D mov eax, dword ptr fs:[00000030h]	6_2_015E674D
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B8770 mov eax, dword ptr fs:[00000030h]	6_2_015B8770
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C0770 mov eax, dword ptr fs:[00000030h]	6_2_015C0770
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C0770 mov eax, dword ptr fs:[00000030h]	6_2_015C0770
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C0770 mov eax, dword ptr fs:[00000030h]	6_2_015C0770
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C0770 mov eax, dword ptr fs:[00000030h]	6_2_015C0770
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C0770 mov eax, dword ptr fs:[00000030h]	6_2_015C0770
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C0770 mov eax, dword ptr fs:[00000030h]	6_2_015C0770
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C0770 mov eax, dword ptr fs:[00000030h]	6_2_015C0770
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C0770 mov eax, dword ptr fs:[00000030h]	6_2_015C0770
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C0770 mov eax, dword ptr fs:[00000030h]	6_2_015C0770
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C0770 mov eax, dword ptr fs:[00000030h]	6_2_015C0770
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C0770 mov eax, dword ptr fs:[00000030h]	6_2_015C0770
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C0770 mov eax, dword ptr fs:[00000030h]	6_2_015C0770
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01634755 mov eax, dword ptr fs:[00000030h]	6_2_01634755
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0163E75D mov eax, dword ptr fs:[00000030h]	6_2_0163E75D
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B0710 mov eax, dword ptr fs:[00000030h]	6_2_015B0710
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015E0710 mov eax, dword ptr fs:[00000030h]	6_2_015E0710
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0162C730 mov eax, dword ptr fs:[00000030h]	6_2_0162C730
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EC700 mov eax, dword ptr fs:[00000030h]	6_2_015EC700
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015E273C mov eax, dword ptr fs:[00000030h]	6_2_015E273C
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015E273C mov ecx, dword ptr fs:[00000030h]	6_2_015E273C
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015E273C mov eax, dword ptr fs:[00000030h]	6_2_015E273C
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EC720 mov eax, dword ptr fs:[00000030h]	6_2_015EC720
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EC720 mov eax, dword ptr fs:[00000030h]	6_2_015EC720
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0163E7E1 mov eax, dword ptr fs:[00000030h]	6_2_0163E7E1
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015BC7C0 mov eax, dword ptr fs:[00000030h]	6_2_015BC7C0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B47FB mov eax, dword ptr fs:[00000030h]	6_2_015B47FB
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B47FB mov eax, dword ptr fs:[00000030h]	6_2_015B47FB
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016307C3 mov eax, dword ptr fs:[00000030h]	6_2_016307C3
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015D27ED mov eax, dword ptr fs:[00000030h]	6_2_015D27ED
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015D27ED mov eax, dword ptr fs:[00000030h]	6_2_015D27ED
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015D27ED mov eax, dword ptr fs:[00000030h]	6_2_015D27ED
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016647A0 mov eax, dword ptr fs:[00000030h]	6_2_016647A0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0165678E mov eax, dword ptr fs:[00000030h]	6_2_0165678E
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B07AF mov eax, dword ptr fs:[00000030h]	6_2_015B07AF
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0167866E mov eax, dword ptr fs:[00000030h]	6_2_0167866E
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0167866E mov eax, dword ptr fs:[00000030h]	6_2_0167866E
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015CC640 mov eax, dword ptr fs:[00000030h]	6_2_015CC640
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015E2674 mov eax, dword ptr fs:[00000030h]	6_2_015E2674
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EA660 mov eax, dword ptr fs:[00000030h]	6_2_015EA660
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EA660 mov eax, dword ptr fs:[00000030h]	6_2_015EA660
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F2619 mov eax, dword ptr fs:[00000030h]	6_2_015F2619
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C260B mov eax, dword ptr fs:[00000030h]	6_2_015C260B
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C260B mov eax, dword ptr fs:[00000030h]	6_2_015C260B
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C260B mov eax, dword ptr fs:[00000030h]	6_2_015C260B
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C260B mov eax, dword ptr fs:[00000030h]	6_2_015C260B
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C260B mov eax, dword ptr fs:[00000030h]	6_2_015C260B
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C260B mov eax, dword ptr fs:[00000030h]	6_2_015C260B
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C260B mov eax, dword ptr fs:[00000030h]	6_2_015C260B
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0162E609 mov eax, dword ptr fs:[00000030h]	6_2_0162E609
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B262C mov eax, dword ptr fs:[00000030h]	6_2_015B262C
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015CE627 mov eax, dword ptr fs:[00000030h]	6_2_015CE627
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015E6620 mov eax, dword ptr fs:[00000030h]	6_2_015E6620
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015E8620 mov eax, dword ptr fs:[00000030h]	6_2_015E8620
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0162E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0162E6F2
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0162E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0162E6F2
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0162E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0162E6F2
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0162E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0162E6F2
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016306F1 mov eax, dword ptr fs:[00000030h]	6_2_016306F1
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016306F1 mov eax, dword ptr fs:[00000030h]	6_2_016306F1
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EA6C7 mov ebx, dword ptr fs:[00000030h]	6_2_015EA6C7
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EA6C7 mov eax, dword ptr fs:[00000030h]	6_2_015EA6C7
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B4690 mov eax, dword ptr fs:[00000030h]	6_2_015B4690
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B4690 mov eax, dword ptr fs:[00000030h]	6_2_015B4690
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015E66B0 mov eax, dword ptr fs:[00000030h]	6_2_015E66B0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EC6A6 mov eax, dword ptr fs:[00000030h]	6_2_015EC6A6
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01654978 mov eax, dword ptr fs:[00000030h]	6_2_01654978
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01654978 mov eax, dword ptr fs:[00000030h]	6_2_01654978
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0163C97C mov eax, dword ptr fs:[00000030h]	6_2_0163C97C
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01630946 mov eax, dword ptr fs:[00000030h]	6_2_01630946
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01684940 mov eax, dword ptr fs:[00000030h]	6_2_01684940
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F096E mov eax, dword ptr fs:[00000030h]	6_2_015F096E
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F096E mov edx, dword ptr fs:[00000030h]	6_2_015F096E
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015F096E mov eax, dword ptr fs:[00000030h]	6_2_015F096E
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015D6962 mov eax, dword ptr fs:[00000030h]	6_2_015D6962
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015D6962 mov eax, dword ptr fs:[00000030h]	6_2_015D6962
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015D6962 mov eax, dword ptr fs:[00000030h]	6_2_015D6962
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015A8918 mov eax, dword ptr fs:[00000030h]	6_2_015A8918
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015A8918 mov eax, dword ptr fs:[00000030h]	6_2_015A8918
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0163892A mov eax, dword ptr fs:[00000030h]	6_2_0163892A
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0164892B mov eax, dword ptr fs:[00000030h]	6_2_0164892B
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0162E908 mov eax, dword ptr fs:[00000030h]	6_2_0162E908
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0162E908 mov eax, dword ptr fs:[00000030h]	6_2_0162E908
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0163C912 mov eax, dword ptr fs:[00000030h]	6_2_0163C912
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0163E9E0 mov eax, dword ptr fs:[00000030h]	6_2_0163E9E0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015BA9D0 mov eax, dword ptr fs:[00000030h]	6_2_015BA9D0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015BA9D0 mov eax, dword ptr fs:[00000030h]	6_2_015BA9D0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015BA9D0 mov eax, dword ptr fs:[00000030h]	6_2_015BA9D0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015BA9D0 mov eax, dword ptr fs:[00000030h]	6_2_015BA9D0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015BA9D0 mov eax, dword ptr fs:[00000030h]	6_2_015BA9D0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015BA9D0 mov eax, dword ptr fs:[00000030h]	6_2_015BA9D0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015E49D0 mov eax, dword ptr fs:[00000030h]	6_2_015E49D0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016469C0 mov eax, dword ptr fs:[00000030h]	6_2_016469C0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015E29F9 mov eax, dword ptr fs:[00000030h]	6_2_015E29F9
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015E29F9 mov eax, dword ptr fs:[00000030h]	6_2_015E29F9
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0167A9D3 mov eax, dword ptr fs:[00000030h]	6_2_0167A9D3
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016389B3 mov esi, dword ptr fs:[00000030h]	6_2_016389B3
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016389B3 mov eax, dword ptr fs:[00000030h]	6_2_016389B3
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016389B3 mov eax, dword ptr fs:[00000030h]	6_2_016389B3
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B09AD mov eax, dword ptr fs:[00000030h]	6_2_015B09AD
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B09AD mov eax, dword ptr fs:[00000030h]	6_2_015B09AD
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C29A0 mov eax, dword ptr fs:[00000030h]	6_2_015C29A0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C29A0 mov eax, dword ptr fs:[00000030h]	6_2_015C29A0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C29A0 mov eax, dword ptr fs:[00000030h]	6_2_015C29A0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C29A0 mov eax, dword ptr fs:[00000030h]	6_2_015C29A0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C29A0 mov eax, dword ptr fs:[00000030h]	6_2_015C29A0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C29A0 mov eax, dword ptr fs:[00000030h]	6_2_015C29A0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C29A0 mov eax, dword ptr fs:[00000030h]	6_2_015C29A0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C29A0 mov eax, dword ptr fs:[00000030h]	6_2_015C29A0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C29A0 mov eax, dword ptr fs:[00000030h]	6_2_015C29A0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C29A0 mov eax, dword ptr fs:[00000030h]	6_2_015C29A0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C29A0 mov eax, dword ptr fs:[00000030h]	6_2_015C29A0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C29A0 mov eax, dword ptr fs:[00000030h]	6_2_015C29A0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C29A0 mov eax, dword ptr fs:[00000030h]	6_2_015C29A0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B4859 mov eax, dword ptr fs:[00000030h]	6_2_015B4859
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B4859 mov eax, dword ptr fs:[00000030h]	6_2_015B4859
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015E0854 mov eax, dword ptr fs:[00000030h]	6_2_015E0854
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0163E872 mov eax, dword ptr fs:[00000030h]	6_2_0163E872
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0163E872 mov eax, dword ptr fs:[00000030h]	6_2_0163E872
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01646870 mov eax, dword ptr fs:[00000030h]	6_2_01646870
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01646870 mov eax, dword ptr fs:[00000030h]	6_2_01646870
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C2840 mov ecx, dword ptr fs:[00000030h]	6_2_015C2840
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0165483A mov eax, dword ptr fs:[00000030h]	6_2_0165483A
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0165483A mov eax, dword ptr fs:[00000030h]	6_2_0165483A
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015D2835 mov eax, dword ptr fs:[00000030h]	6_2_015D2835
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015D2835 mov eax, dword ptr fs:[00000030h]	6_2_015D2835
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015D2835 mov eax, dword ptr fs:[00000030h]	6_2_015D2835
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015D2835 mov ecx, dword ptr fs:[00000030h]	6_2_015D2835
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015D2835 mov eax, dword ptr fs:[00000030h]	6_2_015D2835
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015D2835 mov eax, dword ptr fs:[00000030h]	6_2_015D2835
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EA830 mov eax, dword ptr fs:[00000030h]	6_2_015EA830
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0163C810 mov eax, dword ptr fs:[00000030h]	6_2_0163C810
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0167A8E4 mov eax, dword ptr fs:[00000030h]	6_2_0167A8E4
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015DE8C0 mov eax, dword ptr fs:[00000030h]	6_2_015DE8C0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EC8F9 mov eax, dword ptr fs:[00000030h]	6_2_015EC8F9
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EC8F9 mov eax, dword ptr fs:[00000030h]	6_2_015EC8F9
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_016808C0 mov eax, dword ptr fs:[00000030h]	6_2_016808C0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B0887 mov eax, dword ptr fs:[00000030h]	6_2_015B0887
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0163C89D mov eax, dword ptr fs:[00000030h]	6_2_0163C89D
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015A8B50 mov eax, dword ptr fs:[00000030h]	6_2_015A8B50
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01646B40 mov eax, dword ptr fs:[00000030h]	6_2_01646B40
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01646B40 mov eax, dword ptr fs:[00000030h]	6_2_01646B40
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015ACB7E mov eax, dword ptr fs:[00000030h]	6_2_015ACB7E
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01658B42 mov eax, dword ptr fs:[00000030h]	6_2_01658B42
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0167AB40 mov eax, dword ptr fs:[00000030h]	6_2_0167AB40
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01664B4B mov eax, dword ptr fs:[00000030h]	6_2_01664B4B
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01664B4B mov eax, dword ptr fs:[00000030h]	6_2_01664B4B
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0165EB50 mov eax, dword ptr fs:[00000030h]	6_2_0165EB50
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01682B57 mov eax, dword ptr fs:[00000030h]	6_2_01682B57
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01682B57 mov eax, dword ptr fs:[00000030h]	6_2_01682B57
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01682B57 mov eax, dword ptr fs:[00000030h]	6_2_01682B57
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01682B57 mov eax, dword ptr fs:[00000030h]	6_2_01682B57
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01678B28 mov eax, dword ptr fs:[00000030h]	6_2_01678B28
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01678B28 mov eax, dword ptr fs:[00000030h]	6_2_01678B28
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01684B00 mov eax, dword ptr fs:[00000030h]	6_2_01684B00
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015DEB20 mov eax, dword ptr fs:[00000030h]	6_2_015DEB20
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015DEB20 mov eax, dword ptr fs:[00000030h]	6_2_015DEB20
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0162EB1D mov eax, dword ptr fs:[00000030h]	6_2_0162EB1D
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0162EB1D mov eax, dword ptr fs:[00000030h]	6_2_0162EB1D
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0162EB1D mov eax, dword ptr fs:[00000030h]	6_2_0162EB1D
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0162EB1D mov eax, dword ptr fs:[00000030h]	6_2_0162EB1D
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0162EB1D mov eax, dword ptr fs:[00000030h]	6_2_0162EB1D
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0162EB1D mov eax, dword ptr fs:[00000030h]	6_2_0162EB1D
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0162EB1D mov eax, dword ptr fs:[00000030h]	6_2_0162EB1D
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0162EB1D mov eax, dword ptr fs:[00000030h]	6_2_0162EB1D
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0162EB1D mov eax, dword ptr fs:[00000030h]	6_2_0162EB1D
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0163CBF0 mov eax, dword ptr fs:[00000030h]	6_2_0163CBF0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015D0BCB mov eax, dword ptr fs:[00000030h]	6_2_015D0BCB
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015D0BCB mov eax, dword ptr fs:[00000030h]	6_2_015D0BCB
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015D0BCB mov eax, dword ptr fs:[00000030h]	6_2_015D0BCB
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B0BCD mov eax, dword ptr fs:[00000030h]	6_2_015B0BCD
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B0BCD mov eax, dword ptr fs:[00000030h]	6_2_015B0BCD
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B0BCD mov eax, dword ptr fs:[00000030h]	6_2_015B0BCD
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015DEBFC mov eax, dword ptr fs:[00000030h]	6_2_015DEBFC
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B8BF0 mov eax, dword ptr fs:[00000030h]	6_2_015B8BF0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B8BF0 mov eax, dword ptr fs:[00000030h]	6_2_015B8BF0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B8BF0 mov eax, dword ptr fs:[00000030h]	6_2_015B8BF0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0165EBD0 mov eax, dword ptr fs:[00000030h]	6_2_0165EBD0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01664BB0 mov eax, dword ptr fs:[00000030h]	6_2_01664BB0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01664BB0 mov eax, dword ptr fs:[00000030h]	6_2_01664BB0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C0BBE mov eax, dword ptr fs:[00000030h]	6_2_015C0BBE
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C0BBE mov eax, dword ptr fs:[00000030h]	6_2_015C0BBE
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0165EA60 mov eax, dword ptr fs:[00000030h]	6_2_0165EA60
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C0A5B mov eax, dword ptr fs:[00000030h]	6_2_015C0A5B
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015C0A5B mov eax, dword ptr fs:[00000030h]	6_2_015C0A5B
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B6A50 mov eax, dword ptr fs:[00000030h]	6_2_015B6A50
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B6A50 mov eax, dword ptr fs:[00000030h]	6_2_015B6A50
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B6A50 mov eax, dword ptr fs:[00000030h]	6_2_015B6A50
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B6A50 mov eax, dword ptr fs:[00000030h]	6_2_015B6A50
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B6A50 mov eax, dword ptr fs:[00000030h]	6_2_015B6A50
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B6A50 mov eax, dword ptr fs:[00000030h]	6_2_015B6A50
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B6A50 mov eax, dword ptr fs:[00000030h]	6_2_015B6A50
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0162CA72 mov eax, dword ptr fs:[00000030h]	6_2_0162CA72
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0162CA72 mov eax, dword ptr fs:[00000030h]	6_2_0162CA72
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015ECA6F mov eax, dword ptr fs:[00000030h]	6_2_015ECA6F
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015ECA6F mov eax, dword ptr fs:[00000030h]	6_2_015ECA6F
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015ECA6F mov eax, dword ptr fs:[00000030h]	6_2_015ECA6F
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015ECA38 mov eax, dword ptr fs:[00000030h]	6_2_015ECA38
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015D4A35 mov eax, dword ptr fs:[00000030h]	6_2_015D4A35
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015D4A35 mov eax, dword ptr fs:[00000030h]	6_2_015D4A35
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_0163CA11 mov eax, dword ptr fs:[00000030h]	6_2_0163CA11
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015DEA2E mov eax, dword ptr fs:[00000030h]	6_2_015DEA2E
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015ECA24 mov eax, dword ptr fs:[00000030h]	6_2_015ECA24
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015B0AD0 mov eax, dword ptr fs:[00000030h]	6_2_015B0AD0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015E4AD0 mov eax, dword ptr fs:[00000030h]	6_2_015E4AD0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015E4AD0 mov eax, dword ptr fs:[00000030h]	6_2_015E4AD0
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01606ACC mov eax, dword ptr fs:[00000030h]	6_2_01606ACC
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01606ACC mov eax, dword ptr fs:[00000030h]	6_2_01606ACC
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01606ACC mov eax, dword ptr fs:[00000030h]	6_2_01606ACC
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EAAEE mov eax, dword ptr fs:[00000030h]	6_2_015EAAEE
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015EAAEE mov eax, dword ptr fs:[00000030h]	6_2_015EAAEE
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_01606AA4 mov eax, dword ptr fs:[00000030h]	6_2_01606AA4
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015E8A90 mov edx, dword ptr fs:[00000030h]	6_2_015E8A90
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015BEA80 mov eax, dword ptr fs:[00000030h]	6_2_015BEA80
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Code function: 6_2_015BEA80 mov eax, dword ptr fs:[00000030h]	6_2_015BEA80

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 13.248.169.48 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 103.224.212.213 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 172.104.233.69 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 91.195.240.117 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.33.130.190 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.247.82.92 80	Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe

Memory written: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: NULL target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Section loaded: NULL target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Thread register set: target process: 3968			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Thread register set: target process: 3968			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe

Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: 830000

Jump to behavior

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Process created: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe"	Jump to behavior

Source: explorer.exe, 00000007.00000003.2161201978.00000000096A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075778703.00000000096A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773385359.0000000004460000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000002.3769738689.0000000001081000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1363206218.0000000001080000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000007.00000002.3769738689.0000000001081000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1363206218.0000000001080000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: EProgram Manager
Source: explorer.exe, 00000007.00000002.3767640508.0000000000889000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1362634820.0000000000889000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman
Source: explorer.exe, 00000007.00000002.3769738689.0000000001081000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1363206218.0000000001080000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Queries volume information: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 6.2.Documento de confirmacion de orden de compra OC 1580070060.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Documento de confirmacion de orden de compra OC 1580070060.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3769847094.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3769632843.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1365377346.0000000003DCE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 6.2.Documento de confirmacion de orden de compra OC 1580070060.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Documento de confirmacion de orden de compra OC 1580070060.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3769847094.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3769632843.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1365377346.0000000003DCE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Shared Modules	1 DLL Side-Loading	612 Process Injection	1 Rootkit	1 Credential API Hooking	121 Security Software Discovery	Remote Services	1 Credential API Hooking	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Masquerading	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Disable or Modify Tools	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	41 Virtualization/Sandbox Evasion	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	612 Process Injection	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	112 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Documento de confirmacion de orden de compra OC 1580070060.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun
Documento de confirmacion de orden de compra OC 1580070060.exe	73%	Virustotal		Browse
Documento de confirmacion de orden de compra OC 1580070060.exe	100%	Avira	HEUR/AGEN.1323682
Documento de confirmacion de orden de compra OC 1580070060.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
boostyourselftoday.com	2%	Virustotal	Browse
rdlva.com	1%	Virustotal	Browse
www.gourmetfoodfactory.com	1%	Virustotal	Browse
www.deespresence.com	0%	Virustotal	Browse
www.yassa-hany.online	0%	Virustotal	Browse
first-solution.online	4%	Virustotal	Browse
www.anti-theft-device-82641.bond	0%	Virustotal	Browse
www.tobegoodlife.net	0%	Virustotal	Browse
www.first-solution.online	4%	Virustotal	Browse
www.boostyourselftoday.com	1%	Virustotal	Browse
www.rdlva.com	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://schemas.micro	0%	URL Reputation	safe
http://www.go-bloggers.comReferer:	0%	Avira URL Cloud	safe
http://www.yobo-by.com/pz08/r	0%	Avira URL Cloud	safe
http://www.first-solution.online	100%	Avira URL Cloud	malware
http://www.boostyourselftoday.com/pz08/	0%	Avira URL Cloud	safe
http://www.erxkula.shop	0%	Avira URL Cloud	safe
http://www.hotelfincamalvasia.com/pz08/	0%	Avira URL Cloud	safe
http://www.hotelfincamalvasia.com/pz08/	0%	Virustotal		Browse
http://www.boostyourselftoday.com/pz08/	1%	Virustotal		Browse
http://www.tobegoodlife.net/pz08/?mzrPV4R=rNKgyUfibZYi2jFMK108bKnky+14wNxwM8NnE8KsHa7VIqkijrw0P4oWcpuZrVGnm++1&Rl=8pFP0r98Chvt5p5P	0%	Avira URL Cloud	safe
http://www.yassa-hany.online/pz08/?mzrPV4R=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuMVpBqNDhq+c&Rl=8pFP0r98Chvt5p5P	0%	Avira URL Cloud	safe
http://www.gourmetfoodfactory.com/pz08/	0%	Avira URL Cloud	safe
http://www.boostyourselftoday.comReferer:	0%	Avira URL Cloud	safe
http://www.liveforwardventures.comReferer:	0%	Avira URL Cloud	safe
http://www.deespresence.com	100%	Avira URL Cloud	malware
http://www.tobegoodlife.net	0%	Avira URL Cloud	safe
http://www.yassa-hany.onlineReferer:	0%	Avira URL Cloud	safe
http://www.first-solution.online	4%	Virustotal		Browse
http://www.rdlva.comReferer:	0%	Avira URL Cloud	safe
http://www.hotelfincamalvasia.com	0%	Avira URL Cloud	safe
www.rdlva.com/pz08/	0%	Avira URL Cloud	safe
http://www.tobegoodlife.net	0%	Virustotal		Browse
http://www.deespresence.com/pz08/?mzrPV4R=mxdTlzLD7R2wREPHHt3at4Gpr92+eFouLLpunB54pJiVolXtAgiSpNVnugXBmdY6T59Y&Rl=8pFP0r98Chvt5p5P	100%	Avira URL Cloud	malware
http://www.erxkula.shop/pz08/www.tobegoodlife.net	0%	Avira URL Cloud	safe
http://www.deespresence.com	0%	Virustotal		Browse
http://www.yassa-hany.online/pz08/www.phdop.xyz	0%	Avira URL Cloud	safe
http://www.hotelfincamalvasia.com	0%	Virustotal		Browse
http://www.anti-theft-device-82641.bond/pz08/www.erxkula.shop	0%	Avira URL Cloud	safe
http://www.gourmetfoodfactory.com/pz08/	1%	Virustotal		Browse
http://www.phdop.xyz/pz08/www.gourmetfoodfactory.com	100%	Avira URL Cloud	phishing
http://www.deespresence.comReferer:	0%	Avira URL Cloud	safe
http://www.fanyablack.com/pz08/	0%	Avira URL Cloud	safe
http://www.tobegoodlife.net/pz08/www.boostyourselftoday.com	0%	Avira URL Cloud	safe
https://word.office.com576	0%	Avira URL Cloud	safe
http://www.fanyablack.comReferer:	0%	Avira URL Cloud	safe
http://www.gourmetfoodfactory.com/pz08/www.rdlva.com	0%	Avira URL Cloud	safe
http://www.gourmetfoodfactory.com/pz08/?mzrPV4R=YXUHyuzV9xL0ASV6xbcNd1qnDMoomLXuS1YqahB0JTuNzOlGIgIKnXH69pHGKPL64RNK&Rl=8pFP0r98Chvt5p5P	0%	Avira URL Cloud	safe
http://www.phdop.xyz	0%	Avira URL Cloud	safe
http://www.tobegoodlife.netReferer:	0%	Avira URL Cloud	safe
http://www.rdlva.com/pz08/?mzrPV4R=sHUCYmOOLAoNE4y8/5cjc5MBwdY8WEAoN/4wEGeHNPnX/dfJjUbL6GitjPFCVlt2AKTz&Rl=8pFP0r98Chvt5p5P	0%	Avira URL Cloud	safe
http://www.go-bloggers.com/pz08/	0%	Avira URL Cloud	safe
http://www.anti-theft-device-82641.bond/pz08/	0%	Avira URL Cloud	safe
http://www.boostyourselftoday.com/pz08/www.yassa-hany.online	0%	Avira URL Cloud	safe
http://www.fanyablack.com	0%	Avira URL Cloud	safe
http://www.yassa-hany.online	0%	Avira URL Cloud	safe
http://www.deespresence.com/pz08/www.first-solution.online	100%	Avira URL Cloud	malware
http://www.rdlva.com	0%	Avira URL Cloud	safe
http://www.erxkula.shop/pz08/	0%	Avira URL Cloud	safe
http://www.liveforwardventures.com/pz08/www.go-bloggers.com	0%	Avira URL Cloud	safe
http://www.anti-theft-device-82641.bond/pz08/?mzrPV4R=w4iQQzmLgtkynP17ZMB2mbFkkIU6TbnESYYIzY5jx7ngWWHQ4I+nKrEmnl21fB9XO+Mu&Rl=8pFP0r98Chvt5p5P	0%	Avira URL Cloud	safe
http://www.liveforwardventures.com	0%	Avira URL Cloud	safe
http://www.liveforwardventures.com/pz08/	0%	Avira URL Cloud	safe
http://www.deespresence.com/pz08/	100%	Avira URL Cloud	malware
http://www.tobegoodlife.net/pz08/	0%	Avira URL Cloud	safe
https://powerpoint.office.comcemberZ	0%	Avira URL Cloud	safe
http://www.first-solution.online/pz08/www.anti-theft-device-82641.bond	100%	Avira URL Cloud	malware
http://www.first-solution.online/pz08/	100%	Avira URL Cloud	malware
http://www.gourmetfoodfactory.com	0%	Avira URL Cloud	safe
https://www.rdlva.com/pz08/?mzrPV4R=sHUCYmOOLAoNE4y8/5cjc5MBwdY8WEAoN/4wEGeHNPnX/dfJjUbL6GitjPFCVlt2	0%	Avira URL Cloud	safe
https://outlook.comNaP0B	0%	Avira URL Cloud	safe
http://www.rdlva.com/pz08/www.nordens-media.com	0%	Avira URL Cloud	safe
http://www.yobo-by.com	0%	Avira URL Cloud	safe
http://www.first-solution.onlineReferer:	0%	Avira URL Cloud	safe
http://www.erxkula.shopReferer:	0%	Avira URL Cloud	safe
http://www.boostyourselftoday.com	0%	Avira URL Cloud	safe
http://www.fanyablack.com/pz08/www.yobo-by.com	0%	Avira URL Cloud	safe
http://www.boostyourselftoday.com/pz08/?mzrPV4R=0FaXmte0/P3knfwA0sMIwS1mD7E8vQQWGPcDD9zpFFyhOAUFaj5MXy9fjN2AdDBFU3yO&Rl=8pFP0r98Chvt5p5P	0%	Avira URL Cloud	safe
http://www.gourmetfoodfactory.comReferer:	0%	Avira URL Cloud	safe
http://www.yobo-by.comReferer:	0%	Avira URL Cloud	safe
http://www.hotelfincamalvasia.comReferer:	0%	Avira URL Cloud	safe
http://www.hotelfincamalvasia.com/pz08/www.fanyablack.com	0%	Avira URL Cloud	safe
http://www.phdop.xyzReferer:	0%	Avira URL Cloud	safe
http://www.anti-theft-device-82641.bond	0%	Avira URL Cloud	safe
http://www.nordens-media.com/pz08/	0%	Avira URL Cloud	safe
http://www.nordens-media.comReferer:	0%	Avira URL Cloud	safe
http://www.go-bloggers.com/pz08/www.hotelfincamalvasia.com	0%	Avira URL Cloud	safe
http://www.nordens-media.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
boostyourselftoday.com	172.104.233.69	true	true	2%, Virustotal, Browse	unknown
rdlva.com	3.33.130.190	true	true	1%, Virustotal, Browse	unknown
www.gourmetfoodfactory.com	13.248.169.48	true	true	1%, Virustotal, Browse	unknown
www.deespresence.com	91.195.240.117	true	true	0%, Virustotal, Browse	unknown
www.yassa-hany.online	103.224.212.213	true	true	0%, Virustotal, Browse	unknown
first-solution.online	3.33.130.190	true	true	4%, Virustotal, Browse	unknown
www.anti-theft-device-82641.bond	104.247.82.92	true	true	0%, Virustotal, Browse	unknown
www.tobegoodlife.net	91.195.240.117	true	true	0%, Virustotal, Browse	unknown
www.first-solution.online	unknown	unknown	true	4%, Virustotal, Browse	unknown
www.erxkula.shop	unknown	unknown	true		unknown
www.boostyourselftoday.com	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.rdlva.com	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.yassa-hany.online/pz08/?mzrPV4R=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuMVpBqNDhq+c&Rl=8pFP0r98Chvt5p5P	true	Avira URL Cloud: safe	unknown
http://www.tobegoodlife.net/pz08/?mzrPV4R=rNKgyUfibZYi2jFMK108bKnky+14wNxwM8NnE8KsHa7VIqkijrw0P4oWcpuZrVGnm++1&Rl=8pFP0r98Chvt5p5P	true	Avira URL Cloud: safe	unknown
www.rdlva.com/pz08/	true	Avira URL Cloud: safe	low
http://www.deespresence.com/pz08/?mzrPV4R=mxdTlzLD7R2wREPHHt3at4Gpr92+eFouLLpunB54pJiVolXtAgiSpNVnugXBmdY6T59Y&Rl=8pFP0r98Chvt5p5P	true	Avira URL Cloud: malware	unknown
http://www.gourmetfoodfactory.com/pz08/?mzrPV4R=YXUHyuzV9xL0ASV6xbcNd1qnDMoomLXuS1YqahB0JTuNzOlGIgIKnXH69pHGKPL64RNK&Rl=8pFP0r98Chvt5p5P	true	Avira URL Cloud: safe	unknown
http://www.rdlva.com/pz08/?mzrPV4R=sHUCYmOOLAoNE4y8/5cjc5MBwdY8WEAoN/4wEGeHNPnX/dfJjUbL6GitjPFCVlt2AKTz&Rl=8pFP0r98Chvt5p5P	true	Avira URL Cloud: safe	unknown
http://www.anti-theft-device-82641.bond/pz08/?mzrPV4R=w4iQQzmLgtkynP17ZMB2mbFkkIU6TbnESYYIzY5jx7ngWWHQ4I+nKrEmnl21fB9XO+Mu&Rl=8pFP0r98Chvt5p5P	true	Avira URL Cloud: safe	unknown
http://www.boostyourselftoday.com/pz08/?mzrPV4R=0FaXmte0/P3knfwA0sMIwS1mD7E8vQQWGPcDD9zpFFyhOAUFaj5MXy9fjN2AdDBFU3yO&Rl=8pFP0r98Chvt5p5P	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.erxkula.shop	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.yobo-by.com/pz08/r	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.go-bloggers.comReferer:	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.boostyourselftoday.com/pz08/	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://wns.windows.com/bat	explorer.exe, 00000007.00000002.3779782500.0000000009734000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3074357398.0000000009734000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2160822500.0000000009715000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1371361746.00000000095B9000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.hotelfincamalvasia.com/pz08/	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.first-solution.online	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.gourmetfoodfactory.com/pz08/	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3074676550.0000000002FB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1363775067.0000000002FA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3770353382.0000000002FB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.boostyourselftoday.comReferer:	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/california-workers-will-get-five-sick-days-instead-of-three-	explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-	explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.liveforwardventures.comReferer:	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppin	explorer.exe, 00000007.00000003.2161248237.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1377558024.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.deespresence.com	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.tobegoodlife.net	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.yassa-hany.onlineReferer:	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/companies/legacy-park-auction-canceled-liquidation-proposed-here-s-w	explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.hotelfincamalvasia.com	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.rdlva.comReferer:	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.erxkula.shop/pz08/www.tobegoodlife.net	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.yassa-hany.online/pz08/www.phdop.xyz	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Documento de confirmacion de orden de compra OC 1580070060.exe, 00000002.00000002.1363884469.0000000002C39000.00000004.00000800.00020000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi	explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.anti-theft-device-82641.bond/pz08/www.erxkula.shop	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.phdop.xyz/pz08/www.gourmetfoodfactory.com	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000007.00000003.2161201978.00000000096A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1371361746.00000000095B9000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.deespresence.comReferer:	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/realestate/my-husband-and-i-paid-off-our-mortgage-more-than-15-years	explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		high
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/v1/news/Feed/Windows?activityId=C2BB6DDCE8D847D6B779FE8AEC27D161&timeOut=5000&oc	explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.fanyablack.com/pz08/	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tobegoodlife.net/pz08/www.boostyourselftoday.com	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://word.office.com576	explorer.exe, 00000007.00000003.2161248237.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076400890.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1377558024.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3783880264.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fanyablack.comReferer:	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gourmetfoodfactory.com/pz08/www.rdlva.com	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.phdop.xyz	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tobegoodlife.netReferer:	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000007.00000003.2161248237.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1377558024.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.go-bloggers.com/pz08/	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg	explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.anti-theft-device-82641.bond/pz08/	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.boostyourselftoday.com/pz08/www.yassa-hany.online	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fanyablack.com	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/$	explorer.exe, 00000007.00000002.3777035401.00000000093B4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1369898580.00000000093B4000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.yassa-hany.online	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 00000007.00000002.3777035401.00000000093B4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1369898580.00000000093B4000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.deespresence.com/pz08/www.first-solution.online	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/health/wellness/7-secrets-to-a-happy-old-age-backed-by-science/ss-AA1hwpvW	explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.rdlva.com	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.erxkula.shop/pz08/	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://img.sedoparking.com	explorer.exe, 00000007.00000002.3788080356.0000000010BAF000.00000004.80000000.00040000.00000000.sdmp, wlanext.exe, 00000009.00000002.3770571332.00000000039AF000.00000004.10000000.00040000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b	explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.micro	explorer.exe, 00000007.00000002.3775616334.0000000007B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.3775547148.0000000007AF0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.3770049273.0000000002C00000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.liveforwardventures.com/pz08/www.go-bloggers.com	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg	explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.liveforwardventures.com	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.liveforwardventures.com/pz08/	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.deespresence.com/pz08/	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.tobegoodlife.net/pz08/	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://powerpoint.office.comcemberZ	explorer.exe, 00000007.00000003.2161248237.000000000D0B8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3783880264.000000000D073000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1377558024.000000000CFF4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076400890.000000000D046000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3079426229.000000000D072000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.first-solution.online/pz08/www.anti-theft-device-82641.bond	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.msn.com/X	explorer.exe, 00000007.00000002.3777035401.00000000093B4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1369898580.00000000093B4000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/world/pastor-of-atlanta-based-megachurch-faces-backlash-after-controv	explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.first-solution.online/pz08/	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.gourmetfoodfactory.com	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.rdlva.com/pz08/?mzrPV4R=sHUCYmOOLAoNE4y8/5cjc5MBwdY8WEAoN/4wEGeHNPnX/dfJjUbL6GitjPFCVlt2	explorer.exe, 00000007.00000002.3788080356.0000000010BAF000.00000004.80000000.00040000.00000000.sdmp, wlanext.exe, 00000009.00000002.3770571332.00000000039AF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.comNaP0B	explorer.exe, 00000007.00000003.2161248237.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076400890.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1377558024.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3783880264.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rdlva.com/pz08/www.nordens-media.com	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.yobo-by.com	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al	explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.first-solution.onlineReferer:	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.erxkula.shopReferer:	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/world/ukraine-live-briefing-biden-does-worry-house-drama-will-impact-	explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.boostyourselftoday.com	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fanyablack.com/pz08/www.yobo-by.com	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gourmetfoodfactory.comReferer:	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.yobo-by.comReferer:	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hotelfincamalvasia.com/pz08/www.fanyablack.com	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hotelfincamalvasia.comReferer:	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.phdop.xyzReferer:	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.anti-theft-device-82641.bond	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/opinion/decline-of-decorum-21-essential-manners-today-s-parents-fail-	explorer.exe, 00000007.00000000.1366712290.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075887866.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2163995180.0000000006FE6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3773909244.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.nordens-media.com/pz08/	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nordens-media.comReferer:	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.go-bloggers.com/pz08/www.hotelfincamalvasia.com	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nordens-media.com	explorer.exe, 00000007.00000003.2158773732.000000000D5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3785395195.000000000D5E3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.sedo.com/services/parking.php3	explorer.exe, 00000007.00000002.3788080356.0000000010BAF000.00000004.80000000.00040000.00000000.sdmp, wlanext.exe, 00000009.00000002.3770571332.00000000039AF000.00000004.10000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
91.195.240.117	www.deespresence.com	Germany	47846	SEDO-ASDE	true
13.248.169.48	www.gourmetfoodfactory.com	United States	16509	AMAZON-02US	true
103.224.212.213	www.yassa-hany.online	Australia	133618	TRELLIAN-AS-APTrellianPtyLimitedAU	true
172.104.233.69	boostyourselftoday.com	United States	63949	LINODE-APLinodeLLCUS	true
3.33.130.190	rdlva.com	United States	8987	AMAZONEXPANSIONGB	true
104.247.82.92	www.anti-theft-device-82641.bond	Canada	206834	TEAMINTERNET-CA-ASCA	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1392765
Start date and time:	2024-02-15 12:05:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Documento de confirmacion de orden de compra OC 1580070060.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/6@9/6
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 97% Number of executed functions: 106 Number of non-executed functions: 301
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.18.118.41, 104.18.119.41
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, vip.imcart.shop.cdn.cloudflare.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target explorer.exe, PID 3968 because there are no executed function
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:06:04	API Interceptor	1x Sleep call for process: Documento de confirmacion de orden de compra OC 1580070060.exe modified
12:06:09	API Interceptor	12x Sleep call for process: powershell.exe modified
12:06:14	API Interceptor	7538420x Sleep call for process: explorer.exe modified
12:06:56	API Interceptor	7882881x Sleep call for process: wlanext.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
91.195.240.117	Signed_order_021424.bat	Get hash	malicious	FormBook, DBatLoader	Browse	www.veripost.net/fd05/
	Banka odeme havale makbuzu 20240213 TL950000900.exe	Get hash	malicious	FormBook	Browse	www.baerana.com/pz08/?_fr0y=qrRLUxO&0pT=iUtqEraofiOoamAGmz9y1BZqdP67NXRhW/u/s4hsis3XwB7pF+A9OlO8MX3HYYw8k/v8
	rBCPcomprobante.exe	Get hash	malicious	FormBook	Browse	www.trendsdrop.com/pz08/?pR-l7PfH=0M5dcOd0a8Tfp9h79+xfp+SCMPgN/ustfC2qpfyEpkvPrmMkp79I5o75i3Q+rWeBcIQF&CrFT7j=ftx8Clc09Ned3F
	PO-H23-0006384.exe	Get hash	malicious	FormBook	Browse	www.artcitytheatre.com/nk2s/
	Banka odeme havale makbuzu 20240209 TL950000900.exe	Get hash	malicious	FormBook	Browse	www.tobegoodlife.net/pz08/?BX=rNKgyUfibZYi2jFMK108bKnky+14wNxwM8NnE8KsHa7VIqkijrw0P4oWcqawi1Kfve+1&_hg0=jlQXPdnpD
	Banka odeme havale makbuzu 20240209 TL950000900.exe	Get hash	malicious	FormBook	Browse	www.besttravelsgate.com/pz08/?9r7Hc=BdU8&w81P-PhP=LJNuoPCvrIYMX4SojebtJ/6O6huLJniGJdFfecLM9Cjw0AhzIqSjab1CQjBRX9oGjn33
	Repeat_Order_#020823.bat	Get hash	malicious	FormBook, DBatLoader	Browse	www.veripost.net/fd05/
	gG5dwIYGbEQZBt7.exe	Get hash	malicious	FormBook	Browse	www.boatnirvanalife.com/cz30/
	DFFF.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.hamdan-enterprises.com/gc3h/?GN9=pVYrtA9dL+V6FlQQ/3ewYhgqlADAtbEPsNv0MyEA93osxYtLeWVP+fpTqecyOoIH9sCB3C5qTBz4rBw/TrHkQe4f+mqlZM1aoQ==&d81=ZhATkXfxPBvHAvo
	file.exe	Get hash	malicious	FormBook	Browse	www.hamdan-enterprises.com/gc3h/?xp=pVYrtA9dL+V6FlQPnHfnZSJyvgP+qZsPsNv0MyEA93osxYtLeWVP+fpTqecyOoIH9sCB3C5qTBz4rBw/TrHlGsIP6Q2bROJj6w==&8BJ=eDZDmLMxRbH8
13.248.169.48	http://borg.wtf	Get hash	malicious	Unknown	Browse	borg.wtf/
	O4FR7BTmYq.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.linktotechnologies.com/cg86/
	Solicitud de precio (ORDEN DE COMPRA A4-000004024).bat.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.yxys.xyz/hi5f/?kzrxPp=cgeHYOWul7i1U2UxKWBUstKkqz+XHk6jUl2uFtikaoff3qvRFshV6rzyVgFc5XCkRy1w&9rh=_hrX_
	S23UhdW5DH.exe	Get hash	malicious	LummaC, Glupteba, SmokeLoader, Socks5Systemz, Stealc	Browse	secure.vexcorp.com/admin/
	Offer_Request.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.projectsupdate.com/hi5f/?ETAlgZ0=jQsp53mu0hQVV/oiY2zhGvLghMb60HFcVyKrksP3rYPIcugbhXddbCpyKkM8GbUn85yz&VR-XC=02Jp68sholRD2Xq0
	a5hbkmGD7N.exe	Get hash	malicious	Pushdo	Browse	www.otena.com/
	file.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.glovegpt.com/ce10/?lv7T7b-=xgTPoZP+wGaD3fYSeGX70ZdeG9KI5pd7X2NwVM4gmAPT+uhONMVhMD5uawLSBeZjB36e&U48pU2=ghcPOpDPXB44VLF
	http://catsdegree.com	Get hash	malicious	Unknown	Browse	catsdegree.com/
	x21iMpR0I1.exe	Get hash	malicious	FormBook	Browse	www.consultingconsultants.com/de74/?kxl0dl=HcqrJas7Hw8+ahuoUtQYWCwyAFBxHXNXOqic7snQN/jDIetBVFmu2W59sOhBMZZ5RnMs&jTF4=DhOx3
	PO_88874637463836483.xls	Get hash	malicious	FormBook	Browse	www.consultingconsultants.com/de74/?oPL8bZE=HcqrJatPbA9KHx7bKdQYWCwyAFBxHXNXOq6Mnv7RJfjCIvBHSV3igSB/vrZXX950ZUBcPQ==&2dt=Lxll6n0PHP_xoRr0

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.anti-theft-device-82641.bond	Banka odeme havale makbuzu 20240209 TL950000900.exe	Get hash	malicious	FormBook	Browse	104.247.82.92
www.yassa-hany.online	rBCPcomprobante.exe	Get hash	malicious	FormBook	Browse	103.224.212.213
www.tobegoodlife.net	Banka odeme havale makbuzu 20240213 TL950000900.exe	Get hash	malicious	FormBook	Browse	91.195.240.117
www.tobegoodlife.net	Banka odeme havale makbuzu 20240209 TL950000900.exe	Get hash	malicious	FormBook	Browse	91.195.240.117

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LINODE-APLinodeLLCUS	http://www.nenechicken.com.au	Get hash	malicious	Unknown	Browse	172.104.175.5
	https://r20.rs6.net/tn.jsp?f=001yZn-3dvRVW2-A2mYw7PoamABWt60wrJSxJ2h6w6hX5EwH11SamAM2Jq7-9DdZeg0ILplLEJCGKxzL8lwX32DtMPOeazQTt_-KAsk_WLPDWbuDsHoUZJ4shHnCidOLSoppfAcsul4teMMc-7ccxylMw==&c=&ch=&__=/2384976/pslkrvrnlepnqgrezikdmnpipdefiayzcbzdjcxfgmkfonenkyikevdkgdenrqsoimetxtgvdztiesfpbokpoanmtekbdxqequhbcffrirbbizsnxwrbumlfeftbvcyfhwxabszfejbvhovdjwyntfclmitbyqautoezlcbpiynmdycinxqdslujvgmuujdcgadyleki/bGluZHNleS5zb2JvbG9za2lAb3Zlcmxha2Vob3NwaXRhbC5vcmc=	Get hash	malicious	HTMLPhisher	Browse	45.56.104.115
	Wezwanie_swiadka.pdf.exe	Get hash	malicious	LimeRAT	Browse	45.33.6.223
	S8NBeK3N9M.elf	Get hash	malicious	Unknown	Browse	104.237.154.37
	3cb0cd.msi	Get hash	malicious	Unknown	Browse	172.105.41.109
	8e0nyWHFII.elf	Get hash	malicious	Mirai	Browse	139.162.103.208
	Quotation following specifications.exe	Get hash	malicious	FormBook	Browse	72.14.178.174
	XUe68HDW4w.elf	Get hash	malicious	Mirai	Browse	172.104.69.38
	http://gn.net/ds-server/s/noauth/psm/tsp/sign	Get hash	malicious	Unknown	Browse	96.126.123.244
	Va8wXzulSy.elf	Get hash	malicious	Mirai	Browse	172.105.176.100
TRELLIAN-AS-APTrellianPtyLimitedAU	2024-09C33T37.exe	Get hash	malicious	FormBook	Browse	103.224.212.213
	z2______________________________.exe	Get hash	malicious	FormBook	Browse	103.224.212.212
	Confirm PDF.exe	Get hash	malicious	FormBook	Browse	103.224.212.214
	rBCPcomprobante.exe	Get hash	malicious	FormBook	Browse	103.224.212.213
	http://yaatde.com	Get hash	malicious	Unknown	Browse	103.224.182.206
	Purchase_Order_PA056223.pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.224.212.216
	jYLXwtSJOP.exe	Get hash	malicious	FormBook	Browse	103.224.212.214
	AL5052H32.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	103.224.212.215
	SsQblB4e3Y.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse	103.224.182.210
	sample.exe	Get hash	malicious	Unknown	Browse	103.224.182.251
AMAZONEXPANSIONGB	C5CzixDMBu.elf	Get hash	malicious	Unknown	Browse	3.47.189.126
	fnU3Ijt1Vj.elf	Get hash	malicious	Mirai	Browse	3.33.192.254
	Order.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	https://att-102215-107635.weeblysite.com/	Get hash	malicious	Unknown	Browse	52.223.40.198
	https://atttttttttttttttttttttt.weeblysite.com/	Get hash	malicious	Unknown	Browse	3.33.220.150
	https://aikcnekapmvcwx.weeblysite.com/	Get hash	malicious	Unknown	Browse	52.223.40.198
	International Bank transfer.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	Signed_order_021424.bat	Get hash	malicious	FormBook, DBatLoader	Browse	3.33.130.190
	PDFViewer_46615443.msi	Get hash	malicious	Unknown	Browse	3.33.220.150
	z14POO230487PDF.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
SEDO-ASDE	Signed_order_021424.bat	Get hash	malicious	FormBook, DBatLoader	Browse	91.195.240.117
	z14POO230487PDF.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	z2______________________________.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	FedEx_24021747701.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	FedEx_2402657477.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	91.195.240.19
	Confirm PDF.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	Banka odeme havale makbuzu 20240213 TL950000900.exe	Get hash	malicious	FormBook	Browse	91.195.240.117
	http://Tw1tter.com/Dionspizza	Get hash	malicious	Unknown	Browse	91.195.240.19
	Quotation following specifications.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	rBCPcomprobante.exe	Get hash	malicious	FormBook	Browse	91.195.240.117
AMAZON-02US	D9guGLReiK.elf	Get hash	malicious	Mirai	Browse	34.211.136.192
	jihIfXyawu.elf	Get hash	malicious	Unknown	Browse	205.251.241.87
	1i6AYlf1Wy.elf	Get hash	malicious	Unknown	Browse	18.251.72.191
	t3ttQtxRbr.elf	Get hash	malicious	Unknown	Browse	54.76.210.60
	MGQwnoKsQp.elf	Get hash	malicious	Mirai	Browse	13.241.199.93
	ingxqWafxG.elf	Get hash	malicious	Unknown	Browse	54.112.215.90
	76jwdvsFu5.elf	Get hash	malicious	Mirai	Browse	52.194.21.172
	28Xb84iqN9.elf	Get hash	malicious	Unknown	Browse	52.195.249.21
	ywx70mxw3e.elf	Get hash	malicious	Mirai	Browse	35.163.216.9
	s7so8mnWZD.elf	Get hash	malicious	Unknown	Browse	54.250.37.225

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Documento de confirmacion de orden de compra OC 1580070060.exe.log

Download File

Process:	C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1172
Entropy (8bit):	5.357042452875322
Encrypted:	false
SSDEEP:	24:3CytZWSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NKIl9r6dj:yyjWSU4y4RQmFoUeWmfmZ9tK8NDE
MD5:	475D428E7231D005EEA5DB556DBED03F
SHA1:	3D603ED4280E0017D1BEB124D68183F8283B5C22
SHA-256:	1314488A930843A7E1A003F2E7C1D883DB44ADEC26AC1CA096FE8DC1B4B180F5
SHA-512:	7181BDCE6DA8DA8AFD3A973BB2B0BA470468EFF32FFB338DB2662FEFA1A7848ACD87C319706B95401EA18DC873CA098DC722EA6F8B2FD04F1AABD2AEBEA97CF9
Malicious:	false
Reputation:	low
Preview:	@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1xkzmlbg.qpv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cslxg2va.3di.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z3krb0xd.obv.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z5ardnbx.tgh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.9585582968798265
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Documento de confirmacion de orden de compra OC 1580070060.exe
File size:	620'544 bytes
MD5:	244606adb1918cd7f50048a8ec6f5d1c
SHA1:	4cac8a6114ec36b361f76510f8614408c8c091ae
SHA256:	8a75a7116ae80c077d8d4674fa044bd40670844116f200337bbbcef5ae3ee9a1
SHA512:	488d8829e170fda65fd6327b3088c1605764b0983280bf5935603cf87f12abb51f9e71a25a15b33b24dad3a9bd9f74627202c21ffeb1f017f80b517d6ef2ac5f
SSDEEP:	12288:j2eQ5vziHD5Tmew6hV6/lRNZPj9x6LEbOFMSgPTsuM:CriFT6ymzj9xuElSqsuM
TLSH:	93D4230E22087663C7CD09F994500A4273B9A76251CBE7C79F6750BD10BBFDE4662E47
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*T.e.................n............... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x498db6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x65CB542A [Tue Feb 13 11:36:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x98d5c	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9a000	0x5ec	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x96dbc	0x96e00	eaa644ff18a8b6a6ee9acee6277ea763	False	0.9617287826222038	OpenPGP Public Key	7.964658769466714	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x9a000	0x5ec	0x600	071124c31f7641d1c3571907d068cabd	False	0.4459635416666667	data	4.222016903211497	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9c000	0xc	0x200	74bf6c3f8b942d7dadf005a6a6ee9c62	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x9a0a0	0x398	OpenPGP Public Key			0.42391304347826086
RT_MANIFEST	0x9a438	0x1b4	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (433), with no line terminators			0.5642201834862385

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.10172.104.233.6949718802031412 02/15/24-12:08:33.578230	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49718	80	192.168.2.10	172.104.233.69
192.168.2.103.33.130.19049714802031412 02/15/24-12:07:10.035583	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49714	80	192.168.2.10	3.33.130.190
192.168.2.1091.195.240.11749717802031412 02/15/24-12:08:12.279647	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49717	80	192.168.2.10	91.195.240.117
192.168.2.10104.247.82.9249715802031412 02/15/24-12:07:31.796089	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49715	80	192.168.2.10	104.247.82.92
192.168.2.10103.224.212.21349719802031412 02/15/24-12:08:53.961818	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49719	80	192.168.2.10	103.224.212.213
192.168.2.10104.18.118.4149716802031412 02/15/24-12:07:52.346420	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49716	80	192.168.2.10	104.18.118.41
192.168.2.1013.248.169.4849720802031412 02/15/24-12:09:35.485729	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49720	80	192.168.2.10	13.248.169.48
192.168.2.103.33.130.19049721802031412 02/15/24-12:09:55.854946	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49721	80	192.168.2.10	3.33.130.190

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 15, 2024 12:06:50.764517069 CET	49712	80	192.168.2.10	91.195.240.117
Feb 15, 2024 12:06:50.972918987 CET	80	49712	91.195.240.117	192.168.2.10
Feb 15, 2024 12:06:50.973134995 CET	49712	80	192.168.2.10	91.195.240.117
Feb 15, 2024 12:06:50.973273993 CET	49712	80	192.168.2.10	91.195.240.117
Feb 15, 2024 12:06:51.181540966 CET	80	49712	91.195.240.117	192.168.2.10
Feb 15, 2024 12:07:09.933036089 CET	49714	80	192.168.2.10	3.33.130.190
Feb 15, 2024 12:07:10.035330057 CET	80	49714	3.33.130.190	192.168.2.10
Feb 15, 2024 12:07:10.035422087 CET	49714	80	192.168.2.10	3.33.130.190
Feb 15, 2024 12:07:10.035583019 CET	49714	80	192.168.2.10	3.33.130.190
Feb 15, 2024 12:07:10.137020111 CET	80	49714	3.33.130.190	192.168.2.10
Feb 15, 2024 12:07:10.154119015 CET	80	49714	3.33.130.190	192.168.2.10
Feb 15, 2024 12:07:10.154146910 CET	80	49714	3.33.130.190	192.168.2.10
Feb 15, 2024 12:07:10.154396057 CET	49714	80	192.168.2.10	3.33.130.190
Feb 15, 2024 12:07:10.154488087 CET	49714	80	192.168.2.10	3.33.130.190
Feb 15, 2024 12:07:10.160552025 CET	80	49714	3.33.130.190	192.168.2.10
Feb 15, 2024 12:07:10.160617113 CET	49714	80	192.168.2.10	3.33.130.190
Feb 15, 2024 12:07:10.255908012 CET	80	49714	3.33.130.190	192.168.2.10
Feb 15, 2024 12:07:31.520479918 CET	49715	80	192.168.2.10	104.247.82.92
Feb 15, 2024 12:07:31.657993078 CET	80	49715	104.247.82.92	192.168.2.10
Feb 15, 2024 12:07:31.658310890 CET	49715	80	192.168.2.10	104.247.82.92
Feb 15, 2024 12:07:31.795949936 CET	80	49715	104.247.82.92	192.168.2.10
Feb 15, 2024 12:07:31.796088934 CET	49715	80	192.168.2.10	104.247.82.92
Feb 15, 2024 12:07:31.933517933 CET	80	49715	104.247.82.92	192.168.2.10
Feb 15, 2024 12:07:31.933535099 CET	80	49715	104.247.82.92	192.168.2.10
Feb 15, 2024 12:07:31.933547020 CET	80	49715	104.247.82.92	192.168.2.10
Feb 15, 2024 12:07:31.933821917 CET	49715	80	192.168.2.10	104.247.82.92
Feb 15, 2024 12:07:31.933821917 CET	49715	80	192.168.2.10	104.247.82.92
Feb 15, 2024 12:07:32.071439981 CET	80	49715	104.247.82.92	192.168.2.10
Feb 15, 2024 12:08:12.070992947 CET	49717	80	192.168.2.10	91.195.240.117
Feb 15, 2024 12:08:12.279380083 CET	80	49717	91.195.240.117	192.168.2.10
Feb 15, 2024 12:08:12.279474974 CET	49717	80	192.168.2.10	91.195.240.117
Feb 15, 2024 12:08:12.279647112 CET	49717	80	192.168.2.10	91.195.240.117
Feb 15, 2024 12:08:12.528456926 CET	80	49717	91.195.240.117	192.168.2.10
Feb 15, 2024 12:08:12.538943052 CET	80	49717	91.195.240.117	192.168.2.10
Feb 15, 2024 12:08:12.538960934 CET	80	49717	91.195.240.117	192.168.2.10
Feb 15, 2024 12:08:12.538973093 CET	80	49717	91.195.240.117	192.168.2.10
Feb 15, 2024 12:08:12.539007902 CET	80	49717	91.195.240.117	192.168.2.10
Feb 15, 2024 12:08:12.539020061 CET	80	49717	91.195.240.117	192.168.2.10
Feb 15, 2024 12:08:12.539035082 CET	49717	80	192.168.2.10	91.195.240.117
Feb 15, 2024 12:08:12.539052010 CET	49717	80	192.168.2.10	91.195.240.117
Feb 15, 2024 12:08:12.539061069 CET	80	49717	91.195.240.117	192.168.2.10
Feb 15, 2024 12:08:12.539074898 CET	80	49717	91.195.240.117	192.168.2.10
Feb 15, 2024 12:08:12.539087057 CET	80	49717	91.195.240.117	192.168.2.10
Feb 15, 2024 12:08:12.539096117 CET	49717	80	192.168.2.10	91.195.240.117
Feb 15, 2024 12:08:12.539105892 CET	80	49717	91.195.240.117	192.168.2.10
Feb 15, 2024 12:08:12.539119959 CET	80	49717	91.195.240.117	192.168.2.10
Feb 15, 2024 12:08:12.539134026 CET	49717	80	192.168.2.10	91.195.240.117
Feb 15, 2024 12:08:12.539161921 CET	49717	80	192.168.2.10	91.195.240.117
Feb 15, 2024 12:08:12.747560978 CET	80	49717	91.195.240.117	192.168.2.10
Feb 15, 2024 12:08:12.747591972 CET	80	49717	91.195.240.117	192.168.2.10
Feb 15, 2024 12:08:12.747606039 CET	80	49717	91.195.240.117	192.168.2.10
Feb 15, 2024 12:08:12.747618914 CET	80	49717	91.195.240.117	192.168.2.10
Feb 15, 2024 12:08:12.747637987 CET	49717	80	192.168.2.10	91.195.240.117
Feb 15, 2024 12:08:12.747656107 CET	80	49717	91.195.240.117	192.168.2.10
Feb 15, 2024 12:08:12.747665882 CET	49717	80	192.168.2.10	91.195.240.117
Feb 15, 2024 12:08:12.747677088 CET	80	49717	91.195.240.117	192.168.2.10
Feb 15, 2024 12:08:12.747689009 CET	80	49717	91.195.240.117	192.168.2.10
Feb 15, 2024 12:08:12.747705936 CET	80	49717	91.195.240.117	192.168.2.10
Feb 15, 2024 12:08:12.747714043 CET	49717	80	192.168.2.10	91.195.240.117
Feb 15, 2024 12:08:12.747788906 CET	49717	80	192.168.2.10	91.195.240.117
Feb 15, 2024 12:08:12.747812986 CET	49717	80	192.168.2.10	91.195.240.117
Feb 15, 2024 12:08:12.956003904 CET	80	49717	91.195.240.117	192.168.2.10
Feb 15, 2024 12:08:33.356174946 CET	49718	80	192.168.2.10	172.104.233.69
Feb 15, 2024 12:08:33.577996969 CET	80	49718	172.104.233.69	192.168.2.10
Feb 15, 2024 12:08:33.578157902 CET	49718	80	192.168.2.10	172.104.233.69
Feb 15, 2024 12:08:33.578229904 CET	49718	80	192.168.2.10	172.104.233.69
Feb 15, 2024 12:08:33.782267094 CET	80	49718	172.104.233.69	192.168.2.10
Feb 15, 2024 12:08:33.891448021 CET	80	49718	172.104.233.69	192.168.2.10
Feb 15, 2024 12:08:33.891495943 CET	80	49718	172.104.233.69	192.168.2.10
Feb 15, 2024 12:08:33.891612053 CET	49718	80	192.168.2.10	172.104.233.69
Feb 15, 2024 12:08:33.891689062 CET	49718	80	192.168.2.10	172.104.233.69
Feb 15, 2024 12:08:34.095552921 CET	80	49718	172.104.233.69	192.168.2.10
Feb 15, 2024 12:08:53.811980009 CET	49719	80	192.168.2.10	103.224.212.213
Feb 15, 2024 12:08:53.961543083 CET	80	49719	103.224.212.213	192.168.2.10
Feb 15, 2024 12:08:53.961684942 CET	49719	80	192.168.2.10	103.224.212.213
Feb 15, 2024 12:08:53.961817980 CET	49719	80	192.168.2.10	103.224.212.213
Feb 15, 2024 12:08:54.123760939 CET	80	49719	103.224.212.213	192.168.2.10
Feb 15, 2024 12:08:54.123836040 CET	80	49719	103.224.212.213	192.168.2.10
Feb 15, 2024 12:08:54.124011040 CET	49719	80	192.168.2.10	103.224.212.213
Feb 15, 2024 12:08:54.124011040 CET	49719	80	192.168.2.10	103.224.212.213
Feb 15, 2024 12:08:54.273598909 CET	80	49719	103.224.212.213	192.168.2.10
Feb 15, 2024 12:09:35.381454945 CET	49720	80	192.168.2.10	13.248.169.48
Feb 15, 2024 12:09:35.485445023 CET	80	49720	13.248.169.48	192.168.2.10
Feb 15, 2024 12:09:35.485599995 CET	49720	80	192.168.2.10	13.248.169.48
Feb 15, 2024 12:09:35.485728979 CET	49720	80	192.168.2.10	13.248.169.48
Feb 15, 2024 12:09:35.587097883 CET	80	49720	13.248.169.48	192.168.2.10
Feb 15, 2024 12:09:35.607244968 CET	80	49720	13.248.169.48	192.168.2.10
Feb 15, 2024 12:09:35.607276917 CET	80	49720	13.248.169.48	192.168.2.10
Feb 15, 2024 12:09:35.607448101 CET	49720	80	192.168.2.10	13.248.169.48
Feb 15, 2024 12:09:35.607566118 CET	49720	80	192.168.2.10	13.248.169.48
Feb 15, 2024 12:09:35.612262011 CET	80	49720	13.248.169.48	192.168.2.10
Feb 15, 2024 12:09:35.612364054 CET	49720	80	192.168.2.10	13.248.169.48
Feb 15, 2024 12:09:35.709841967 CET	80	49720	13.248.169.48	192.168.2.10
Feb 15, 2024 12:09:55.749716043 CET	49721	80	192.168.2.10	3.33.130.190
Feb 15, 2024 12:09:55.851274967 CET	80	49721	3.33.130.190	192.168.2.10
Feb 15, 2024 12:09:55.851381063 CET	49721	80	192.168.2.10	3.33.130.190
Feb 15, 2024 12:09:55.854945898 CET	49721	80	192.168.2.10	3.33.130.190
Feb 15, 2024 12:09:55.956521988 CET	80	49721	3.33.130.190	192.168.2.10
Feb 15, 2024 12:09:55.973001957 CET	80	49721	3.33.130.190	192.168.2.10
Feb 15, 2024 12:09:55.973026037 CET	80	49721	3.33.130.190	192.168.2.10
Feb 15, 2024 12:09:55.973125935 CET	49721	80	192.168.2.10	3.33.130.190
Feb 15, 2024 12:09:55.973169088 CET	49721	80	192.168.2.10	3.33.130.190
Feb 15, 2024 12:09:55.980389118 CET	80	49721	3.33.130.190	192.168.2.10
Feb 15, 2024 12:09:55.980448008 CET	49721	80	192.168.2.10	3.33.130.190
Feb 15, 2024 12:09:56.076412916 CET	80	49721	3.33.130.190	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 15, 2024 12:06:50.534356117 CET	56835	53	192.168.2.10	1.1.1.1
Feb 15, 2024 12:06:50.763231039 CET	53	56835	1.1.1.1	192.168.2.10
Feb 15, 2024 12:07:09.752698898 CET	51223	53	192.168.2.10	1.1.1.1
Feb 15, 2024 12:07:09.932013988 CET	53	51223	1.1.1.1	192.168.2.10
Feb 15, 2024 12:07:31.330414057 CET	63711	53	192.168.2.10	1.1.1.1
Feb 15, 2024 12:07:31.519519091 CET	53	63711	1.1.1.1	192.168.2.10
Feb 15, 2024 12:07:51.517775059 CET	65359	53	192.168.2.10	1.1.1.1
Feb 15, 2024 12:08:11.908612013 CET	52306	53	192.168.2.10	1.1.1.1
Feb 15, 2024 12:08:12.070084095 CET	53	52306	1.1.1.1	192.168.2.10
Feb 15, 2024 12:08:33.187056065 CET	57356	53	192.168.2.10	1.1.1.1
Feb 15, 2024 12:08:33.354953051 CET	53	57356	1.1.1.1	192.168.2.10
Feb 15, 2024 12:08:53.564917088 CET	64150	53	192.168.2.10	1.1.1.1
Feb 15, 2024 12:08:53.811075926 CET	53	64150	1.1.1.1	192.168.2.10
Feb 15, 2024 12:09:35.209062099 CET	54169	53	192.168.2.10	1.1.1.1
Feb 15, 2024 12:09:35.380368948 CET	53	54169	1.1.1.1	192.168.2.10
Feb 15, 2024 12:09:55.567428112 CET	65146	53	192.168.2.10	1.1.1.1
Feb 15, 2024 12:09:55.748439074 CET	53	65146	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 15, 2024 12:06:50.534356117 CET	192.168.2.10	1.1.1.1	0xe09c	Standard query (0)	www.deespresence.com	A (IP address)	IN (0x0001)	false
Feb 15, 2024 12:07:09.752698898 CET	192.168.2.10	1.1.1.1	0xd332	Standard query (0)	www.first-solution.online	A (IP address)	IN (0x0001)	false
Feb 15, 2024 12:07:31.330414057 CET	192.168.2.10	1.1.1.1	0x5375	Standard query (0)	www.anti-theft-device-82641.bond	A (IP address)	IN (0x0001)	false
Feb 15, 2024 12:07:51.517775059 CET	192.168.2.10	1.1.1.1	0x9110	Standard query (0)	www.erxkula.shop	A (IP address)	IN (0x0001)	false
Feb 15, 2024 12:08:11.908612013 CET	192.168.2.10	1.1.1.1	0x864b	Standard query (0)	www.tobegoodlife.net	A (IP address)	IN (0x0001)	false
Feb 15, 2024 12:08:33.187056065 CET	192.168.2.10	1.1.1.1	0x7596	Standard query (0)	www.boostyourselftoday.com	A (IP address)	IN (0x0001)	false
Feb 15, 2024 12:08:53.564917088 CET	192.168.2.10	1.1.1.1	0x6b93	Standard query (0)	www.yassa-hany.online	A (IP address)	IN (0x0001)	false
Feb 15, 2024 12:09:35.209062099 CET	192.168.2.10	1.1.1.1	0x2699	Standard query (0)	www.gourmetfoodfactory.com	A (IP address)	IN (0x0001)	false
Feb 15, 2024 12:09:55.567428112 CET	192.168.2.10	1.1.1.1	0xacec	Standard query (0)	www.rdlva.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 15, 2024 12:06:50.763231039 CET	1.1.1.1	192.168.2.10	0xe09c	No error (0)	www.deespresence.com		91.195.240.117	A (IP address)	IN (0x0001)	false
Feb 15, 2024 12:07:09.932013988 CET	1.1.1.1	192.168.2.10	0xd332	No error (0)	www.first-solution.online	first-solution.online		CNAME (Canonical name)	IN (0x0001)	false
Feb 15, 2024 12:07:09.932013988 CET	1.1.1.1	192.168.2.10	0xd332	No error (0)	first-solution.online		3.33.130.190	A (IP address)	IN (0x0001)	false
Feb 15, 2024 12:07:09.932013988 CET	1.1.1.1	192.168.2.10	0xd332	No error (0)	first-solution.online		15.197.148.33	A (IP address)	IN (0x0001)	false
Feb 15, 2024 12:07:31.519519091 CET	1.1.1.1	192.168.2.10	0x5375	No error (0)	www.anti-theft-device-82641.bond		104.247.82.92	A (IP address)	IN (0x0001)	false
Feb 15, 2024 12:07:52.227705002 CET	1.1.1.1	192.168.2.10	0x9110	No error (0)	www.erxkula.shop	vip.imcart.shop		CNAME (Canonical name)	IN (0x0001)	false
Feb 15, 2024 12:07:52.227705002 CET	1.1.1.1	192.168.2.10	0x9110	No error (0)	vip.imcart.shop	vip.imcart.shop.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false
Feb 15, 2024 12:08:12.070084095 CET	1.1.1.1	192.168.2.10	0x864b	No error (0)	www.tobegoodlife.net		91.195.240.117	A (IP address)	IN (0x0001)	false
Feb 15, 2024 12:08:33.354953051 CET	1.1.1.1	192.168.2.10	0x7596	No error (0)	www.boostyourselftoday.com	boostyourselftoday.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 15, 2024 12:08:33.354953051 CET	1.1.1.1	192.168.2.10	0x7596	No error (0)	boostyourselftoday.com		172.104.233.69	A (IP address)	IN (0x0001)	false
Feb 15, 2024 12:08:53.811075926 CET	1.1.1.1	192.168.2.10	0x6b93	No error (0)	www.yassa-hany.online		103.224.212.213	A (IP address)	IN (0x0001)	false
Feb 15, 2024 12:09:35.380368948 CET	1.1.1.1	192.168.2.10	0x2699	No error (0)	www.gourmetfoodfactory.com		13.248.169.48	A (IP address)	IN (0x0001)	false
Feb 15, 2024 12:09:35.380368948 CET	1.1.1.1	192.168.2.10	0x2699	No error (0)	www.gourmetfoodfactory.com		76.223.54.146	A (IP address)	IN (0x0001)	false
Feb 15, 2024 12:09:55.748439074 CET	1.1.1.1	192.168.2.10	0xacec	No error (0)	www.rdlva.com	rdlva.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 15, 2024 12:09:55.748439074 CET	1.1.1.1	192.168.2.10	0xacec	No error (0)	rdlva.com		3.33.130.190	A (IP address)	IN (0x0001)	false
Feb 15, 2024 12:09:55.748439074 CET	1.1.1.1	192.168.2.10	0xacec	No error (0)	rdlva.com		15.197.148.33	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.deespresence.com

www.first-solution.online

www.anti-theft-device-82641.bond

www.tobegoodlife.net

www.boostyourselftoday.com

www.yassa-hany.online

www.gourmetfoodfactory.com

www.rdlva.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49712	91.195.240.117	80	3968	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Feb 15, 2024 12:06:50.973273993 CET	174	OUT	GET /pz08/?mzrPV4R=mxdTlzLD7R2wREPHHt3at4Gpr92+eFouLLpunB54pJiVolXtAgiSpNVnugXBmdY6T59Y&Rl=8pFP0r98Chvt5p5P HTTP/1.1 Host: www.deespresence.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49714	3.33.130.190	80	3968	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Feb 15, 2024 12:07:10.035583019 CET	179	OUT	GET /pz08/?mzrPV4R=etofVVeG6jH3REbkxKWYpV64ElMartPom1s3O4G0OaAMWkudRp1A+A5HBO7QLbRw3W/6&Rl=8pFP0r98Chvt5p5P HTTP/1.1 Host: www.first-solution.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 15, 2024 12:07:10.154119015 CET	322	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Thu, 15 Feb 2024 11:07:10 GMT Content-Type: text/plain Content-Length: 0 Connection: close Location: https://www.first-solution.online/pz08/?mzrPV4R=etofVVeG6jH3REbkxKWYpV64ElMartPom1s3O4G0OaAMWkudRp1A+A5HBO7QLbRw3W/6&Rl=8pFP0r98Chvt5p5P ETag: "65ca405c-0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49715	104.247.82.92	80	3968	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Feb 15, 2024 12:07:31.796088934 CET	186	OUT	GET /pz08/?mzrPV4R=w4iQQzmLgtkynP17ZMB2mbFkkIU6TbnESYYIzY5jx7ngWWHQ4I+nKrEmnl21fB9XO+Mu&Rl=8pFP0r98Chvt5p5P HTTP/1.1 Host: www.anti-theft-device-82641.bond Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 15, 2024 12:07:31.933535099 CET	289	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Thu, 15 Feb 2024 11:07:31 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49717	91.195.240.117	80	3968	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Feb 15, 2024 12:08:12.279647112 CET	174	OUT	GET /pz08/?mzrPV4R=rNKgyUfibZYi2jFMK108bKnky+14wNxwM8NnE8KsHa7VIqkijrw0P4oWcpuZrVGnm++1&Rl=8pFP0r98Chvt5p5P HTTP/1.1 Host: www.tobegoodlife.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 15, 2024 12:08:12.538943052 CET	1286	IN	HTTP/1.1 200 OK date: Thu, 15 Feb 2024 11:08:12 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding x-powered-by: PHP/8.1.17 expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_fQU0KYqnpO9Xn7m905f5lRaoC8+5E+lrEtJ5FGkS91szJQRnQ+g+igB66VDlBLriRwc/v/yBMkTSY4KSBj6pEw== last-modified: Thu, 15 Feb 2024 11:08:12 GMT x-cache-miss-from: parking-6db66cd898-zn76h server: NginX connection: close Data Raw: 32 43 45 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 66 51 55 30 4b 59 71 6e 70 4f 39 58 6e 37 6d 39 30 35 66 35 6c 52 61 6f 43 38 2b 35 45 2b 6c 72 45 74 4a 35 46 47 6b 53 39 31 73 7a 4a 51 52 6e 51 2b 67 2b 69 67 42 36 36 56 44 6c 42 4c 72 69 52 77 63 2f 76 2f 79 42 4d 6b 54 53 59 34 4b 53 42 6a 36 70 45 77 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 74 6f 62 65 67 6f 6f 64 6c 69 66 65 2e 6e 65 74 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 74 6f 62 65 67 6f 6f 64 6c 69 66 65 20 52 65 73 6f 75 72 63 65 73 20 61 6e 64 20 49 6e 66 6f 72 6d 61 74 69 6f 6e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 74 6f 62 65 67 6f 6f 64 6c 69 66 65 2e 6e 65 74 20 69 73 20 79 6f 75 72 20 66 69 72 73 74 20 61 6e 64 20 62 65 73 74 20 73 6f 75 72 63 65 20 66 6f 72 20 61 6c 6c 20 6f 66 20 74 68 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 Data Ascii: 2CE<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_fQU0KYqnpO9Xn7m905f5lRaoC8+5E+lrEtJ5FGkS91szJQRnQ+g+igB66VDlBLriRwc/v/yBMkTSY4KSBj6pEw==><head><meta charset="utf-8"><title>tobegoodlife.net - tobegoodlife Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="tobegoodlife.net is your first and best source for all of the information youre looking for. Fr
Feb 15, 2024 12:08:12.538960934 CET	1286	IN	Data Raw: 6f 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 69 6e 64 20 68 65 72 65 2c 20 74 6f 62 65 67 6f 6f 64 6c 69 66 65 2e 6e 65 74 20 Data Ascii: om general topics to more of what you would expect to find here, tobegoodlife.net has it all. We hope you 1062find what you are searching for!"><link rel="icon" type="image/png" href="//img.sedoparking.com/templates
Feb 15, 2024 12:08:12.538973093 CET	1286	IN	Data Raw: 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 7d 73 75 62 7b 62 6f 74 74 6f 6d 3a 2d 30 2e 32 35 65 6d 7d 73 75 70 7b 74 6f 70 3a 2d 30 2e 35 65 6d 7d 61 75 64 69 6f 2c 76 69 64 65 6f 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c Data Ascii: cal-align:baseline}sub{bottom:-0.25em}sup{top:-0.5em}audio,video{display:inline-block}audio:not([controls]){display:none;height:0}img{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,select,textarea{font-family:sans-serif
Feb 15, 2024 12:08:12.539007902 CET	1286	IN	Data Raw: 65 62 6b 69 74 2d 61 70 70 65 61 72 61 6e 63 65 3a 62 75 74 74 6f 6e 3b 66 6f 6e 74 3a 69 6e 68 65 72 69 74 7d 64 65 74 61 69 6c 73 2c 6d 65 6e 75 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 7d 73 75 6d 6d 61 72 79 7b 64 69 73 70 6c 61 79 3a 6c 69 Data Ascii: ebkit-appearance:button;font:inherit}details,menu{display:block}summary{display:list-item}canvas{display:inline-block}template{display:none}[hidden]{display:none}.announcement{background:#313131;text-align:center;padding:0 5px}.announcement p{
Feb 15, 2024 12:08:12.539020061 CET	1286	IN	Data Raw: 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 69 6d 61 67 65 7b 63 6f 6e 74 65 6e 74 3a 75 72 6c 28 22 2f 2f 69 6d 67 2e 73 65 64 6f 70 61 72 6b 69 6e 67 Data Ascii: inline-block}.two-tier-ads-list__list-element-image{content:url("//img.sedoparking.com/templates/images/bullet_justads.gif");float:left;padding-top:32px}.two-tier-ads-list__list-element-content{display:inline-block}.two-tier-ads-list__list-ele
Feb 15, 2024 12:08:12.539061069 CET	571	IN	Data Raw: 69 76 65 2d 62 6c 6f 63 6b 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 3a 66 6f 63 75 73 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 62 75 79 62 6f 78 7b 74 65 78 Data Ascii: ive-block__list-element-link:focus{text-decoration:underline}.container-buybox{text-align:center}.container-buybox__content-buybox{display:inline-block;text-align:left}.container-buybox__content-heading{font-size:15px}.container-buybox__conten
Feb 15, 2024 12:08:12.539074898 CET	1286	IN	Data Raw: 31 35 46 32 0d 0a 6c 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 73 65 61 72 63 68 62 6f 78 5f 5f 69 6e 70 75 74 2c 2e 63 6f 6e 74 61 69 6e 65 72 2d 73 65 61 72 63 68 62 6f 78 5f 5f 62 75 74 74 6f 6e 7b 62 6f 72 64 Data Ascii: 15F2l{display:none}.container-searchbox__input,.container-searchbox__button{border:0 none}.container-searchbox__button{cursor:pointer;font-size:12px;margin-left:15px;border:0 none;padding:2px 8px;color:#638296}.container-disclaimer{text-alig
Feb 15, 2024 12:08:12.539087057 CET	1286	IN	Data Raw: 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 69 6e 74 65 72 61 63 74 69 76 65 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 3b 6d 61 72 67 69 6e 3a 30 20 31 35 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 70 78 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f Data Ascii: ge__content-interactive{text-align:left;margin:0 15px;font-size:10px}.container-cookie-message__content-interactive-header,.container-cookie-message__content-interactive-text{color:#fff}.container-cookie-message__content-interactive-header{fon
Feb 15, 2024 12:08:12.539105892 CET	1286	IN	Data Raw: 74 69 6f 6e 3a 6e 6f 6e 65 3b 63 75 72 73 6f 72 3a 70 6f 69 6e 74 65 72 3b 6d 61 72 67 69 6e 3a 35 70 78 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 2e 33 73 7d 2e 62 74 6e 2d 2d 73 75 63 63 65 73 73 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a Data Ascii: tion:none;cursor:pointer;margin:5px;transition:.3s}.btn--success{background-color:#218838;border-color:#218838;color:#fff;font-size:x-large}.btn--success:hover{background-color:#1a6b2c;border-color:#1a6b2c;color:#fff;font-size:x-large}.btn--su
Feb 15, 2024 12:08:12.539119959 CET	1286	IN	Data Raw: 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 35 30 25 7d 69 6e 70 75 74 3a 63 68 65 63 6b 65 64 2b 2e 73 77 69 74 63 68 5f 5f 73 6c 69 64 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 37 62 66 66 7d 69 6e 70 75 74 3a 66 6f 63 75 Data Ascii: order-radius:50%}input:checked+.switch__slider{background-color:#007bff}input:focus+.switch__slider{box-shadow:0 0 1px #007bff}input:checked+.switch__slider:before{-webkit-transform:translateX(26px);-ms-transform:translateX(26px);transform:tra
Feb 15, 2024 12:08:12.747560978 CET	1286	IN	Data Raw: 68 70 22 2c 22 73 65 61 72 63 68 50 61 72 61 6d 73 22 3a 7b 22 73 65 73 22 3a 22 59 33 4a 6c 50 54 45 33 4d 44 63 35 4f 54 55 79 4f 54 49 6d 64 47 4e 70 5a 44 31 33 64 33 63 75 64 47 39 69 5a 57 64 76 62 32 52 73 61 57 5a 6c 4c 6d 35 6c 64 44 59 Data Ascii: hp","searchParams":{"ses":"Y3JlPTE3MDc5OTUyOTImdGNpZD13d3cudG9iZWdvb2RsaWZlLm5ldDY1Y2RmMDljNjMxZGQ0LjQ4MjIxNzk4JnRhc2s9c2VhcmNoJmRvbWFpbj10b2JlZ29vZGxpZmUubmV0JmFfaWQ9MSZzZXNzaW9uPTMwYmRweVBwQVlaa3o0WUdxNW1tJnRyYWNrcXVlcnk9MQ=="},"imprintUrl":

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49718	172.104.233.69	80	3968	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Feb 15, 2024 12:08:33.578229904 CET	180	OUT	GET /pz08/?mzrPV4R=0FaXmte0/P3knfwA0sMIwS1mD7E8vQQWGPcDD9zpFFyhOAUFaj5MXy9fjN2AdDBFU3yO&Rl=8pFP0r98Chvt5p5P HTTP/1.1 Host: www.boostyourselftoday.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 15, 2024 12:08:33.891448021 CET	449	IN	HTTP/1.1 301 Moved Permanently Connection: close expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 content-type: text/html; charset=UTF-8 x-redirect-by: WordPress location: http://boostyourselftoday.com/pz08/?mzrPV4R=0FaXmte0/P3knfwA0sMIwS1mD7E8vQQWGPcDD9zpFFyhOAUFaj5MXy9fjN2AdDBFU3yO&Rl=8pFP0r98Chvt5p5P content-length: 0 date: Thu, 15 Feb 2024 11:08:33 GMT server: LiteSpeed vary: User-Agent

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49719	103.224.212.213	80	3968	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Feb 15, 2024 12:08:53.961817980 CET	175	OUT	GET /pz08/?mzrPV4R=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuMVpBqNDhq+c&Rl=8pFP0r98Chvt5p5P HTTP/1.1 Host: www.yassa-hany.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 15, 2024 12:08:54.123760939 CET	439	IN	HTTP/1.1 302 Found date: Thu, 15 Feb 2024 11:08:54 GMT server: Apache set-cookie: __tad=1707995334.4071463; expires=Sun, 12-Feb-2034 11:08:54 GMT; Max-Age=315360000 location: http://ww25.yassa-hany.online/pz08/?mzrPV4R=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuMVpBqNDhq+c&Rl=8pFP0r98Chvt5p5P&subid1=20240215-2208-541a-895d-81c3921a8390 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49720	13.248.169.48	80	3968	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Feb 15, 2024 12:09:35.485728979 CET	180	OUT	GET /pz08/?mzrPV4R=YXUHyuzV9xL0ASV6xbcNd1qnDMoomLXuS1YqahB0JTuNzOlGIgIKnXH69pHGKPL64RNK&Rl=8pFP0r98Chvt5p5P HTTP/1.1 Host: www.gourmetfoodfactory.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 15, 2024 12:09:35.607244968 CET	166	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Thu, 15 Feb 2024 11:09:35 GMT Content-Type: text/plain Content-Length: 0 Connection: close ETag: "65ca405c-0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49721	3.33.130.190	80	3968	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Feb 15, 2024 12:09:55.854945898 CET	167	OUT	GET /pz08/?mzrPV4R=sHUCYmOOLAoNE4y8/5cjc5MBwdY8WEAoN/4wEGeHNPnX/dfJjUbL6GitjPFCVlt2AKTz&Rl=8pFP0r98Chvt5p5P HTTP/1.1 Host: www.rdlva.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 15, 2024 12:09:55.973001957 CET	310	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Thu, 15 Feb 2024 11:09:55 GMT Content-Type: text/plain Content-Length: 0 Connection: close Location: https://www.rdlva.com/pz08/?mzrPV4R=sHUCYmOOLAoNE4y8/5cjc5MBwdY8WEAoN/4wEGeHNPnX/dfJjUbL6GitjPFCVlt2AKTz&Rl=8pFP0r98Chvt5p5P ETag: "65ca405c-0"

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x81 0x1E 0xE6
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x89 0x9E 0xE6
GetMessageW	INLINE	0x48 0x8B 0xB8 0x89 0x9E 0xE6
GetMessageA	INLINE	0x48 0x8B 0xB8 0x81 0x1E 0xE6

Target ID:	2
Start time:	12:06:03
Start date:	15/02/2024
Path:	C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe
Imagebase:	0x680000
File size:	620'544 bytes
MD5 hash:	244606ADB1918CD7F50048A8EC6F5D1C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1365377346.0000000003DCE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1365377346.0000000003DCE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1365377346.0000000003DCE000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1365377346.0000000003DCE000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1365377346.0000000003DCE000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:06:09
Start date:	15/02/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe
Imagebase:	0xb0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:06:09
Start date:	15/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:06:09
Start date:	15/02/2024
Path:	C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe
Imagebase:	0xa90000
File size:	620'544 bytes
MD5 hash:	244606ADB1918CD7F50048A8EC6F5D1C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:06:09
Start date:	15/02/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff609fd0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000007.00000002.3788521267.0000000010F75000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	12:06:12
Start date:	15/02/2024
Path:	C:\Windows\SysWOW64\wlanext.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wlanext.exe
Imagebase:	0x830000
File size:	78'336 bytes
MD5 hash:	0D5F0A7CA2A8A47E3A26FB1CB67E118C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.3769847094.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3769847094.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.3769847094.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.3769847094.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.3769847094.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.3769632843.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3769632843.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.3769632843.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.3769632843.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.3769632843.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	12:06:16
Start date:	15/02/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\Documento de confirmacion de orden de compra OC 1580070060.exe"
Imagebase:	0xd70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:06:16
Start date:	15/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.8%
Total number of Nodes:	234
Total number of Limit Nodes:	12

Executed Functions

Function 04FC476A Relevance: 5.4, Strings: 4, Instructions: 422
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

_, xrefs: 04FC4966
K, xrefs: 04FC49B6
#, xrefs: 04FC48C0
%, xrefs: 04FC4922

Memory Dump Source

Source File: 00000002.00000002.1367158544.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4fc0000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: #$%$K$_
API String ID: 0-2944855200
Opcode ID: 0d315b580326c6a458d098fe7c64e12c88d5a4eaf074863328708360b117ab1f
Instruction ID: 83887db8f28b8810cb30d0e345106e07c28b40499d3c9937e7fc4d27cb957fca
Opcode Fuzzy Hash: 0d315b580326c6a458d098fe7c64e12c88d5a4eaf074863328708360b117ab1f
Instruction Fuzzy Hash: 38127D34900705CFDB51DF64C880B9AB7B2FF85304F54C5A9D8096F266DBB1A98ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 04FC4778 Relevance: 5.4, Strings: 4, Instructions: 417
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

_, xrefs: 04FC4966
K, xrefs: 04FC49B6
#, xrefs: 04FC48C0
%, xrefs: 04FC4922

Memory Dump Source

Source File: 00000002.00000002.1367158544.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4fc0000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: #$%$K$_
API String ID: 0-2944855200
Opcode ID: f24df58b28610b9b89bf88d0260e5168d6951e0fd0bd20e4d897b4099f170db7
Instruction ID: 683a5c2679f622ea794f299aa953f3e829287e02ec7930ec80796206107a60b0
Opcode Fuzzy Hash: f24df58b28610b9b89bf88d0260e5168d6951e0fd0bd20e4d897b4099f170db7
Instruction Fuzzy Hash: 00127D34A00705CFDB51DF64C880B9AB7B2FF85304F54C5A9D8096F266DBB1A98ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 01086FE0 Relevance: 1.5, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

B0p2, xrefs: 010871E3

Memory Dump Source

Source File: 00000002.00000002.1363253215.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1080000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: B0p2
API String ID: 0-3554312780
Opcode ID: 4e082ac864f316a81cde86815d5aa7a42c26ca3c4270f66da05cf8a67e478e01
Instruction ID: 2a8292a0847eba979d6ae302a46892280056c37dc079b1984eb03724a7715149
Opcode Fuzzy Hash: 4e082ac864f316a81cde86815d5aa7a42c26ca3c4270f66da05cf8a67e478e01
Instruction Fuzzy Hash: 75711AB8E4010E9FDF54DFA9D584AAEBBF1FB89300F20A555D412EB294DB31A941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01087318 Relevance: 1.0, Instructions: 959COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1363253215.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1080000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78ae0ef05aaa4d0320b0045912d8fd6432d0b5de5d500c8f2de4442425787312
Instruction ID: e4b029f8f6b29e8d940651aa278866113039390f337e4b6b6447f88c619b83b0
Opcode Fuzzy Hash: 78ae0ef05aaa4d0320b0045912d8fd6432d0b5de5d500c8f2de4442425787312
Instruction Fuzzy Hash: 26829D75E042298FCB15DF69D8906ADBBF2FF88300F24C569E099EB359D734A941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04FC7748 Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367158544.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4fc0000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80cba50259912a0812268af5f6b3cd10b12dc2ea0057e7e7be624ec87f064b37
Instruction ID: 9ee3ea0189888033848578c27d112435c4861362a91b5e817fe907a1986dbe21
Opcode Fuzzy Hash: 80cba50259912a0812268af5f6b3cd10b12dc2ea0057e7e7be624ec87f064b37
Instruction Fuzzy Hash: 59221A31E0025A8FDB54DF69C9847ADB7B1FF89304F1485A9D44AEB255EB30AD86CF40

Uniqueness

Uniqueness Score: -1.00%

Function 01087306 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1363253215.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1080000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d39dec0a9734ff5c725558b5d723b47c48cabd11b41ff32ed5355477ee1c8c
Instruction ID: 902bf52bcfd68543921187ef9ac906c31a03795f79b1a30097cbb731839dd1a5
Opcode Fuzzy Hash: 20d39dec0a9734ff5c725558b5d723b47c48cabd11b41ff32ed5355477ee1c8c
Instruction Fuzzy Hash: 14D1AE75E001298FDB25DF79D8506AEB7F2BFC8300F118669E486EB359DB34A9018F90

Uniqueness

Uniqueness Score: -1.00%

Function 01087352 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1363253215.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1080000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d25f1443b0d1cc4e11ea0f8c68fda1f3154fab4501459d9fb8719402b7124c
Instruction ID: e18455465c7074ec379e0c28c90c37a993368c120f6b442474731da21c470755
Opcode Fuzzy Hash: 45d25f1443b0d1cc4e11ea0f8c68fda1f3154fab4501459d9fb8719402b7124c
Instruction Fuzzy Hash: C2D18C75E001298FDB25DFB9D8506AEB7F2BFC8300F118669E446EB359DB74A901CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010883E2 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1363253215.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1080000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2debcb87b337a918bb037646e64745cf5d8fc9431758f3de397f4bd7b39eab95
Instruction ID: 98553b7bc386995d631dc885815aaaee71c8f6b914c4cef8d58bdc4cbb7387f8
Opcode Fuzzy Hash: 2debcb87b337a918bb037646e64745cf5d8fc9431758f3de397f4bd7b39eab95
Instruction Fuzzy Hash: 0B814B32F101249FD754EB6DD880A9EB7E3AFC8710B5AC1A9E459EB356DE74DC018B80

Uniqueness

Uniqueness Score: -1.00%

Function 01088491 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1363253215.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1080000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7c52793e372515dc47d0354c0089932db87474d17cb73c8a591a7c856ec1d84
Instruction ID: 6fcda661a12ce0f5bb1de8fba766de1e082ff6f6a2fc7e5c10f83bb367c27d61
Opcode Fuzzy Hash: f7c52793e372515dc47d0354c0089932db87474d17cb73c8a591a7c856ec1d84
Instruction Fuzzy Hash: B1612A32F105288FD754DB6DC880A5EB7E3AFC8710F5AC1A5E459AB35ADE74EC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 0703C699 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1369197587.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86796ce3a4f1d38592b7c5b158e91c2de7b16555fc064a7597d614e0909422ab
Instruction ID: cbf396ad0da07e5f2e129411ff39b9a4d2bc69384ae64006d845b41f4fb5ec76
Opcode Fuzzy Hash: 86796ce3a4f1d38592b7c5b158e91c2de7b16555fc064a7597d614e0909422ab
Instruction Fuzzy Hash: 5D711BB5D55219CBEB24CF66C8407EDB7FABF89300F10C2AAD409B6250EB705A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07035050 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1369197587.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c20bc881f06d65740dca08bbaed8d733236e1dccbb070eb735e36e5517e4970
Instruction ID: b56fe2844c05052631290862e19164946ce258804c73bd6f82db63db8132c097
Opcode Fuzzy Hash: 7c20bc881f06d65740dca08bbaed8d733236e1dccbb070eb735e36e5517e4970
Instruction Fuzzy Hash: 9331F6B0D04618CBDB08CFA6D8497EEBBFABF89300F04C52AD419AA264E7790945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0703503F Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1369197587.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a27e4f0eae330a5886d631957eb10a5990b6f8eeccea5455433c556690c72cba
Instruction ID: d85653ce52fe1f6f9a311f6ce14d009c005f2f7bab307f293be10f74fd51b5e6
Opcode Fuzzy Hash: a27e4f0eae330a5886d631957eb10a5990b6f8eeccea5455433c556690c72cba
Instruction Fuzzy Hash: 2C312AB1D04658CBDB09CFA6CC497DEBBF6BF89300F04C16AD419AA264EB790945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0108F9E8 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0108FA76
GetCurrentThread.KERNEL32 ref: 0108FAB3
GetCurrentProcess.KERNEL32 ref: 0108FAF0
GetCurrentThreadId.KERNEL32 ref: 0108FB49

Memory Dump Source

Source File: 00000002.00000002.1363253215.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1080000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d828587f38d4e9a9fefdede8b9b369131b5c7de3ad467d6f14d3aa55a180d03c
Instruction ID: 9f9a7e6b929c0dbebb6d2f63d3225e19086e435027fa0346e8c643552aeb5cf7
Opcode Fuzzy Hash: d828587f38d4e9a9fefdede8b9b369131b5c7de3ad467d6f14d3aa55a180d03c
Instruction Fuzzy Hash: C25186B0D003498FEB14DFAAD548BEEBBF1EF88310F248459D089A7360D7B49944CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0108F9F8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0108FA76
GetCurrentThread.KERNEL32 ref: 0108FAB3
GetCurrentProcess.KERNEL32 ref: 0108FAF0
GetCurrentThreadId.KERNEL32 ref: 0108FB49

Memory Dump Source

Source File: 00000002.00000002.1363253215.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1080000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f505d25c33c526761d9acd8803a3b27e56ac533aae3345624f7e9a7ce8d3d685
Instruction ID: 6a0e4ddc5813bc560196fbfc56b3a91353b197fce0d0e2de79d69316aa50d4fe
Opcode Fuzzy Hash: f505d25c33c526761d9acd8803a3b27e56ac533aae3345624f7e9a7ce8d3d685
Instruction Fuzzy Hash: 4D5165B1D003098FEB14DFAAD548BEEBBF1EF88314F248459E059A7360D7B46944CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0703AC52 Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0703AE8E

Memory Dump Source

Source File: 00000002.00000002.1369197587.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: cd69825378ba0da560a767ec53227bbb3856a24e7e04239aa1ded7af0a616dfe
Instruction ID: 18b2c9bdc3b268ec6dfa3fe81e1a5ec8b4ed912e17ae5deb3fe6cc2e18449d33
Opcode Fuzzy Hash: cd69825378ba0da560a767ec53227bbb3856a24e7e04239aa1ded7af0a616dfe
Instruction Fuzzy Hash: F0914CF1E007199FEB24CFA8C840BDDBBF6BB45310F148669E849A7240DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0703AC58 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0703AE8E

Memory Dump Source

Source File: 00000002.00000002.1369197587.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8725dfcd2e5e53ad4be4bde890fa61a1eacb7f9320c525016dfc812aa1ac24af
Instruction ID: a0ba8d2be44b24efebbb7dbeec58c62698dbde776844751700f371e5d04f3975
Opcode Fuzzy Hash: 8725dfcd2e5e53ad4be4bde890fa61a1eacb7f9320c525016dfc812aa1ac24af
Instruction Fuzzy Hash: 09915DF1E007199FEB24CF68C840BDDBBF6BB45310F148669E849A7240DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0108D359 Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0108D5BE

Memory Dump Source

Source File: 00000002.00000002.1363253215.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1080000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e3b3fb03fdc3720c0f24df5d40c75b779373778821e82bb1c97fdd447bdb730a
Instruction ID: 762a9efdb7565d95f1e9b39229c4532f5e145806148a7783d24d853088f470c6
Opcode Fuzzy Hash: e3b3fb03fdc3720c0f24df5d40c75b779373778821e82bb1c97fdd447bdb730a
Instruction Fuzzy Hash: BB8146B0A04B058FE764EF69D04179ABBF1FF88304F008A6DD58AD7A90DB74E945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 010858EC Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 010859A9

Memory Dump Source

Source File: 00000002.00000002.1363253215.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1080000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3fe0b52afd624c5f37884e6721aadb3ae8cb72a68b2a2ccf6880d5f44f212f5d
Instruction ID: c5f11e5e08de451ca29c066c32b34c3bd8d7546fbb89770a3d10d37cc0e66273
Opcode Fuzzy Hash: 3fe0b52afd624c5f37884e6721aadb3ae8cb72a68b2a2ccf6880d5f44f212f5d
Instruction Fuzzy Hash: A641E0B1C00719CBEB24DFA9C884BDEFBB5BF48304F20805AD449AB255DBB56945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 010844C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 010859A9

Memory Dump Source

Source File: 00000002.00000002.1363253215.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1080000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a0c2d10cf54e40785e7a8cd174506fbc030b65c2acd1b596dc3610162efb3318
Instruction ID: 9efb7469ebfe51807cbdc42883165ead7949765c4834f424de0749e51b44bd2f
Opcode Fuzzy Hash: a0c2d10cf54e40785e7a8cd174506fbc030b65c2acd1b596dc3610162efb3318
Instruction Fuzzy Hash: B241E0B0C04719CBEB24DFA9C884BDEBBB5BF49304F20806AD449AB251DBB16945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0703A9C8 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0703AA60

Memory Dump Source

Source File: 00000002.00000002.1369197587.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0af534e9795ba82ca0bb93dbb56aeb7b6ca85beab6fca0aa058f9e5f2d4ff5ea
Instruction ID: 5e79e08e86576bc90621d3af94981ccca2c6c18fabb2ed504089dbe4d01610ee
Opcode Fuzzy Hash: 0af534e9795ba82ca0bb93dbb56aeb7b6ca85beab6fca0aa058f9e5f2d4ff5ea
Instruction Fuzzy Hash: 08216BB6D003199FDB10CFA9C881BEEBBF5FF48310F148429E958A7250D7799944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0703A9D0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0703AA60

Memory Dump Source

Source File: 00000002.00000002.1369197587.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b6a2e2939c3395f0a6abf03d290a5430105b3c53b2304a7d19d24b9eb1ab283d
Instruction ID: e1b63851b699f16b436f53859b45d9b950777bf71bcc905c9e120674d8df4685
Opcode Fuzzy Hash: b6a2e2939c3395f0a6abf03d290a5430105b3c53b2304a7d19d24b9eb1ab283d
Instruction Fuzzy Hash: 402139B6D003199FDB10CFAAC980BEEBBF5FF48310F148429E958A7250D7799954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0703A830 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0703A8B6

Memory Dump Source

Source File: 00000002.00000002.1369197587.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: dbe8f3c84928abf3a2ae8259bd2748cb0208aeab0f93830ebb95a5361a14c135
Instruction ID: 28d2c8a3d60dfb30b13535cef16a605aebcff7515d9e96b47494dba0ef57a22d
Opcode Fuzzy Hash: dbe8f3c84928abf3a2ae8259bd2748cb0208aeab0f93830ebb95a5361a14c135
Instruction Fuzzy Hash: 662139B5D003098FDB10DFAAC4857EEBBF5EF48320F148429D459A7241C7789945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0703AABA Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0703AB40

Memory Dump Source

Source File: 00000002.00000002.1369197587.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 79fc32547a389d426c94b10ba9a0238f42800d56f3f39d6853a2210afd3cc98a
Instruction ID: ee18947a1e429ed61c5f8aeb70f9f2ea47650865317f31c10211fc7cee395eb4
Opcode Fuzzy Hash: 79fc32547a389d426c94b10ba9a0238f42800d56f3f39d6853a2210afd3cc98a
Instruction Fuzzy Hash: 662139B2D003599FDB10DFAAC840BEEBBF5FF48310F148429E558A7250C7799940CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0703AAC0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0703AB40

Memory Dump Source

Source File: 00000002.00000002.1369197587.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ba3cf72ad38a2531d02524fee08c67c405df0aacbc6a145dd61f5f4ac8961fc2
Instruction ID: 0a43b12de9ec9c84a020d7a5fb7ded893c50efc2d78c8c99ed52ee550019b96f
Opcode Fuzzy Hash: ba3cf72ad38a2531d02524fee08c67c405df0aacbc6a145dd61f5f4ac8961fc2
Instruction Fuzzy Hash: 482114B1D003599FDB10DFAAC880BEEBBF5FF48310F14842AE958A7251C7799944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0703A838 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0703A8B6

Memory Dump Source

Source File: 00000002.00000002.1369197587.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e9e5bfe8b6be7236f7750af47f9983e1d06072d10f54309e0369a964b190acd4
Instruction ID: 1add58fbc6098cfe4f07e557eec016a0b6ca0192f87e55a072ed3bb2eb5c2409
Opcode Fuzzy Hash: e9e5bfe8b6be7236f7750af47f9983e1d06072d10f54309e0369a964b190acd4
Instruction Fuzzy Hash: 592137B1D003098FDB10DFAAC4847EEBBF5EF48320F148429D459A7240C7789945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0108FC40 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0108FCC7

Memory Dump Source

Source File: 00000002.00000002.1363253215.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1080000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d4e46f1063ac4f37cabdf9d27d00ad223a1dbeb21e3216ec473c607739338f12
Instruction ID: c59b599cac840a63ed939fad053b36f7d970d3d9b247e5ff60c7d4ca3e3c0a83
Opcode Fuzzy Hash: d4e46f1063ac4f37cabdf9d27d00ad223a1dbeb21e3216ec473c607739338f12
Instruction Fuzzy Hash: 3A21E2B5D003099FDB10CFAAD984ADEBBF8FB48310F14841AE958A3350D375A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0703A90A Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0703A97E

Memory Dump Source

Source File: 00000002.00000002.1369197587.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ba4db3925a5fe9d98be269c66746fc33193b40cafb29c90e0c2138275a19ca0a
Instruction ID: 97fd54c8b282424cc9edc58838c7c159045859c7892c8d3ddea74d39ad2c2a78
Opcode Fuzzy Hash: ba4db3925a5fe9d98be269c66746fc33193b40cafb29c90e0c2138275a19ca0a
Instruction Fuzzy Hash: 9B115CB69003499FDB20DFAAC844BDFBBF5EF48314F148419E555A7250C7759540CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0108C728 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0108D639,00000800,00000000,00000000), ref: 0108D84A

Memory Dump Source

Source File: 00000002.00000002.1363253215.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1080000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9302a1a8b2d893f0ac45c021cf6bdd47fa29e5fa4250292ce0fca3847e950eea
Instruction ID: 40dbc038b91e3082d763c63bdb35a869846a750eadc17d999dd64500ab4227d4
Opcode Fuzzy Hash: 9302a1a8b2d893f0ac45c021cf6bdd47fa29e5fa4250292ce0fca3847e950eea
Instruction Fuzzy Hash: 561133B6D043098FDB20DF9AD444BDEFBF4EB48310F10842AD959A7240C3B5A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0108D7D8 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0108D639,00000800,00000000,00000000), ref: 0108D84A

Memory Dump Source

Source File: 00000002.00000002.1363253215.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1080000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b9ccf17001c639e555a1bbbe61d0cad93d59d07a310415ac90585a8150fbbde2
Instruction ID: 689faec5513528ce1723a7b3d8d778afcd0b452c7581d886acc710df97e1e252
Opcode Fuzzy Hash: b9ccf17001c639e555a1bbbe61d0cad93d59d07a310415ac90585a8150fbbde2
Instruction Fuzzy Hash: B71112B6D003098FDB14DF9AD444BDEFBF5EB88320F10852AD969A7240C3B5A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0703A910 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0703A97E

Memory Dump Source

Source File: 00000002.00000002.1369197587.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 85dfb33567d914743c4f33407362ed0f223d2f5c7df0d6476095e7a4a2df2ef0
Instruction ID: 072b2578703c9836e80f4118689f8c4a6037a1144dfb959e434698c35655dd9f
Opcode Fuzzy Hash: 85dfb33567d914743c4f33407362ed0f223d2f5c7df0d6476095e7a4a2df2ef0
Instruction Fuzzy Hash: 8A113AB69003499FDB20DFAAC844BDFBBF5EF48310F148419E555A7250C7799944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0703A782 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0703A7EA

Memory Dump Source

Source File: 00000002.00000002.1369197587.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5cb39b3d0e98b26b31d0ab33025971c996b54c56e94ce73f5a3f994e98041ad5
Instruction ID: b14a032876fb41777bbeecd979b56d0a55fcd3abf48e1f7fca4973c460ac188e
Opcode Fuzzy Hash: 5cb39b3d0e98b26b31d0ab33025971c996b54c56e94ce73f5a3f994e98041ad5
Instruction Fuzzy Hash: AD116DB5D003488FDB20DFAAC4457DEFBF5EF88324F248419D415A7240CB75A945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0703A788 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0703A7EA

Memory Dump Source

Source File: 00000002.00000002.1369197587.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ab2b82be3ab0f882ad7ae033db5788b5896e9f2cf49cddab78f9e6557a7a4ac7
Instruction ID: 8b3fa8d107c50bb321d7e52d344608c7feb28bbd4e961b4aed894805363e6d12
Opcode Fuzzy Hash: ab2b82be3ab0f882ad7ae033db5788b5896e9f2cf49cddab78f9e6557a7a4ac7
Instruction Fuzzy Hash: 74113AB5D003498FDB24DFAAC4447DEFBF9EF88320F248419D459A7250C7756945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0703BABC Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0703D885

Memory Dump Source

Source File: 00000002.00000002.1369197587.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0a135f1014ef76018b87b95c615e9fb4399425c4ccab4dcab7cae86cc36cff91
Instruction ID: 6b24159e67f20190f3c7a768b39fe299a3fb7c30879385de2fe3015f862f51ac
Opcode Fuzzy Hash: 0a135f1014ef76018b87b95c615e9fb4399425c4ccab4dcab7cae86cc36cff91
Instruction Fuzzy Hash: CB1106B59003499FDB10DF9AC844BEEBBF8EB48310F108459E558A7210D375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0108D558 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0108D5BE

Memory Dump Source

Source File: 00000002.00000002.1363253215.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1080000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f852f75f33817a0e49d30ee4c83b65a3193a2d31127b5cfad55ab094e152863a
Instruction ID: 32f82d5869ffac8d23306bab1e750acef458147efcae7e23f10f327d5f73cec6
Opcode Fuzzy Hash: f852f75f33817a0e49d30ee4c83b65a3193a2d31127b5cfad55ab094e152863a
Instruction Fuzzy Hash: 021110B6C003498FDB20DF9AC444BDEFBF4EB88314F10852AD868A7650D375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0703D822 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0703D885

Memory Dump Source

Source File: 00000002.00000002.1369197587.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8ef92c6ed3111c5728a3b3b33e053ac4f8081fe8c265b5dca54fbadb65a11c5d
Instruction ID: ef7c1920bb64a9139470f8ef5e63cda02a61a4d231824916edd98ad2a2e9a984
Opcode Fuzzy Hash: 8ef92c6ed3111c5728a3b3b33e053ac4f8081fe8c265b5dca54fbadb65a11c5d
Instruction Fuzzy Hash: 8E1106B68003499FDB10CF9AD845BDEBBF8EB48314F108419E558A7650C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EAD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1362574518.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ead000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f71e1a7cbadf17b265347cb3bbd2f0872dfe4771fb2a9bb3b635009ce69ef9c4
Instruction ID: c30f581fc5c21b3462d16fdc6bab9d94565fa6ba8aa86e688816934f12b8bacb
Opcode Fuzzy Hash: f71e1a7cbadf17b265347cb3bbd2f0872dfe4771fb2a9bb3b635009ce69ef9c4
Instruction Fuzzy Hash: 19212571508300DFDB14DF10D9C0B16BBA6EB89314F24C56DD80B5F686C336E847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00EAD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1362574518.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ead000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7db3e0fa7a97b8e9f12b9166f428604050dcd8e26ad443058a12e4d29c6575ec
Instruction ID: 427e17d9c4f8d10da74321eeafbe3d78f6e16b3740fb8ae6896f94d87e9865cb
Opcode Fuzzy Hash: 7db3e0fa7a97b8e9f12b9166f428604050dcd8e26ad443058a12e4d29c6575ec
Instruction Fuzzy Hash: 4C21F575508304DFDB05DF50D9C0B25BBA5FB89318F24C56DD80A5F666C336E846CA71

Uniqueness

Uniqueness Score: -1.00%

Function 00EAD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1362574518.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ead000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 414b28deed2c680ade347782eeb1542d87e2eedd1103a10d8f27902fe1f03b22
Instruction ID: e55bfe5c5c568a2324af5ff8281a23e5165c4f500d596343a140160057438734
Opcode Fuzzy Hash: 414b28deed2c680ade347782eeb1542d87e2eedd1103a10d8f27902fe1f03b22
Instruction Fuzzy Hash: AF21417550D3808FDB12CF24D9D4715BF72EB46214F28C5EAD8498F6A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00EAD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1362574518.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ead000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction ID: 0161c407e9636f5e17046852d28854c17f3f3453eeb79ff6e21d151142025cd1
Opcode Fuzzy Hash: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction Fuzzy Hash: 9511BE75508240DFCB12CF50C9C4B15BB71FB89318F24C6A9D84A5F666C33AE81ACB61

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01088718 Relevance: 2.7, Strings: 2, Instructions: 177COMMON

Download Yara Rule

Strings

, xrefs: 0108882E
r, xrefs: 010888A9

Memory Dump Source

Source File: 00000002.00000002.1363253215.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1080000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: $r
API String ID: 0-2297392708
Opcode ID: 7ecb9bc834c919b3ce007bf49128acbe1bea0735285c253ee4b74d2820e1ba94
Instruction ID: 33413e84f95aef29dff2fe6394743a327abbc3a18b7bd3b0911f57bbe1d57fe3
Opcode Fuzzy Hash: 7ecb9bc834c919b3ce007bf49128acbe1bea0735285c253ee4b74d2820e1ba94
Instruction Fuzzy Hash: AB513532F182558FCB11DB6DD8842EEBBB2EF85210B58C1ABC195CB20AE770E851C781

Uniqueness

Uniqueness Score: -1.00%

Function 07038480 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1369197587.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f2148de767dda9d3c8b746b409512271283cc16cf90f1acd95bbf90de908704
Instruction ID: b4a0103bce8ac30a253237c538b82809930894e32eedc7706f550074d4ef1733
Opcode Fuzzy Hash: 1f2148de767dda9d3c8b746b409512271283cc16cf90f1acd95bbf90de908704
Instruction Fuzzy Hash: C7E1E9B4E102598FDB14DFA9D580AAEBBB6FF89304F24C299E414A7355D7309942CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07038048 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1369197587.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6959a8b39b1ddbd94c8f04db2097bf27c5d95a31e576bf3ea61b34e06f47c10d
Instruction ID: 0f6aafd4903759db7be01290feb7e172aeb8cc8052a7cfd68369d87072415a39
Opcode Fuzzy Hash: 6959a8b39b1ddbd94c8f04db2097bf27c5d95a31e576bf3ea61b34e06f47c10d
Instruction Fuzzy Hash: 4FE1E9B4E002598FDB14DFA9D580AAEBBB6FF89304F24C2A9E414A7355D730A941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07039F60 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1369197587.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce067fce06c07a2bfff63abe0cbe1b067e8b4790128f4ba7c2e7e7ae8f63e458
Instruction ID: bae15c8e148790f19694792c94219a66edfc34af477dad523fb7c1e3ad8ed213
Opcode Fuzzy Hash: ce067fce06c07a2bfff63abe0cbe1b067e8b4790128f4ba7c2e7e7ae8f63e458
Instruction Fuzzy Hash: 81E108B4E002598FDB14DFA9C580AAEBBB6FF89304F24C259E454AB355C735A942CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07037C10 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1369197587.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7698665081ea8b455e4934ce518fc081b6c6864df092eeb87b83680a1e6ca29e
Instruction ID: 26f0ea0141ec76c7f0671ab5a807ad7f083c34f5d98542cf56a01f7e2b61440f
Opcode Fuzzy Hash: 7698665081ea8b455e4934ce518fc081b6c6864df092eeb87b83680a1e6ca29e
Instruction Fuzzy Hash: CBE11AB4E002598FDB14DFA9D580AAEFBF6FF89304F249269D414AB355C730A941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07039B28 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1369197587.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aabcfe7b60d16229ca0f2aecdf6f2a6ff09bfae8244f8b47aa2c1b3ed8f8fd9c
Instruction ID: bd9ff84dd1fe939bfc89a332648c796e0c527ddd932e50c8ed9efb982883029b
Opcode Fuzzy Hash: aabcfe7b60d16229ca0f2aecdf6f2a6ff09bfae8244f8b47aa2c1b3ed8f8fd9c
Instruction Fuzzy Hash: ABE12DB4E102598FDB14DFA9D580AAEFBF6FF89304F248259D414A7355C770A941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 04FCBF48 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367158544.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4fc0000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea32421932d8a4b80fa82e63688dabbe0efd8b853bf98ea7759da83173a6c0fe
Instruction ID: 557655a95a0f6e853b33ece78b9321b024c47e5a373ed234425728861887836c
Opcode Fuzzy Hash: ea32421932d8a4b80fa82e63688dabbe0efd8b853bf98ea7759da83173a6c0fe
Instruction Fuzzy Hash: 22910A71E1025ACFDB54CF69C98069DF7B1BF89304F1482AAD419EB311EB71A986CF40

Uniqueness

Uniqueness Score: -1.00%

Function 04FCCE20 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367158544.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4fc0000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73cd93467da566152ca2e278ce2611196e669f703b0e1675012ec426697a4d20
Instruction ID: fa2da338f3b77bbb3fc5430f76521359729e765ebe019fb9475a3dae962508b2
Opcode Fuzzy Hash: 73cd93467da566152ca2e278ce2611196e669f703b0e1675012ec426697a4d20
Instruction Fuzzy Hash: 5C91EA71E1065A8FDB54DF69C98069DF7B1FF89304F1482AAE419EB311EB71A982CF40

Uniqueness

Uniqueness Score: -1.00%

Function 04FCBF54 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367158544.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4fc0000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38bf3dce9227d519878f66b590b37b829caa05ab44e9f346dd3148e33ed623c0
Instruction ID: 52a15f7bd6ab14e9fc34d33da7a4ab0ef2fb6604908d8d71903671503c50b2ac
Opcode Fuzzy Hash: 38bf3dce9227d519878f66b590b37b829caa05ab44e9f346dd3148e33ed623c0
Instruction Fuzzy Hash: 4691F971E1025A8FDB54CF69C98069DF7B1BF89304F1482AAE419EB311EB71A982CF40

Uniqueness

Uniqueness Score: -1.00%

Function 07038038 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1369197587.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d1593d2863262d671d1a2990c4eb5bfb92b2b12e64f1657c039d7f1c9ed366b
Instruction ID: 709e6e7009fd2ba14a9aa67be7ec76db14b04f0623f3c9c7a7bbe16eb1517e8d
Opcode Fuzzy Hash: 9d1593d2863262d671d1a2990c4eb5bfb92b2b12e64f1657c039d7f1c9ed366b
Instruction Fuzzy Hash: 58510AB4E002198FDB14CFA9D9415AEBBF6FF89304F24C2AAD418A7355D7309941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0108784D Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1363253215.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1080000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd339b331caf1d7c180c536bc92fda96f89b4f1ac57e555d2f8d2165f0276d6b
Instruction ID: aef389b6fae9f4d0212c9803fe96ea710c9625dec8d6a123936380de8b190ea5
Opcode Fuzzy Hash: bd339b331caf1d7c180c536bc92fda96f89b4f1ac57e555d2f8d2165f0276d6b
Instruction Fuzzy Hash: 7A412678E5511A8FCF14CFA9E581AEDF3F1BF4C300B21E216E056EB295DB34A9048B40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Documento de confirmacion de orden de compra OC 1580070060.exePID: 8112, Parent PID: 7844COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	2.7%
Signature Coverage:	5.8%
Total number of Nodes:	555
Total number of Limit Nodes:	68

Executed Functions

Function 0041A400 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A445

Strings

bMA, xrefs: 0041A422, 0041A430
!JA, xrefs: 0041A41C, 0041A428
bMA, xrefs: 0041A43D, 0041A444

Memory Dump Source

Source File: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: !JA$bMA$bMA
API String ID: 2738559852-4222312340
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 27817754ac388b25b847a3362b671b2e44b934df7eae6808a762aa4d31f9cf83
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 93F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACE0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52

Memory Dump Source

Source File: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: d499f532a4605d4acc668fd39ab8700ce4e6b27de0f8ef54b1fb0fb48fae0bb4
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: EF0152B5D4020DA7DB10EBA5DC42FDEB3789F14308F0041A5E908A7281F634EB54CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0041A350 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A39D

Memory Dump Source

Source File: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 880687b14e2bfdcefdfb108c829fe1d34a34742feba638e3287dae326a4d6923
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: AAF0BDB2201208AFCB08CF89DC85EEB77ADAF8C754F158248BA1D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A52A Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B124,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A569

Memory Dump Source

Source File: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 228644025f840f7fee6e35e43d606d2cd65501fa599a09edf95dbb4ed57bdd68
Instruction ID: 5ffd9728610d5dd4d37788f4d0a412f800f0528348d8b23841a4b3b5204e8e6b
Opcode Fuzzy Hash: 228644025f840f7fee6e35e43d606d2cd65501fa599a09edf95dbb4ed57bdd68
Instruction Fuzzy Hash: 52F058B1200208ABCB18DF88CC91EE737ACAF88314F108148BE0C97252C630E810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A530 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B124,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A569

Memory Dump Source

Source File: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 4e0f78fd3c2c10b6dba7ecb12144fed22081eaa1fb7babd41561f41a61d0d9a2
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: A3F015B2200208AFCB14DF89CC81EEB77ADAF88754F118149BE1C97241C630F811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A47C Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A4A5

Memory Dump Source

Source File: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 2a6e77dc6e63fa20358b6d1967c4757a1df7cb8c207af33ae23075fd2ab79126
Instruction ID: 74f325f6456e40746026e1435586509bfe7f73128666eae7e8e5cd7dfe80f1a7
Opcode Fuzzy Hash: 2a6e77dc6e63fa20358b6d1967c4757a1df7cb8c207af33ae23075fd2ab79126
Instruction Fuzzy Hash: 2EE012762402146FD714EBD4CC45FD77768EF44764F154499BA2C9B242C534E61087D0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A480 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A4A5

Memory Dump Source

Source File: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 58703de6d0d09b45194c1a78dafb6a6614d70e6a8447524affba2eb7b0ba4c9c
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: E9D01776200214ABD710EB99CC85EE77BACEF48764F154499BA1C9B242C530FA1086E4

Uniqueness

Uniqueness Score: -1.00%

Function 015F2B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015F2B6A

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e94bc6978d7fcc568a10d48fe21c38e570833ca53f7670247569262259202196
Instruction ID: b64dbe47552d3c2e1e1a40c0ae21df5f4360f82149cd560b2b0f79d717e63e8a
Opcode Fuzzy Hash: e94bc6978d7fcc568a10d48fe21c38e570833ca53f7670247569262259202196
Instruction Fuzzy Hash: 8D90026160280043410AB5584814617400E97E0201B55C421E50146D4EC52589D16225

Uniqueness

Uniqueness Score: -1.00%

Function 015F2BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015F2BFA

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f15efb3a4f2eb054f4a0bc7beb35dea225716827f3e7d6c2e27357dbf6661502
Instruction ID: 2c3a2abf13ef261b12ecd649e55fd3e9342be0b4a91d13bed952eec31965ae07
Opcode Fuzzy Hash: f15efb3a4f2eb054f4a0bc7beb35dea225716827f3e7d6c2e27357dbf6661502
Instruction Fuzzy Hash: A490023160180842D185B558480464B000997D1301F95C415A4025798ECA158B9977A1

Uniqueness

Uniqueness Score: -1.00%

Function 015F2AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015F2ADA

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 611ac73d04ce068f2f4f6a00455794d302600f195c4671ff3dab4bb13a7b53f3
Instruction ID: 81a0a1e407cc0f764e1bd30e66bf37f6745a782d5b224df142b35d541b646590
Opcode Fuzzy Hash: 611ac73d04ce068f2f4f6a00455794d302600f195c4671ff3dab4bb13a7b53f3
Instruction Fuzzy Hash: 1690022561180043010AF9580B04507004A97D5351355C421F5015694DD62189A15221

Uniqueness

Uniqueness Score: -1.00%

Function 015F2D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015F2D1A

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1146e333c59b167dc5c973c36dc40d798bddf5dc6d87c4ad0d35ffda5e5e2f76
Instruction ID: f29d9cb147b1299e9ed388af8bb981adb4ff33e62027679596491c623a4264c6
Opcode Fuzzy Hash: 1146e333c59b167dc5c973c36dc40d798bddf5dc6d87c4ad0d35ffda5e5e2f76
Instruction Fuzzy Hash: 4690022961380042D185B558580860B000997D1202F95D815A401569CDC91589A95321

Uniqueness

Uniqueness Score: -1.00%

Function 015F2D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015F2D3A

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d6e12a73f6912f81c9589a60e3d6709ce9726f5feb832be095fca147fd4f4b6d
Instruction ID: b252f8dfedd922debd08ea486ac59a3ce73ff86df15f9086a9447fe8e5041d94
Opcode Fuzzy Hash: d6e12a73f6912f81c9589a60e3d6709ce9726f5feb832be095fca147fd4f4b6d
Instruction Fuzzy Hash: 9F90022170180043D145B55858186074009E7E1301F55D411E4414698DD91589965322

Uniqueness

Uniqueness Score: -1.00%

Function 015F2DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015F2DDA

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 884c37ede2eb0c14199c1dbd24b20bd15e2d84e5323d9302952837d4675e91e7
Instruction ID: d9fd1d61eaacbfc41f64f36fa190ea3ff48f64a9ec3aff660bf59423e3da807b
Opcode Fuzzy Hash: 884c37ede2eb0c14199c1dbd24b20bd15e2d84e5323d9302952837d4675e91e7
Instruction Fuzzy Hash: 8D90022164284192554AF5584804507400AA7E0241795C412A5414A94DC5269996D721

Uniqueness

Uniqueness Score: -1.00%

Function 015F2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015F2DFA

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 182846498aab5d4d12cbaedc258204a4a3abd4b9f77dbbb1a4a7814115d21bba
Instruction ID: ada2767d4f18b12f9287d19d3f00685b5c97d563010e68f672c3c4eb1ecfd120
Opcode Fuzzy Hash: 182846498aab5d4d12cbaedc258204a4a3abd4b9f77dbbb1a4a7814115d21bba
Instruction Fuzzy Hash: 9D90023160180453D116B5584904707000D97D0241F95C812A442469CED6568A92A221

Uniqueness

Uniqueness Score: -1.00%

Function 015F2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015F2C7A

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7766b5e006eeb572199c2641a4422dbf4964173cb02c3fdbb726f3616ed20743
Instruction ID: a59c9c112ed0f2eab7d5c7bf282212d4ae8fb7794649d325126c18afe38b29e9
Opcode Fuzzy Hash: 7766b5e006eeb572199c2641a4422dbf4964173cb02c3fdbb726f3616ed20743
Instruction Fuzzy Hash: 2B90023160188842D115B558880474B000997D0301F59C811A842479CEC69589D17221

Uniqueness

Uniqueness Score: -1.00%

Function 015F2CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015F2CAA

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 04a7c1e94df7be4273b1d32c49b72b227ee0e519baa9399fb31bde6419ec72c0
Instruction ID: f596434c60f765f7a3b491a626a92500a966a6df93ab8e1a7e5851f718aa875a
Opcode Fuzzy Hash: 04a7c1e94df7be4273b1d32c49b72b227ee0e519baa9399fb31bde6419ec72c0
Instruction Fuzzy Hash: 4B90023160180442D105B9985808647000997E0301F55D411A9024699FC66589D16231

Uniqueness

Uniqueness Score: -1.00%

Function 015F2F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015F2F3A

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 72ed1b6c16073dd7d69b2a7f864780041783bb2356fb3cb4ea9e1e629bf2127d
Instruction ID: 4a8edee682b28bfcdc18c5f0fc3b0d300b55ab7f4adca36b1ff9982423ac9bc5
Opcode Fuzzy Hash: 72ed1b6c16073dd7d69b2a7f864780041783bb2356fb3cb4ea9e1e629bf2127d
Instruction Fuzzy Hash: 6190026174180482D105B5584814B070009D7E1301F55C415E5064698EC619CD926226

Uniqueness

Uniqueness Score: -1.00%

Function 015F2FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015F2FEA

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ca69af56eebe7c84009df45704db7451bcc54b5c5a137dcc2bd9f643cde2f559
Instruction ID: b8eeecc0146d97aa98a4de58a4eaaff274c8af4c2b6aae9dcf7e5cc87928f840
Opcode Fuzzy Hash: ca69af56eebe7c84009df45704db7451bcc54b5c5a137dcc2bd9f643cde2f559
Instruction Fuzzy Hash: F6900221611C0082D205B9684C14B07000997D0303F55C515A4154698DC91589A15621

Uniqueness

Uniqueness Score: -1.00%

Function 015F2F90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015F2F9A

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e17e4efc44982c8e0bc5535c6d2860e56556e3114b2bd128d64591fba1936c09
Instruction ID: 0793f1feb404cd33b50d30bd8b7badc297598dc7638f6ff820bf4dce1dfec169
Opcode Fuzzy Hash: e17e4efc44982c8e0bc5535c6d2860e56556e3114b2bd128d64591fba1936c09
Instruction Fuzzy Hash: DA900231601C0442D105B5584C1470B000997D0302F55C411A5164699EC62589916671

Uniqueness

Uniqueness Score: -1.00%

Function 015F2FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015F2FBA

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c0f38afab8197c254d5e873e1840b54873b8fe6c4daca1a32bb96bbb9c677e9f
Instruction ID: 24f6ae4b669aaedfad90b5dce01dd9063e0f6a8fdfc9cf57ea7e298ced169110
Opcode Fuzzy Hash: c0f38afab8197c254d5e873e1840b54873b8fe6c4daca1a32bb96bbb9c677e9f
Instruction Fuzzy Hash: 5F900221A01800824145B5688C449074009BBE1211755C521A4998694EC55989A55765

Uniqueness

Uniqueness Score: -1.00%

Function 015F2E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015F2E8A

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e36ddb052724e737632c881a2106ca9ddaf3e43263494710531a629694de8fcb
Instruction ID: 4121fd0c93eeda1bee7b888aeb81690fd44df565e87e5d78a5951bdf5a63b472
Opcode Fuzzy Hash: e36ddb052724e737632c881a2106ca9ddaf3e43263494710531a629694de8fcb
Instruction Fuzzy Hash: 20900221A0180542D106B5584804617000E97D0241F95C422A5024699FCA258AD2A231

Uniqueness

Uniqueness Score: -1.00%

Function 015F2EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015F2EAA

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fbccaf481067e17c47b2a1716d128051848cd0003ff78e3ac06aa87ec6aaee7e
Instruction ID: ad2968dc8a6a37996796544eed1beb06d2773b12659c9c073acc5f56ce320aa3
Opcode Fuzzy Hash: fbccaf481067e17c47b2a1716d128051848cd0003ff78e3ac06aa87ec6aaee7e
Instruction Fuzzy Hash: 4790027160180442D145B5584804747000997D0301F55C411A9064698FC6598ED56765

Uniqueness

Uniqueness Score: -1.00%

Function 00409AA0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
Instruction ID: 290ea537485be02d779a264d5a339eceb4dab98af215cfaa17b5abd8430697b8
Opcode Fuzzy Hash: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
Instruction Fuzzy Hash: FD213AB2D442095BCB21D664AD42BFF73BCAB54314F04007FE949A3182F638BF498BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A693 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A64D
ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6C8

Strings

&EA, xrefs: 0041A642, 0041A64C

Memory Dump Source

Source File: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Yara matches

Similarity

API ID: AllocateExitHeapProcess
String ID: &EA
API String ID: 1054155344-1330915590
Opcode ID: 74718f39f73767e11d61d1e7c1d9dd5e3dec8e3c8a46534d5e077441bd196523
Instruction ID: 3442741909fd3ae836a7a9b636d4f3a5158cea82ca9ee53051834243c9db8715
Opcode Fuzzy Hash: 74718f39f73767e11d61d1e7c1d9dd5e3dec8e3c8a46534d5e077441bd196523
Instruction Fuzzy Hash: B4119DB5204248AFCB14EFA8DC80DEB77A8AF88314F15864DF95C97242C634E916CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A620 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A64D

Strings

&EA, xrefs: 0041A642, 0041A64C

Memory Dump Source

Source File: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: &EA
API String ID: 1279760036-1330915590
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 51260f1f489a67c7b9949974b81657d9e18ee3442a924465d5a53260c52aa3af
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: AFE012B1200208ABDB14EF99CC41EA777ACAF88664F118559BA1C5B242C630F9118AB4

Uniqueness

Uniqueness Score: -1.00%

Function 0040830A Relevance: 1.6, APIs: 1, Instructions: 62
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: c9fa9b717a73b89cfc8cb1096402c616e658baaf3a741ba5bf89e6e5482e68be
Instruction ID: 824987672ed01c09ee9b66fcdf58cf4c3352d779d31f09e622c7ebf533d05529
Opcode Fuzzy Hash: c9fa9b717a73b89cfc8cb1096402c616e658baaf3a741ba5bf89e6e5482e68be
Instruction Fuzzy Hash: 6B014931A8031876E720A6A59C03FFE775CAB40B54F05026EFF04FA1C1EAA9690542EA

Uniqueness

Uniqueness Score: -1.00%

Function 00408310 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: b0fcd880289c8ecfbeb793961d9b547f85606b63ac5ed8a73f76917213b02706
Instruction ID: d17f8cfce065c66642409dfa920775f821b8147089a61b374e72855f6ed3688e
Opcode Fuzzy Hash: b0fcd880289c8ecfbeb793961d9b547f85606b63ac5ed8a73f76917213b02706
Instruction Fuzzy Hash: E0018471A8032877E720A6959C43FFE776C6B40F54F05412AFF04BA1C2E6A8690546EA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A7B1 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7F0

Memory Dump Source

Source File: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 3dd8dddf95c5932f6aa1323c090e32eb977d90218e8a7b8369b87a08571e4ed2
Instruction ID: 01149328ab3043017a633e6cc8b1acc7fa4ac83b83ee51ed52c87f83440faf0c
Opcode Fuzzy Hash: 3dd8dddf95c5932f6aa1323c090e32eb977d90218e8a7b8369b87a08571e4ed2
Instruction Fuzzy Hash: DFF0E5B4604240AFC710DF54C845DD73BA8EF80314F00456EFC695B242C735D415CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A660 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A68D

Memory Dump Source

Source File: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: bc8b067cd83da56cee666b5c28ce04d4f8bf1b8054c0557e0bc192b3240f86e0
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: DAE012B1200208ABDB18EF99CC49EA777ACAF88764F018559BA1C5B242C630E9108AB4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A7C0 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7F0

Memory Dump Source

Source File: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: b271a6b6fd8fca1a6df64550df1cef4b538e167436523c48f1a9ef262b7a55b1
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 4FE01AB12002086BDB10DF49CC85EE737ADAF88654F018155BA0C57241C934E8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6A0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6C8

Memory Dump Source

Source File: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 02052f1feec4c32fa888e0c2ff15824475a9bddcc7bd9f2d7c69f560d23a1846
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: CBD017726002187BD620EB99CC85FD777ACDF487A4F0180A9BA1C6B242C531BA108AE5

Uniqueness

Uniqueness Score: -1.00%

Function 015F2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015F2C24

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 562fd2a1b032732197b5db3c3d4c3c676c6bede5881ede20b8887e93ff702c68
Instruction ID: 6061486d4c6ce8fd5ab7705a82f68f67ec528a30fd10bbde28dba24627208a2f
Opcode Fuzzy Hash: 562fd2a1b032732197b5db3c3d4c3c676c6bede5881ede20b8887e93ff702c68
Instruction Fuzzy Hash: 09B09B71D019C5D5DA16E7644A0871B7904B7D0701F15C465D3030785F8738C1D1E275

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01632349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

ShutdownFlags, xrefs: 016324A1
UnloadEventTraceDepth, xrefs: 016324C0
MaxDeadActivationContexts, xrefs: 01632D82
@, xrefs: 01632B74
TracingFlags, xrefs: 01632549
FrontEndHeapDebugOptions, xrefs: 01632489
DisableHeapLookaside, xrefs: 0163246D
UseImpersonatedDeviceMap, xrefs: 0163251C
MaxLoaderThreads, xrefs: 016324EC
RaiseExceptionOnPossibleDeadlock, xrefs: 01632579
MinimumStackCommitInBytes, xrefs: 01632BB0
CFGOptions, xrefs: 01632967
GlobalFlag, xrefs: 01632F3F, 01633059
@, xrefs: 01632942
LdrpInitializeExecutionOptions, xrefs: 0163317D
minkernel\ntdll\ldrinit.c, xrefs: 01633187
Initializing the application verifier package failed with status 0x%08lx, xrefs: 01633176
DisableExceptionChainValidation, xrefs: 0163275F
ExecuteOptions, xrefs: 016325A0
GlobalFlag2, xrefs: 01632FC0

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 87ab31519a228090f6ff25a03d71bd569311c5c833538526eab6cb3f7cf9b32b
Instruction ID: e6176d41bf12010c7f9897780b3f280e164d9eb8e7dbc4edec04880d1fa9b13c
Opcode Fuzzy Hash: 87ab31519a228090f6ff25a03d71bd569311c5c833538526eab6cb3f7cf9b32b
Instruction Fuzzy Hash: AB928B71608342AFE721DE29CC90B6BBBE8BBC4754F04492DFA959B350D770E845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 015E8620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016254CE
undeleted critical section in freed memory, xrefs: 0162542B
Invalid debug info address of this critical section, xrefs: 016254B6
Critical section address, xrefs: 01625425, 016254BC, 01625534
Address of the debug info found in the active list., xrefs: 016254AE, 016254FA
Thread identifier, xrefs: 0162553A
Thread is in a state in which it cannot own a critical section, xrefs: 01625543
double initialized or corrupted critical section, xrefs: 01625508
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016254E2
Critical section address., xrefs: 01625502
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0162540A, 01625496, 01625519
Critical section debug info address, xrefs: 0162541F, 0162552E
corrupted critical section, xrefs: 016254C2
8, xrefs: 016252E3

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 112016fc5c067b170e9eecbe01dbda1dbe8997da9185d47951b074a676e84e1a
Instruction ID: 03f76fa31cba152f8f73f8611b107d398b397c5352935e5a41d9daf365725089
Opcode Fuzzy Hash: 112016fc5c067b170e9eecbe01dbda1dbe8997da9185d47951b074a676e84e1a
Instruction Fuzzy Hash: 9F819AB0A40759AFDF20CF99CC45BAEBBB5BB49704F104119E509BB240D371A941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015E29F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

@, xrefs: 0162259B
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01622498
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01622624
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 016225EB
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01622506
RtlpResolveAssemblyStorageMapEntry, xrefs: 0162261F
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01622409
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01622412
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 016224C0
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01622602
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 016222E4

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: 54385310f12f7614720aff4b72b9fa7f643b81ee9c2191840cfb7a88d48e0398
Instruction ID: 4400e64bfa0071926838c914d7d1b73bf9e5bcb13f9f820f869b76c825aaab31
Opcode Fuzzy Hash: 54385310f12f7614720aff4b72b9fa7f643b81ee9c2191840cfb7a88d48e0398
Instruction Fuzzy Hash: 26026FF2D006299BDB35DB54CC84B9AB7B8BB54304F4041EEE60DAB241EB709E94CF59

Uniqueness

Uniqueness Score: -1.00%

Function 01658B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 01658BD0
lsass.exe, xrefs: 01658BA1
smss.exe, xrefs: 01658B8B
csrss.exe, xrefs: 01658B80
runtimeuserer.exe, xrefs: 01658B73
DefaultBrowser_NOPUBLISHERID, xrefs: 01658D00
svchost.exe, xrefs: 01658B68
heapType, xrefs: 01658BCB
SegmentHeap, xrefs: 01658BE9
services.exe, xrefs: 01658B96

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimeuserer.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 8679e7b3540ced2fb5c7e148fe5dafd99ca1c103e56a1e4421f3324917307f9e
Instruction ID: c037ae6160ebb22f5a72bfbcef77d43eb5ce9835c8ff14525fad16f3ea24b15d
Opcode Fuzzy Hash: 8679e7b3540ced2fb5c7e148fe5dafd99ca1c103e56a1e4421f3324917307f9e
Instruction Fuzzy Hash: 0151BD725143069BD329DF1A8C44BABBBECFF98240F144A1DEE99C7641E770D604CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01660274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 0166069F
RtlReAllocateHeap, xrefs: 016602BF, 01660362
Just reallocated block at %p to %Ix bytes, xrefs: 016605F1
HEAP: , xrefs: 016603A6, 016604B5, 016605DD, 01660682, 016606D9
HEAP[%wZ]: , xrefs: 01660399, 016604A8, 016605D0, 01660675, 016606CC
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 016606EA
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 016604D3
About to reallocate block at %p to %Ix bytes, xrefs: 016603BA

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: f223f675a2b4debc7342591ff6e2fa7fb3e94fd7b60d61558097e22cda8dfde6
Instruction ID: 52b3c683991fd782d9152de5e0f1ce78d42543f09f87cd7d24f3a483a2c5ef90
Opcode Fuzzy Hash: f223f675a2b4debc7342591ff6e2fa7fb3e94fd7b60d61558097e22cda8dfde6
Instruction Fuzzy Hash: 80D1BC35600686DFDB22DF68CC40AADBBF9FF89604F488069F4469B352DB74E981CB54

Uniqueness

Uniqueness Score: -1.00%

Function 016389B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

VerifierDlls, xrefs: 01638CBD
AVRF: -*- final list of providers -*- , xrefs: 01638B8F
VerifierDebug, xrefs: 01638CA5
HandleTraces, xrefs: 01638C8F
VerifierFlags, xrefs: 01638C50
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01638A3D
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01638A67

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: f568dd88aa29bfacc6d1f1decec4efd9f5eeb60e9243564b7f8ccecc75854918
Instruction ID: 53242d816bd9c2f64a659910c5993e400d0014b099820151042299637d23de87
Opcode Fuzzy Hash: f568dd88aa29bfacc6d1f1decec4efd9f5eeb60e9243564b7f8ccecc75854918
Instruction Fuzzy Hash: 949104B2645702AFD721DF688C80B9BBBE9BBD4714F44465CFA426F241C770AC01CB95

Uniqueness

Uniqueness Score: -1.00%

Function 015BEA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

LdrpResSearchResourceInsideDirectory Enter, xrefs: 015BEB58
, xrefs: 015BF299
LdrpResSearchResourceInsideDirectory Exit, xrefs: 015BEB6C
T, xrefs: 015BEB4E
R, xrefs: 015BEB62
{, xrefs: 01614643

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: a9c10fe8ba47404e9b1fb5034ec74aa5f0cc40e39dbf55a4266f67196fe9ba00
Instruction ID: 77e2844de6e3487fc5cbf6ca1c617a87a3a5e01156f9ee36f4943dd4f9a4e495
Opcode Fuzzy Hash: a9c10fe8ba47404e9b1fb5034ec74aa5f0cc40e39dbf55a4266f67196fe9ba00
Instruction Fuzzy Hash: 48A21574A0562A8FDB64DF19CC887EDBBB5FB45304F1846EAD909AB254DB309E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 015E63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 0162413A
minkernel\ntdll\ldrinit.c, xrefs: 016240E9, 0162414B, 0162420F, 01624269
Delaying execution failed with status 0x%08lx, xrefs: 01624258
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 016240D8
_LdrpInitialize, xrefs: 016240DF, 01624141, 01624205, 0162425F
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 016241FE

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: cae39761ab5d5305d4674e0fa0f884cfbcca5375e8e613fa0a596e07d869a573
Instruction ID: 2649d394ef14845cf6e15f4d8643037b10bcae98415b2ad400ec16ab0496cbea
Opcode Fuzzy Hash: cae39761ab5d5305d4674e0fa0f884cfbcca5375e8e613fa0a596e07d869a573
Instruction Fuzzy Hash: FA912471B017229BEB29EF59DC88BAE7BE2BF51B54F54402CD9016F381DB60A801CF95

Uniqueness

Uniqueness Score: -1.00%

Function 015A645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Getting the shim engine exports failed with status 0x%08lx, xrefs: 01609A01
apphelp.dll, xrefs: 015A6496
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 016099ED
minkernel\ntdll\ldrinit.c, xrefs: 01609A11, 01609A3A
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01609A2A
LdrpInitShimEngine, xrefs: 016099F4, 01609A07, 01609A30

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 69b7b3931449557066300c711eb3948c3c8b5d810316871a8377c05c32da041b
Instruction ID: 4ba773aa8181ce399158e37520080047e8437190e44714cbe6a395d9e2eec378
Opcode Fuzzy Hash: 69b7b3931449557066300c711eb3948c3c8b5d810316871a8377c05c32da041b
Instruction Fuzzy Hash: 6651C0712483059FD725DF24CC41BABBBE9FB84748F84091DF9899B2A1D770E944CB92

Uniqueness

Uniqueness Score: -1.00%

Function 015E2674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

RtlGetAssemblyStorageRoot, xrefs: 01622160, 0162219A, 016221BA
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01622178
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01622180
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 016221BF
SXS: %s() passed the empty activation context, xrefs: 01622165
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0162219F

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 85519d17f261fc5476e42ea7cc31834592dbad1890064698e924479c41b1b320
Instruction ID: b0ebb9370ba802481b32ec12aeffe92c7c8c60a73c66d6f9e105c3719bbff637
Opcode Fuzzy Hash: 85519d17f261fc5476e42ea7cc31834592dbad1890064698e924479c41b1b320
Instruction Fuzzy Hash: 18313736F40221B7FB258A998C49F5B7BADFB94A50F15405DFB04AF244D7709A01CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 015EC6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 01628181, 016281F5
Loading import redirection DLL: '%wZ', xrefs: 01628170
minkernel\ntdll\ldrinit.c, xrefs: 015EC6C3
Unable to build import redirection Table, Status = 0x%x, xrefs: 016281E5
LdrpInitializeImportRedirection, xrefs: 01628177, 016281EB
LdrpInitializeProcess, xrefs: 015EC6C4

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 7ced5e5a3848819e503536c332526946b46f2fd496562e7c795a62fff1f1772c
Instruction ID: 6d7a2e787b6a450c2396fad9acf5acb4ee6b02b62794a8e73cb5fb10c6e7700c
Opcode Fuzzy Hash: 7ced5e5a3848819e503536c332526946b46f2fd496562e7c795a62fff1f1772c
Instruction Fuzzy Hash: 0131F1B16447139BC324EA2CDD4AE2ABBD5FFD4B10F00052CF944AF291D620EC04CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 015F096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 015F2DF0: LdrInitializeThunk.NTDLL ref: 015F2DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015F0BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015F0BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015F0D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015F0D74

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: c2c7c75ff310cfe790f3d9758cabb1a1ced918a26a17061867bf613ff6dce403
Instruction ID: 1580be76159fbb22049e0d4280843d8b2b4b228af00713424b3425ccc8e9fd7c
Opcode Fuzzy Hash: c2c7c75ff310cfe790f3d9758cabb1a1ced918a26a17061867bf613ff6dce403
Instruction Fuzzy Hash: 54424B71900716DFDB21CF68C880BAAB7F5BF44314F1445ADEA89DB282D770A985CF60

Uniqueness

Uniqueness Score: -1.00%

Function 015C29A0 Relevance: 6.0, Strings: 4, Instructions: 966COMMON

Download Yara Rule

Strings

, xrefs: 015C31A3
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 015C327D
HEAP: , xrefs: 015C3264
HEAP[%wZ]: , xrefs: 015C3255

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: $HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-3126994380
Opcode ID: 683a6f46441fe54b186b6bfc82fc17299012c5e82242c8f6bd22914d95eaf58a
Instruction ID: 2a525bcfd44264f3dc6baa0d86e77e5d10a068a3748af0de8f2c617764a63d12
Opcode Fuzzy Hash: 683a6f46441fe54b186b6bfc82fc17299012c5e82242c8f6bd22914d95eaf58a
Instruction Fuzzy Hash: 60929A71A042499FDB25CFA8C8447AEBBF1FF48B04F18849DE85AAB351D735A941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 015BA3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

8, xrefs: 015BA3E7
LdrResFallbackLangList Exit, xrefs: 015BA3FF
LdrResFallbackLangList Enter, xrefs: 015BA3EF
6, xrefs: 015BA3F7

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: f49ce1918c5d9b9497d9cffbcfff449804435f849405f69b7eb083758b2e3ef4
Instruction ID: 6a7ed52ea4fa36bd5de95b59ea6036f826c93bf866e2abb80c5ac13306d68a48
Opcode Fuzzy Hash: f49ce1918c5d9b9497d9cffbcfff449804435f849405f69b7eb083758b2e3ef4
Instruction Fuzzy Hash: 8BC18A74508386CFD721CF58C480BAAB7E4BF84704F04496EF9958B395E778CA49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 015E8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 015E8421
LdrpInitializeProcess, xrefs: 015E8422
@, xrefs: 015E8591
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 015E855E

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 25649242eb3befa6b551e7f03c233291d68fc3350ef1d96adc8202f1fb34bdde
Instruction ID: 321556afd26e62967af92316a34e88462f03a91e74c37d60adf82c9d90051a77
Opcode Fuzzy Hash: 25649242eb3befa6b551e7f03c233291d68fc3350ef1d96adc8202f1fb34bdde
Instruction Fuzzy Hash: D1919EB1908746AFD721DF65CC84EAFBAE8FF84744F40496EFA859A150E730D904CB62

Uniqueness

Uniqueness Score: -1.00%

Function 015E273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

.Local, xrefs: 015E28D8
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 016222B6
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 016221D9, 016222B1
SXS: %s() passed the empty activation context, xrefs: 016221DE

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 32315c0842e08c9a9b56975d4652251870080a23c97d2083a72c40039e79a87b
Instruction ID: 814bad205633d02413e7afb8f3e09c147333f2a7048f1090e623dadc124b2822
Opcode Fuzzy Hash: 32315c0842e08c9a9b56975d4652251870080a23c97d2083a72c40039e79a87b
Instruction Fuzzy Hash: 7EA18B31D0122A9BDB28CF68CC88BA9B7F5BF59354F1545EAD908AB255D7309EC0CF90

Uniqueness

Uniqueness Score: -1.00%

Function 015E4AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01623456
RtlDeactivateActivationContext, xrefs: 01623425, 01623432, 01623451
SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01623437
SXS: %s() called with invalid flags 0x%08lx, xrefs: 0162342A

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: 860a25ae98b12430f71ab4d948a88653aedf7be8e72ae16c56ee789fa682227d
Instruction ID: 2646a259b5728aafde55fd41579bbaa1ace8ae4c2853837c1a6d5c655bc3ae64
Opcode Fuzzy Hash: 860a25ae98b12430f71ab4d948a88653aedf7be8e72ae16c56ee789fa682227d
Instruction Fuzzy Hash: 91612132A11B229BDB26CF18CC45B2AB7E5BF84B20F1485ADE995DF340D734E811CB95

Uniqueness

Uniqueness Score: -1.00%

Function 015B64AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 016110AE
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01610FE5
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01611028
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0161106B

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 117e7c09d24b8b007fb525bb925c4f173ee0b57a7aab4360b3d646cc64ded5fc
Instruction ID: db0eff460fa64a500426478afc6c49b58dfb3a9d59fc082594189db1bc068c38
Opcode Fuzzy Hash: 117e7c09d24b8b007fb525bb925c4f173ee0b57a7aab4360b3d646cc64ded5fc
Instruction Fuzzy Hash: C471BEB19043069FCB21DF18C8C4B9B7BA9BF95764F440468F9488F28AD734D598CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 015D245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0161A992
apphelp.dll, xrefs: 015D2462
minkernel\ntdll\ldrinit.c, xrefs: 0161A9A2
LdrpDynamicShimModule, xrefs: 0161A998

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: c79690ac9d7f67623c503bd592e58a7a8c6a5a7de585efa02b709b3031a8b9d6
Instruction ID: e324f9470406532cb611e498001656171255d40ccbee3c7000a65fea178a5742
Opcode Fuzzy Hash: c79690ac9d7f67623c503bd592e58a7a8c6a5a7de585efa02b709b3031a8b9d6
Instruction Fuzzy Hash: 61312872610242EBDB319F9DDC81AAEBBB5FB84B10F5A441DE9016F349C770A891CF90

Uniqueness

Uniqueness Score: -1.00%

Function 015C0770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

(UCRBlock->Size >= *Size), xrefs: 016150CA
HEAP: , xrefs: 016150BD
HEAP[%wZ]: , xrefs: 016150AE

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 34e88638f63fedd22245d8c4372dd3ae9ad51fa6210d66beed19057d877491c4
Instruction ID: 85be3d9d7b63eb84eece47814640c157f9d35cb196db64a3fc976d973f93e27d
Opcode Fuzzy Hash: 34e88638f63fedd22245d8c4372dd3ae9ad51fa6210d66beed19057d877491c4
Instruction Fuzzy Hash: F6F1CE35600606DFEB25CFA8C890BAAB7F5FF85704F1881ACE5169B385D734E981CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015D6962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 015D6C24
, xrefs: 0161CA51

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: InitializeThunk
String ID: $@
API String ID: 2994545307-1077428164
Opcode ID: 939a46c0f228f552a799ef530f8e41ff0ff7fb9f84f0d20d0286d2c4a414bced
Instruction ID: 6ddf402bda3abcbbf32463b446da40dfa2caec7323bb8f9fbc113236d31a45b8
Opcode Fuzzy Hash: 939a46c0f228f552a799ef530f8e41ff0ff7fb9f84f0d20d0286d2c4a414bced
Instruction Fuzzy Hash: 1CC25D716083419FE735CF28C881BAFBBE5BF88754F04892DE9898B251D774D845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 015AA197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

UseFilter, xrefs: 015AA1C1
\??\, xrefs: 0160C1E4
FilterFullPath, xrefs: 0160C2E6

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: ddd2a724b45f049bf3d20f6687a5feaac484e0ad4d775d54ea0cdb4a20046377
Instruction ID: edd8f599c83396be182ec56ebf2682aafd9d44ce6627ec6c35af8547836d3afe
Opcode Fuzzy Hash: ddd2a724b45f049bf3d20f6687a5feaac484e0ad4d775d54ea0cdb4a20046377
Instruction Fuzzy Hash: 0EA15F7191162A9BDB36DF68CC88BAEB7B8FF44700F1141E9E909AB250D7359E84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 015D0BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 0161A121
Failed to allocated memory for shimmed module list, xrefs: 0161A10F
LdrpCheckModule, xrefs: 0161A117

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: 4f7a2203057ddb9df6be9e572248d419fe548108c8e01d3028388eb04d4cda00
Instruction ID: d5ff4bf728e8fdf37ff6cd4fdbabec66104d44887005571a5361edffe10f439a
Opcode Fuzzy Hash: 4f7a2203057ddb9df6be9e572248d419fe548108c8e01d3028388eb04d4cda00
Instruction Fuzzy Hash: 4471AC71A00206DFDB25EFACCD81ABEB7F4FB84604F58446DE906AB395E734A941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 015C0A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 0161534D
HEAP: , xrefs: 01615342
HEAP[%wZ]: , xrefs: 01615335

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 8d8a12552098ee892331719d1c7725ffbf915a5d0f99c73ae31240dbf20a2b58
Instruction ID: 6722131304a8d06bcfdcb509cf56552413bfd439e785355fec9a64b14454a1ae
Opcode Fuzzy Hash: 8d8a12552098ee892331719d1c7725ffbf915a5d0f99c73ae31240dbf20a2b58
Instruction Fuzzy Hash: 9661A274600306DFDB29DF68C880B6ABBE1FF45B08F18855DE4568F296D7B0E881CB95

Uniqueness

Uniqueness Score: -1.00%

Function 015EC720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 016282E8
LdrpInitializePerUserWindowsDirectory, xrefs: 016282DE
Failed to reallocate the system dirs string !, xrefs: 016282D7

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 4cce1b22abcf6260aab0fec04ed748f9a816751bd3c9063609528659d4e0fc6e
Instruction ID: 089e3d7728da1dd593272f0a648ff358bab1479827e01dd2b128f3a2185e5aec
Opcode Fuzzy Hash: 4cce1b22abcf6260aab0fec04ed748f9a816751bd3c9063609528659d4e0fc6e
Instruction Fuzzy Hash: B241F371591312ABC720EFA8DC44B5B7BE8BF95750F45982EF944DB250E770E8108F92

Uniqueness

Uniqueness Score: -1.00%

Function 0166C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 0166C212
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0166C1C5
@, xrefs: 0166C1F1

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 13011c648f4ca62be0a3122552abccc259448c49c6ec0355033248df604cb3ec
Instruction ID: 04290b00240a19114de0fce8e525fb540cad80e470e1416ac0b6636294a1a365
Opcode Fuzzy Hash: 13011c648f4ca62be0a3122552abccc259448c49c6ec0355033248df604cb3ec
Instruction Fuzzy Hash: 55416171E1060AEBDF11DAD8CC51FEEBBBCBB54704F14806AEA49B7240D7749A458B90

Uniqueness

Uniqueness Score: -1.00%

Function 01644144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

@, xrefs: 01644225
LdrpResValidateFilePath Exit, xrefs: 01644172
LdrpResValidateFilePath Enter, xrefs: 01644160

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 609df1c0cc49ab3ccfed3cde4deb7fd118f8b3ee2e5336d93ac516ee4c6cddd8
Instruction ID: 4ba4b0a09f22c769f3ddb06ed9387e7bd4d052e54714f94478b52de22a35cb47
Opcode Fuzzy Hash: 609df1c0cc49ab3ccfed3cde4deb7fd118f8b3ee2e5336d93ac516ee4c6cddd8
Instruction Fuzzy Hash: C041FF71A00649CBEB26DBE9CC41BAEBBB8FF95340F14445AD901AF791DB359901CB11

Uniqueness

Uniqueness Score: -1.00%

Function 01634755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 01634899
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01634888
LdrpCheckRedirection, xrefs: 0163488F

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: 92d6a46e372e87127b750ae24b306bf4b7a1835c4f68ebad6197f2c6c9110ce6
Instruction ID: 25319917502ef50a96664ddd2afc1d67a1d246b39f80b6b1e7e9e84c69eea331
Opcode Fuzzy Hash: 92d6a46e372e87127b750ae24b306bf4b7a1835c4f68ebad6197f2c6c9110ce6
Instruction Fuzzy Hash: 05419032A146519FCB22CE69DC40A36FBE9FFC9750B06056DED599B351DB30E810CB91

Uniqueness

Uniqueness Score: -1.00%

Function 015C0BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 0161543E
HEAP[%wZ]: , xrefs: 01615431
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01615449

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: eef5e219740088f8f006b4a9184d98f5288bb01972e78dc1c38350369b8fb3f8
Instruction ID: ab0de7de6882a8cbf67da2b1f9ecf7529e943611e2cdc0ecb6249f85f1b04660
Opcode Fuzzy Hash: eef5e219740088f8f006b4a9184d98f5288bb01972e78dc1c38350369b8fb3f8
Instruction Fuzzy Hash: 9211AC35396142DFDB29DE58C840B6AF3A5BB82B1AF18811DF4068F299DB34E881C795

Uniqueness

Uniqueness Score: -1.00%

Function 016320DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 016320F3
minkernel\ntdll\ldrinit.c, xrefs: 01632104
LdrpInitializationFailure, xrefs: 016320FA

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 5c2c4169a8d5a98565248cf6de284a0df85d51ee16aa3feee0dad859c6a84dac
Instruction ID: a50fe2ad224487472c71210f23cdf5e9962032389f2318e015f4bdf9c3974e40
Opcode Fuzzy Hash: 5c2c4169a8d5a98565248cf6de284a0df85d51ee16aa3feee0dad859c6a84dac
Instruction Fuzzy Hash: 2CF0C235640319BBEB24E64CCD52FAA7BA8FB80B54F50006DFB007F785D2B0B950CA95

Uniqueness

Uniqueness Score: -1.00%

Function 015C03E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01614D8A

Strings

#%u, xrefs: 01614D82

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 59507a82331462aa4120cbaec19fa000cd55f4a1fc738d072ef762089897f564
Instruction ID: 984edb3d06bf4bfe218d75cf3b1ba58ba58bcd40a6aed75345923d363d71901e
Opcode Fuzzy Hash: 59507a82331462aa4120cbaec19fa000cd55f4a1fc738d072ef762089897f564
Instruction Fuzzy Hash: 74713972A0014A9FDB05DFA8C990BAEB7F8FF48744F144069E905EB251EB34AD01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 015BA9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Exit, xrefs: 015BAA25
LdrResSearchResource Enter, xrefs: 015BAA13

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: 9e198bd4d2c71e806e3b05173f58bc9bca67abae1e14ec446c069d2dc5bfc543
Instruction ID: 2c6d7a1fef62aaaf5a3ffd81d6d472a95f08e7f16e1cdeb73d8f0ff4b52bf551
Opcode Fuzzy Hash: 9e198bd4d2c71e806e3b05173f58bc9bca67abae1e14ec446c069d2dc5bfc543
Instruction Fuzzy Hash: C6E15071E00219AFEB22CE9DCD90BEEBBB9BF44310F244529E911EB355E7749941CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0167A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 0167A44B
`, xrefs: 0167A551

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: bbeb9684ebe732bbf4e356c951da336f227b0ed088f8ed12b2439c90bd20e1b4
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 8AC1BD312043429BEB24CFA8CC45B6BBBE6AFC4718F084A2DF696CB290D775D545CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0162E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

UEFI, xrefs: 0162E751
Legacy, xrefs: 0162E75A

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: bcc5af9aea961727d12d647373ebe8c79d9950b07da9371ef381f9f0a88568cd
Instruction ID: 2377b5045c6a7bc94d3dbb2c03f575d4de3b73f4d8c9bdd2f61bf4c0aacb6496
Opcode Fuzzy Hash: bcc5af9aea961727d12d647373ebe8c79d9950b07da9371ef381f9f0a88568cd
Instruction Fuzzy Hash: 1D613B71E00A299FDB14DFA9CC80AAEBBB5FB44700F15407EE649EB291D776A901CF50

Uniqueness

Uniqueness Score: -1.00%

Function 016543D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

@, xrefs: 01654437
MUI, xrefs: 01654525

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: 70c890f80a444fc22e73b5ec742e3e79cf75ff0a4b64d1d64b90ca443464a5c0
Instruction ID: 9b9a5dd9fd491f8605965750b17887ec1b97d1fae68f117ab8bb4249a094c384
Opcode Fuzzy Hash: 70c890f80a444fc22e73b5ec742e3e79cf75ff0a4b64d1d64b90ca443464a5c0
Instruction Fuzzy Hash: B7512DB1D4021EAEDB11DFA5CC84AEEBBB8FB44754F104569EA11BB250EB309D45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 015B04E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 015B063D
kLsE, xrefs: 015B0540

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 1c6ca67274b5106ee4354ae5656ca6f00641d7c7c238024bbe8516a9d5a3a5b5
Instruction ID: d4b22eef7cf64188a3ee36611cf0c7490eef279ac4f64d36e667a021a23a82bf
Opcode Fuzzy Hash: 1c6ca67274b5106ee4354ae5656ca6f00641d7c7c238024bbe8516a9d5a3a5b5
Instruction Fuzzy Hash: 03518D715047428FD724EF68C5806EBBBF4BF84304F14483EE6AA8B681E770E545CB92

Uniqueness

Uniqueness Score: -1.00%

Function 015BA2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 015BA309
RtlpResUltimateFallbackInfo Enter, xrefs: 015BA2FB

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: b8e34631ed8f0e20e272b21cd5ac359df0d316513fed52ecb325a12a4ad6864f
Instruction ID: 7b3f83e596da90602d0ea2fb150b426a031d1f962aab05d9a70580e30e4ef414
Opcode Fuzzy Hash: b8e34631ed8f0e20e272b21cd5ac359df0d316513fed52ecb325a12a4ad6864f
Instruction Fuzzy Hash: 9D418930A0564ADBDB219F69C890BAE7BB4FF84704F2884A9E900DF395E7B5D900CB50

Uniqueness

Uniqueness Score: -1.00%

Function 015EA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Cleanup Group, xrefs: 015EA5E4
Threadpool!, xrefs: 015EA5E9

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 343bb90c7cf862df98fc171561a49631ec2326b294994b2b58f6a7b529d54e2c
Instruction ID: fe8ba23cdb40cd39b23802712379014ae173c5b242be31c3d9fe181bc2ee57dd
Opcode Fuzzy Hash: 343bb90c7cf862df98fc171561a49631ec2326b294994b2b58f6a7b529d54e2c
Instruction Fuzzy Hash: C501DCB2A54700AFD321DF24CE49B2677E8F785B25F058979E659CB190E374E804CB46

Uniqueness

Uniqueness Score: -1.00%

Function 015BC7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 015BC8C3, 015BCA40

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: a0febd0dc893c2d486bf4573c1bd8003da790bf4bae8870882c4ae4575898506
Instruction ID: 28bd9edd7ca504443ab83711afc8a992d1c0bd1782f9c49dc26fb5f30ae9b11d
Opcode Fuzzy Hash: a0febd0dc893c2d486bf4573c1bd8003da790bf4bae8870882c4ae4575898506
Instruction Fuzzy Hash: D7827975E002198FEB25CFA9C880BEDBBB1BF48314F14816AE919AF351D770AD81CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0165A118 Relevance: 1.8, Strings: 1, Instructions: 591COMMON

Download Yara Rule

Strings

@, xrefs: 0165A68B

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 5fd2abd83f0386f34bc07c06a64bbd7af045e35f3f026b901c871c92873fec72
Instruction ID: 4b76ddd8dc46d342b01b122f4e34dbca870d42a79dbfc601b3befad01cf62cf2
Opcode Fuzzy Hash: 5fd2abd83f0386f34bc07c06a64bbd7af045e35f3f026b901c871c92873fec72
Instruction Fuzzy Hash: 4C22C1742046618FEBA5CFADC894772BBF1AF44344F08865ADD868F386E735E452CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01636420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 016365C1

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 12da2f8515f72ce54dfb73e0ef59727bbfda68526a5286b992a46e67aac2c9f9
Instruction ID: 836f8d45af19fe814070217369564c581f24821263da08bff5daf4d2e39e8586
Opcode Fuzzy Hash: 12da2f8515f72ce54dfb73e0ef59727bbfda68526a5286b992a46e67aac2c9f9
Instruction Fuzzy Hash: EF9163B190021ABFDB21DF99CC85FAE7BB8FF95B50F154065F600AB291D774AA00CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0165E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 0165E1FA

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 2036f890c59ef6a33c88494a2bf2d4a76f5a675b5739e0f06de84aa6cda69760
Instruction ID: 46d4d741b1275a3f2b79161596139e2398316023940bb13c6c38ebfef9d63c34
Opcode Fuzzy Hash: 2036f890c59ef6a33c88494a2bf2d4a76f5a675b5739e0f06de84aa6cda69760
Instruction Fuzzy Hash: 8B91913290060AAFDF66AFA5DC44FAFBB79FF85780F104019F905AB251D7769A01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 015EA660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 016267C9

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 1c54ee62350524f6c5f8f778708127e5fff462589b8a444705e49ebb8f403944
Instruction ID: eb562bcb8d5ce633ad3c7d951cea8ece39ce6fba3be8e1b03d4395f55c5c7c85
Opcode Fuzzy Hash: 1c54ee62350524f6c5f8f778708127e5fff462589b8a444705e49ebb8f403944
Instruction Fuzzy Hash: 41715DB5E0162A8FDF28DF9CD9906ADBBB1BF48700F14812AE905AB341E7759941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 01654978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 01654A7F

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 789277f6e716186297971f86f969ef11e5c799de3d540fe639ce91ba0400db92
Instruction ID: 13c3b8086bb0e0710130db5ff36ff36db04561f2d2c06c982429e4aa13c25cad
Opcode Fuzzy Hash: 789277f6e716186297971f86f969ef11e5c799de3d540fe639ce91ba0400db92
Instruction Fuzzy Hash: F2519672D0022A9BDB94DFA9DC40AEEBBB4BF44614F0541A9ED11BB344EB349D41CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 015CE627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 015CE6A4

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 4db590b959332971eab73ecff6c59bbe235f708da448435c6933e2ddafc88d14
Instruction ID: 5ce4ab0b15c7c1a5b3c094f430bb3c446fb3c27eae569fb294e126c043f987b6
Opcode Fuzzy Hash: 4db590b959332971eab73ecff6c59bbe235f708da448435c6933e2ddafc88d14
Instruction Fuzzy Hash: 91416F725083429FD721DEA9C981B6FBBE8FF88A14F44092DBA84EF140E674D904C796

Uniqueness

Uniqueness Score: -1.00%

Function 0162C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 0162C77F

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 186b6e9a16f36537d1b1bcee6c0bee3d85a5c0a96d5d73af6c6affe461296f58
Instruction ID: 3dada0907f80a9ccb55f41cf6740d41015e21e651badbd3313c37e7cb16a99f7
Opcode Fuzzy Hash: 186b6e9a16f36537d1b1bcee6c0bee3d85a5c0a96d5d73af6c6affe461296f58
Instruction Fuzzy Hash: 054135F1D0052DAADB21DA50CC84FDEB77DAB44714F0185E9EB08AB140DB749E898FA8

Uniqueness

Uniqueness Score: -1.00%

Function 01646B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 01646B91

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 2ba1c09bc32c1c08183dd11c368d53f705dbc4a206b24bc533c57c83c34044a4
Instruction ID: 5714209eae1aa47b2cdfc030735f7645a73ae44a7e85632ac3c5cb1eeeb00abb
Opcode Fuzzy Hash: 2ba1c09bc32c1c08183dd11c368d53f705dbc4a206b24bc533c57c83c34044a4
Instruction Fuzzy Hash: 3831F431A007199BEB22DF69CC50BEE7BA8EF46704F544068E941AF282D775EC45CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0162CA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 0162CAA2

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: a43dd485acb5376edd62fe571dd4ec6ff35d03bd02b7e603a28fd8880d2ae62a
Instruction ID: 5d831812523f8c65f41709d16ac7b8b785ab0a4b70635c083ea3ee702af8c727
Opcode Fuzzy Hash: a43dd485acb5376edd62fe571dd4ec6ff35d03bd02b7e603a28fd8880d2ae62a
Instruction Fuzzy Hash: F531E37690092AAFEB15DA59CC55E6FBB74FF80760F014169E905AB250D7309E04DFE0

Uniqueness

Uniqueness Score: -1.00%

Function 0163892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0163895E

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: ba557ce8871b04f64dfb4b7d9d98e5733ce76fed6bc2c0e44768c044881fd4a5
Instruction ID: 6bea787475ebb6a47a4649f9862e585ce1e2a2c104a768cb2e10c4332a4cb7c3
Opcode Fuzzy Hash: ba557ce8871b04f64dfb4b7d9d98e5733ce76fed6bc2c0e44768c044881fd4a5
Instruction Fuzzy Hash: 4301F7312102029FE724AE5D9CC4ADA7B69FFC1354B44122CF64217691CB206C41CB96

Uniqueness

Uniqueness Score: -1.00%

Function 01652000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb954b65145d065c39f66f54d33b85ee913a60e97a69b78a75816141f56b0ac5
Instruction ID: dca3fa6d61d31dbd483626bf64429674865a152a8df32ec4d4f59f991a635c44
Opcode Fuzzy Hash: bb954b65145d065c39f66f54d33b85ee913a60e97a69b78a75816141f56b0ac5
Instruction Fuzzy Hash: 4142AE36608342DBD765CFA8CCA0A6BBBE5BB88740F09492DFE8297350D770D845CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01648158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fda69b1e51e8f6e38d1e998135ff081d28783b944046181ac71cd5d0a730b48
Instruction ID: cbf7c1fbf473750be9c974792c50f9bd85c8c4dc9258c8d33b282fa53b25c593
Opcode Fuzzy Hash: 6fda69b1e51e8f6e38d1e998135ff081d28783b944046181ac71cd5d0a730b48
Instruction Fuzzy Hash: C0424D75A102198FEB25CFA9CC41BADBBF9BF88300F158199E949EB342D7349985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 015C2840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52d5303709fee2f617e2f3b8af394897aca577ed8714cf66969af00478b7aa32
Instruction ID: b3798a40461b07ad2da3110ce44d4541579be8aae9be7afd5a7f6ee6f842e023
Opcode Fuzzy Hash: 52d5303709fee2f617e2f3b8af394897aca577ed8714cf66969af00478b7aa32
Instruction Fuzzy Hash: 4E329C78A006568FDB25CF69CC447BEBBF2BF84704F18851DD8469B389D7B5A842CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015B6A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 651bc588455896b14d4f5a7d93ce75253d6ebd1de54fbe6cdaad600349b33baf
Instruction ID: a1ee95dad0d5fb7c81343d851f7863aa260a9d437529ac6c7c3a4152f7f93d80
Opcode Fuzzy Hash: 651bc588455896b14d4f5a7d93ce75253d6ebd1de54fbe6cdaad600349b33baf
Instruction Fuzzy Hash: 8C327B71A05215CFDB25CF68C880BAEBBF1FF48310F188569EA56AB395DB74E841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 015D4A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: 6f06cbe83029b22a4e13ee80ccd316723d8ff0512a6d208517d6bd08e3130ba0
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: ADF15C70E0021A9BDB25DFADC980BAEBBF5BF48710F098529E905AB754E774D841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0164892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16f1730fed5ebc8a5dca582cd52830df288456993fe608bdcc887033a1cce476
Instruction ID: f62cf63b9b26fa16c8ed910cef37300064049d2414c01ee0d1d1f2abc150e3df
Opcode Fuzzy Hash: 16f1730fed5ebc8a5dca582cd52830df288456993fe608bdcc887033a1cce476
Instruction Fuzzy Hash: 8CD1C172A0060A9FDF15CFA9CC41AFEB7F9BF88304F188169D955A7241E735E9068B60

Uniqueness

Uniqueness Score: -1.00%

Function 015B65D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d55a9daf4f81103943272b2a3c1f4fbbb0e5a3231331049af4c00bc5cb24554
Instruction ID: cc983d73c33d512c3354f959f4b44a000bf1b43437bf5aba48d8b7d4eb510b18
Opcode Fuzzy Hash: 9d55a9daf4f81103943272b2a3c1f4fbbb0e5a3231331049af4c00bc5cb24554
Instruction Fuzzy Hash: CBE16E71608342CFC715CF28C5D0AAABBE1FF89314F15896DE9998B351EB31E905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 015A8397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58f26881e74ff63098af7f8b3111846ba053610a6e02cb286406b67dfe17a167
Instruction ID: 851832165fe2eb6be89bf81294352b34d7e11fa3e5dd1a5daa802811250f970e
Opcode Fuzzy Hash: 58f26881e74ff63098af7f8b3111846ba053610a6e02cb286406b67dfe17a167
Instruction Fuzzy Hash: 08D1CF75A406179BDB19DF68CC80ABF7BF5BF94205F48862DE9169F280EB30E950CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01638243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 79192c505c147ea3638cdb04ef0b4f47e18fa71008a3b4572ec7964a6764ac56
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 3FB15E74A00605AFDF24DB99CD40AEBBBBABFC4304F10856DBA5297791DB34E905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 015C0535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 87282a10d9323ce85b4c4e64dc40f363481970a0e0e100c63dae302b769e8610
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 3AB1F135604646EFDB25CFA8C850BBEBBF6BF84700F184599E6529B385DB30E941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015B83C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddcf792a8aa9186c137a905fa9914e637230def07506372d6ab4e70e423cadc7
Instruction ID: f7552c05496cef986bf9d89f979eb3bc12dea7be345e1e1b6ec6b0eebc5dcb8a
Opcode Fuzzy Hash: ddcf792a8aa9186c137a905fa9914e637230def07506372d6ab4e70e423cadc7
Instruction Fuzzy Hash: 44C158745083418FD764DF29C884BAAB7E9BF88304F44495DEA898B391E774E908CF92

Uniqueness

Uniqueness Score: -1.00%

Function 015AC427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ca3802ec2d6381aaf97fc6942b8c2fbdf2ad0edac35762cb42b10ced7d794b
Instruction ID: a483b0532c4f42f3f57e15907dd889a79e334f4cb5af1f0f11ea72048d0efd57
Opcode Fuzzy Hash: 17ca3802ec2d6381aaf97fc6942b8c2fbdf2ad0edac35762cb42b10ced7d794b
Instruction Fuzzy Hash: 8BB17270A402568BDB65DF58C890BADB7F5FF48740F4485E9E54AAB281EB30DD85CB20

Uniqueness

Uniqueness Score: -1.00%

Function 015DE5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5c7d338169a516812a5f34b42bb6e0f1e89e6e01bb97fc05138efb3975d1452
Instruction ID: 8cff2803c402d9a3505db11a21679615ce461245b9128b11d85d3211b5d79fbc
Opcode Fuzzy Hash: c5c7d338169a516812a5f34b42bb6e0f1e89e6e01bb97fc05138efb3975d1452
Instruction Fuzzy Hash: E6A11231E0065A9FEB32DB9CCC45BAEBBB4FB00754F0901A5EA11AF295D774AD44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015F0185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a3b4d23220a18ef99e52e07cb4dc8c4e756043639c4f8aa365eb1e056bc838
Instruction ID: 25961a4d7d0cf565414b5b9ca1ad4200dd3a4609a822b722da6084703d52fecf
Opcode Fuzzy Hash: a6a3b4d23220a18ef99e52e07cb4dc8c4e756043639c4f8aa365eb1e056bc838
Instruction Fuzzy Hash: 32A1B570B006269BEB25DF69C9947AA77E6FF44314F18402DEB059B2D2DB34E811CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01684500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ac60b6f6f23dd4a947c92fd147083233a1e7b8819ad888fb5642d1ef771aaf
Instruction ID: c0a30b2e9dbf0a258fe896436177394999dc6ec1537bd1175c7b8ae11cd6145f
Opcode Fuzzy Hash: b6ac60b6f6f23dd4a947c92fd147083233a1e7b8819ad888fb5642d1ef771aaf
Instruction Fuzzy Hash: 4FA1CCB2A102139FC711EF58CD80B6ABBE9FF98704F46462CE5869B750DB74E801CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01682B57 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction ID: 2e441bbeb28289d6ebac5a54ac94c32ead89de4d8ec8152eff1ff3e70749e302
Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction Fuzzy Hash: A3B13A71E0061ADFDF25DFA9C890AADBBB5FF88310F14826DE914AB350D730A941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 016360E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ece5d1b30341b4dbe135a13b22857d49ad35f5bfd27fdf0116710bc7e24a280d
Instruction ID: a3bab5cd38425fbbc1cbdf08f260bd8fe00520a51aefd5bf8bc74c94a4cd5bcf
Opcode Fuzzy Hash: ece5d1b30341b4dbe135a13b22857d49ad35f5bfd27fdf0116710bc7e24a280d
Instruction Fuzzy Hash: AF917071E00216BFDB15CFA8DC94BAEBFB5AF88710F154169E610EB341D734EA019BA4

Uniqueness

Uniqueness Score: -1.00%

Function 015CE3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f212d624ffbcb1e956248f5d1f78edbc4fa4bce06533b6ff657f3ade708c57c
Instruction ID: 42f63e33cc145db130866646d0a6162e2c605cdc46a84d5836599dd8d5849ede
Opcode Fuzzy Hash: 3f212d624ffbcb1e956248f5d1f78edbc4fa4bce06533b6ff657f3ade708c57c
Instruction Fuzzy Hash: 4591E331A006168FEB249F99C895B7EBBA2FB94B14F09446DED059F384E734DD01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01606ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ace560f13c1ae15c3cc52ee2ad6e1e3b490f644ac6bfbd89f161e62db2268f7
Instruction ID: ac98ddaf5436fe94ecc65ebfd10c3c772b0f29e7ee76c568f7fc705c2663f5f5
Opcode Fuzzy Hash: 7ace560f13c1ae15c3cc52ee2ad6e1e3b490f644ac6bfbd89f161e62db2268f7
Instruction Fuzzy Hash: 838194B1A006169FDB29CF69C840ABFBBF9FB48700F04852EE555E7680E334D951CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0167AB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: bdd2eab030039fabfad7733bed12dbe358a92c812c0017305c29849a88f5a46e
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: 31816E72A0020A9FDF19CF99CC90AAEBBB6FF84310F18856DD9169B385D734E901CB54

Uniqueness

Uniqueness Score: -1.00%

Function 015EE284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ab5677e021be005613080fcecd940e78ec6ed706113f7e943d68c6cd6e62c65
Instruction ID: 353ca8d7c31074e40c8f7320cb4a97bc2187746e650bdbcf315fca48debde9e2
Opcode Fuzzy Hash: 7ab5677e021be005613080fcecd940e78ec6ed706113f7e943d68c6cd6e62c65
Instruction Fuzzy Hash: 2D817F71E00619AFDB25CFA9C885AEEBBFAFF88354F10442DE555AB250D730AC45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 015CC640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a5411c78b7e48868d64df5b077ef7d53a689ba44e2f613e00c45fe7148d7421
Instruction ID: ab0b119934848d566ade13100ebee6b970772c6be582af64cfb47e183ea45664
Opcode Fuzzy Hash: 6a5411c78b7e48868d64df5b077ef7d53a689ba44e2f613e00c45fe7148d7421
Instruction Fuzzy Hash: 3E71AC75D002299FCB258F99C9907BEBBF4FF48B10F58455EE946AB354D770A800CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 016647A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 93c8f300c74570a09cbbe90744377dfedfbf0af5c6f69a2b803a01bc4319476f
Instruction ID: eb4856023166412dd866e639b4f4385fc584221ac6c53314e208202e2aedbe89
Opcode Fuzzy Hash: 93c8f300c74570a09cbbe90744377dfedfbf0af5c6f69a2b803a01bc4319476f
Instruction Fuzzy Hash: 00719071900205EFDB24DFA9DD40A9EBBF9FF90340F48915AEA11AB299CB31E940CF54

Uniqueness

Uniqueness Score: -1.00%

Function 015C260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4094a59a025e76fbea20f4f34c0c2d164dff9a11dc26bc7a1ba6ce2eb832bc7
Instruction ID: c80ade2bbb5becaa457622f2c0dc272bd8c91101a02e90c0473722d415769e5c
Opcode Fuzzy Hash: b4094a59a025e76fbea20f4f34c0c2d164dff9a11dc26bc7a1ba6ce2eb832bc7
Instruction Fuzzy Hash: E871AE356046428FD311DF6CC880B6AB7E5FF84714F0885AAE8998F356DB74D885CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0163035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 52d7556ac1ea1c3a9a235744a24c35108ec09338b8a527d9e572202e3d88a4e2
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: D1718071A0060AEFDB10DFA9C984EDEBBB9FF88710F104569E505EB290DB30EA05CB54

Uniqueness

Uniqueness Score: -1.00%

Function 016462A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e99a92d0eda6a0912cff74664d1cc365664fb757d774de0bcefc1d3092d0ec70
Instruction ID: e640f3619f5c573a3df0d45a8e234c971e341ca42efd840dae4c3bbb3aa01bf6
Opcode Fuzzy Hash: e99a92d0eda6a0912cff74664d1cc365664fb757d774de0bcefc1d3092d0ec70
Instruction Fuzzy Hash: DE71F172200702AFEB32DF58CC44F6ABBA6FF85720F14842CE6568B2A0D775E944CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01688324 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77d9e342ad51b39cdfe93b9e92b15805b79055289d35a1344dc5cbb8daa0cf16
Instruction ID: 300a5b3f0bd941e550c0bbf5b33b40bdf2471a6ecda847b0e3ee4940bd597584
Opcode Fuzzy Hash: 77d9e342ad51b39cdfe93b9e92b15805b79055289d35a1344dc5cbb8daa0cf16
Instruction Fuzzy Hash: 7D711BB1E0020AAFDB15DF94CC41FEEBBB9FB44350F504269E611AB290D774AA05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0166A250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40837e56821ad852212197e9815f8632e6c343b86fd5f444d5621fd42b453966
Instruction ID: 69b3c2638025672a6ff7ad9f7d5e8dad0fc34609171b512e4c4797fa9accbe86
Opcode Fuzzy Hash: 40837e56821ad852212197e9815f8632e6c343b86fd5f444d5621fd42b453966
Instruction Fuzzy Hash: 65517C72505612AFD711DEA8CC84B6BBBECEBC5750F01496DFA40EB250D770ED058BA2

Uniqueness

Uniqueness Score: -1.00%

Function 01658350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caf1cf0690193afac657e24ef8ba86b92c83d0fbb430ef322e5466e3b106335c
Instruction ID: 0908dd82ff6f3172ae4f738c6a5611e7b1a3fdc4e1645f854fe3affe21b299c1
Opcode Fuzzy Hash: caf1cf0690193afac657e24ef8ba86b92c83d0fbb430ef322e5466e3b106335c
Instruction Fuzzy Hash: 6A51BE70901705DFD761CF9AC880A6BFBFDBF94710F10461EEA9297AA1C770A945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 015EE443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 50b28aa631983d34e910ada131a2ab2629af6c9d1d87f75179d2874f4338deda
Instruction ID: 37c3849e2c0067d9a9359b826cbe6fc3c66bcde6b5173172294f566c00b185ee
Opcode Fuzzy Hash: 50b28aa631983d34e910ada131a2ab2629af6c9d1d87f75179d2874f4338deda
Instruction Fuzzy Hash: CD518C71610A16DFCB26EFA9C984EAAB7F9FF94744F40482EE5418B260E734ED40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01654180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71ce5f76a0c1998c102b7269f5b6bec6a37f72eab96cf537e3fab9a354d35e82
Instruction ID: 4e635ca5c7befb9b7a9e3f0c7a0c28d3f0fbb08f7804a7c323652a767b20e77c
Opcode Fuzzy Hash: 71ce5f76a0c1998c102b7269f5b6bec6a37f72eab96cf537e3fab9a354d35e82
Instruction Fuzzy Hash: AF518A716083028FD794DF2AC880A6BBBE5BFC8244F44496DF989C7361EB30D945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 015D45B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 66e029cad4936b5e343d8f02086cab701f0651260184327241f0a9701efbd608
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 9F519C71E0021AABDF25DF98C880BEEBBB5BF44750F154069EA05AF340E734D945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0163E9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: 61c1c7fe3f6d915df03b26469341d507146ce6875b5fe70cd8a283c837706944
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: 9251B871D0020AEFEF169E94CD80BAEBB75AB80314F154659DA13A72D0D7329E41CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 01678B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4376d528b365a2a5ca4a30f0ffa33bd18877f7c21b81bbaa3c3430dc7bc96e6d
Instruction ID: 6e04f4946af08ed8f0ebdd7fbf47aa5a1f1a6bb2949b8fe5408465e9eef5f14f
Opcode Fuzzy Hash: 4376d528b365a2a5ca4a30f0ffa33bd18877f7c21b81bbaa3c3430dc7bc96e6d
Instruction Fuzzy Hash: E441D5717016119BEB29DB2DCC98F7BBB9EEF90660F088219E95587381DB34DC41C791

Uniqueness

Uniqueness Score: -1.00%

Function 0163CBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15cedae3bbaecba96e3dfc9470f7ff2742a5bf13dfeaf5780d145abfb2559e81
Instruction ID: 78d1366a04d302ea48f342ceeb471830b64b7baba0cf665d0d01eb3c1ceda98b
Opcode Fuzzy Hash: 15cedae3bbaecba96e3dfc9470f7ff2742a5bf13dfeaf5780d145abfb2559e81
Instruction Fuzzy Hash: 0351887290022ADFCB20DFA9CD949AEBBB9FB88314B55551AE506B7300DB74A901CF90

Uniqueness

Uniqueness Score: -1.00%

Function 015EA430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61079b0c29409fd78b67ea23a31cccb46ad9c9081fd79994d1e302b68b13ba3
Instruction ID: dc262e0f2e7e548758a6ddc0a184f78d5b6511cd87f7e57e8e27326562092dff
Opcode Fuzzy Hash: c61079b0c29409fd78b67ea23a31cccb46ad9c9081fd79994d1e302b68b13ba3
Instruction Fuzzy Hash: A1410271A402129BDB2DEF78DC84B6E77A5FB94708F41542DEE029F241DBB1A8108FA1

Uniqueness

Uniqueness Score: -1.00%

Function 0167A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: 7bd14f297f928e7fddccdfa7d20e887171ad32ffdb40309e93651ad2ee3be54c
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: 4941E6726017169FD725DFA8CD80A6EB7A9FF80210B09862EED528B340EB30ED15C794

Uniqueness

Uniqueness Score: -1.00%

Function 015E01F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd0c6ef98db62037718b5d8e03d10bb5e59d5841ad46a943b382259339db2e1
Instruction ID: 7dd07893338d402390c68fae4ec761a91da16e6ddcd804a0a15730aedf15e1d3
Opcode Fuzzy Hash: 1fd0c6ef98db62037718b5d8e03d10bb5e59d5841ad46a943b382259339db2e1
Instruction Fuzzy Hash: 0141AD36E0121A9BDB19DF98C444AEEB7F4BF88710F14815AF815EB280D7B49C42CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 015DEBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 019c5b9609ac9c401709cf7b8f2360d5fc79cb8e4d072b05a374956c7c45219b
Instruction ID: 5d19e560a79c51259d59b47573c2fb08d925cfa9515c167c3a789e05e884dbd3
Opcode Fuzzy Hash: 019c5b9609ac9c401709cf7b8f2360d5fc79cb8e4d072b05a374956c7c45219b
Instruction Fuzzy Hash: 3D41A0726043029FD720EF6CCC85A2BB7E5FB88214F44486DE556CF725DB71E8498B51

Uniqueness

Uniqueness Score: -1.00%

Function 015F2750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 8a08d5200ccbb56a27d9b1368f33167fbe7c9683adfb93d9b17da3c8d46107eb
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 68513875A01A258FCB15CF98C880AADF7B2FF84710F2481A9D915EB751D770EE42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015B6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d24a198c4edf7cc677900a71b2237a487d19da2f2f0b6ef126beb640b7adfb2
Instruction ID: 58ab4a6e75e11ea1d8483bfcac1cbbff5033307f02d6f3976d8dd4250f975c97
Opcode Fuzzy Hash: 4d24a198c4edf7cc677900a71b2237a487d19da2f2f0b6ef126beb640b7adfb2
Instruction Fuzzy Hash: 2651D4709002579FEB258B68CC40BEDBBB5FF55314F1882A9E5299F2D1DB74A981CF80

Uniqueness

Uniqueness Score: -1.00%

Function 015B0BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ee4e3ae2ff4e93adee5b31ed7c5ffeb3afa45ac9f1ed9ac259db2116e616f2
Instruction ID: 2780b6e7f86cf3fd78026778578988b8fd8d660cb8e3d071542d4868c5aebce5
Opcode Fuzzy Hash: d8ee4e3ae2ff4e93adee5b31ed7c5ffeb3afa45ac9f1ed9ac259db2116e616f2
Instruction Fuzzy Hash: AD416136A402299EDB21DF68CD80BEEB7B4FF85750F0504A9E908AF281D7749E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0167866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 01454b5bcb97e5f340cf1fa9762a8a2ea2682d2f827018da44b2b469e65e93d0
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 1F41B475B10216ABEB15DF99CC88ABFBBBEAF88600F144069E905E7341DB70DD01C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 015B0887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff4783b3a8d92e95f4a573398bd180a065aa80aead54a58df74456112762917
Instruction ID: 257ca9602982e7e6ab4b58e759fe724c5896dfd20dd1e9f2cbae3d44a86beb72
Opcode Fuzzy Hash: dff4783b3a8d92e95f4a573398bd180a065aa80aead54a58df74456112762917
Instruction Fuzzy Hash: FD41B0B06007029FE725CF68C8C0A67B7F9FF89314B148A6DF5568BA90E731E845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015DA470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfbe26892b1b690c92b291cd9db661bc66ae7d617c641b1d96c300a9b160f07a
Instruction ID: d708e144defd4cf6223432b4d3cff04ca17867a45a121a8ff620cd9bccef5bc1
Opcode Fuzzy Hash: cfbe26892b1b690c92b291cd9db661bc66ae7d617c641b1d96c300a9b160f07a
Instruction Fuzzy Hash: 8841CD32940205CFDF22DF6CDD847AE7BB4BB98350F981599D412AB295DB75E900CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 015B8BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc34f15a4c96631ba8a6cd6c2f0c5055261e735284a93642f2af33aea336c9d9
Instruction ID: 753a81d7ae7ed5756412cbb25a7df3be57a40016773bee6a779ccd77e47115a7
Opcode Fuzzy Hash: cc34f15a4c96631ba8a6cd6c2f0c5055261e735284a93642f2af33aea336c9d9
Instruction Fuzzy Hash: 1C41D071A00202CFD7249F5CCC80B9ABBB9FBD4714F68A12ED5119F255DBB5A942CF90

Uniqueness

Uniqueness Score: -1.00%

Function 015A8918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e6053cd21be18fea6026db616f2e77ef90f0a8b5c3eff08991fcc87ccda6bc6
Instruction ID: cb090560d38c6c44e185786e3e5aedc77c44674f3ec6683fd9e83a63592316ea
Opcode Fuzzy Hash: 5e6053cd21be18fea6026db616f2e77ef90f0a8b5c3eff08991fcc87ccda6bc6
Instruction Fuzzy Hash: C0414A755583069ED312DF69C840A6FF7E9BF84B54F80092AF984DB250E730DE058BA3

Uniqueness

Uniqueness Score: -1.00%

Function 015AA020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 0cd06777d3282ae9741efe8dadb098782d3d4f637407a9df090766a9bfe3d1ce
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 52411B35A80212DBEB16DE5D8840BBFBBA1FB90754F55C06EE9459F380D7329D40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015B09AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 666888bbcba28b0e8233a4cc098fee7342deded861b414e60c83c19a2639980e
Instruction ID: a7342db5654e68696a820b65e4bbe86ed5054ed5a755947d9358dd5cc6730190
Opcode Fuzzy Hash: 666888bbcba28b0e8233a4cc098fee7342deded861b414e60c83c19a2639980e
Instruction Fuzzy Hash: 6F416A71600602EFD725CF58C880B6BBBF4FF94714F248A6AE4498F291E771E9428B90

Uniqueness

Uniqueness Score: -1.00%

Function 015E0710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 90cfe3194d0c7799ee338edb6fcd1258b65af3eefbafd3ee7cede4905cc91191
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 66413871A04605EFDB28CF98C994AAABBF5FF18700B10496DE596DB291D370EA44CF90

Uniqueness

Uniqueness Score: -1.00%

Function 015B262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 079a91f134d5b2da200cae00bd35903fb6d6411ece813c343067161df21ae6cd
Instruction ID: e109735fe212d31f21c6a22632cf000c4453fdbf644036c8a1e43dd73f27bd6c
Opcode Fuzzy Hash: 079a91f134d5b2da200cae00bd35903fb6d6411ece813c343067161df21ae6cd
Instruction Fuzzy Hash: FD419D70901705DFC726EF28C980AAAB7B6FF94310F1585ADC5169F2A1DB30A941CF61

Uniqueness

Uniqueness Score: -1.00%

Function 015EC8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a38fc57506185f86795ff9718c6c87b85b170b45b02a7dfefec7c4cc75b988
Instruction ID: dc392e238084289882c1d183285458ba45ed581252cd9af4717b9df97da76102
Opcode Fuzzy Hash: 20a38fc57506185f86795ff9718c6c87b85b170b45b02a7dfefec7c4cc75b988
Instruction Fuzzy Hash: 983166B1A01656DFDB16CFA8D840799BBF0FB48714F2085AED109EB291D336E902CF90

Uniqueness

Uniqueness Score: -1.00%

Function 016307C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a94360181c0e0f38082a4c23d4438c144004617bc7bf9d309ced1ab21c22ba6
Instruction ID: 7998d1a192bfafaec39acb7bebc7a312276cc8a8744615ba12ba3ea35c5c6541
Opcode Fuzzy Hash: 4a94360181c0e0f38082a4c23d4438c144004617bc7bf9d309ced1ab21c22ba6
Instruction Fuzzy Hash: CC417C72504311ABD720DF29CC45B9BBBE8FFC8664F004A2EF598DB291D7709905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 015A80A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c97e68c3c0c6264f3c8306f38ae8f88f5f799e6fb2f8e190a9dcfc845232fd
Instruction ID: 7226d133f8fb65e70e35a2ad9551e97fc4b2e05776dca9d7f32284cc3667d7e9
Opcode Fuzzy Hash: 25c97e68c3c0c6264f3c8306f38ae8f88f5f799e6fb2f8e190a9dcfc845232fd
Instruction Fuzzy Hash: CC41F271A45616AFCB01DF18CC80AADBBB1FF84761F548629D816AF280DB34FD418BD0

Uniqueness

Uniqueness Score: -1.00%

Function 016305A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab6ff0b2eec30e572eff29c2125a01308b5a72e0b8cb881ae015600dde5511e0
Instruction ID: 04467d8d13ae87f0406b828ee00fac21a82eefcc8a8d09bcfb9338d535fc77a9
Opcode Fuzzy Hash: ab6ff0b2eec30e572eff29c2125a01308b5a72e0b8cb881ae015600dde5511e0
Instruction Fuzzy Hash: BA41A0726046569FD320DF6CCC40A6AB7E9BFC9700F144A2DF9949B680E730E919C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 015B4859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c066d1e65d10cbd1f01f270d395fd8ef93c60a4bae83a85644af13fbd25cf4
Instruction ID: da113f590dd752c3210f637f70c4194e790c269e2047ce9a68abe109308ab362
Opcode Fuzzy Hash: b5c066d1e65d10cbd1f01f270d395fd8ef93c60a4bae83a85644af13fbd25cf4
Instruction Fuzzy Hash: 9E41AF302003069BDB35DF28D8C4BAABBE9FF81754F14442DEA568F292DB70D951CB91

Uniqueness

Uniqueness Score: -1.00%

Function 015A8B50 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83484545b1f9f2cb92e2c05681b0b5a1c762767ef26d49ee5aba0c2f81de6262
Instruction ID: 3becda1041fe41e8f8df3a1bdf220b3ff8b7140f0ad54f11e07a41d73f2a5f23
Opcode Fuzzy Hash: 83484545b1f9f2cb92e2c05681b0b5a1c762767ef26d49ee5aba0c2f81de6262
Instruction Fuzzy Hash: 4B41AD71E4160ACFCB15CF69C98099DBBF1FF88321B54862ED466AF2A0DB34A901CF40

Uniqueness

Uniqueness Score: -1.00%

Function 015C02E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 5303ff478e349338f08dc4ea51e40aa27bbf993fa9beeb90ff740c452dee0ec2
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: D331F335A04245AFDB118FA8CC84BEABBE9BF54B50F0845A9F415DB392D7749844CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0165E3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51e55c5b7640884cc7b6ab25c6d601468f0fa547a46d0354bcbfa6ad6f92bc4f
Instruction ID: 27a5ea79784013780cf5b1b7a6f7b5c0046c50e4688ff0fb460a61dcdbc9e572
Opcode Fuzzy Hash: 51e55c5b7640884cc7b6ab25c6d601468f0fa547a46d0354bcbfa6ad6f92bc4f
Instruction Fuzzy Hash: 33319875751707ABDB229FA58C41F6FBAB8BB98B50F010068FA00AF291DAA5DD058790

Uniqueness

Uniqueness Score: -1.00%

Function 01664B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c1199628c2fa8a6fe1f7d8c9399c61f917b4c0df34dd4cedb9094d6b696f576
Instruction ID: b0559f292d55a96e90117f5763fe3b3b77983f3d2468cbb203a71cd0e6e86b4b
Opcode Fuzzy Hash: 7c1199628c2fa8a6fe1f7d8c9399c61f917b4c0df34dd4cedb9094d6b696f576
Instruction Fuzzy Hash: 9F31C1322052019FC321EF2DDC80E26BBE9FF81360F49446DE9958B755DB30A851CF91

Uniqueness

Uniqueness Score: -1.00%

Function 015B4260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e1fd66be4541e6c496c1ba7ebe879cb0062487cf8080c111229750474f0085f
Instruction ID: 12e60d1403d4bd77346d8cbf1a361ebb488689542fe472bcd243ae7734749bbc
Opcode Fuzzy Hash: 9e1fd66be4541e6c496c1ba7ebe879cb0062487cf8080c111229750474f0085f
Instruction Fuzzy Hash: 2C41AD31200B46DFDB22DF68C880BDA7BE5BF55714F18882DE69A8B251D774E880CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01664BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1604b289f4edeb824f45c384d541f04be85df444c74cb8ad710c3c9d5e6eb029
Instruction ID: 64f16c4b9312c1ef93b8759f04246b932f767305bfc07769a9467151d260c4ae
Opcode Fuzzy Hash: 1604b289f4edeb824f45c384d541f04be85df444c74cb8ad710c3c9d5e6eb029
Instruction Fuzzy Hash: CE318D716042019FD320EF29CC80A2ABBE9FB84760F09456DF9559B799EB30EC15CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0162EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6d183c65fdcc8914e6618d9488468ad8a2564188e700fc5ddb07c115da84881
Instruction ID: 678d378d37b0f10af17cfe5c816bd1e7b6e11982b1cb4c12e756c92235e9426b
Opcode Fuzzy Hash: a6d183c65fdcc8914e6618d9488468ad8a2564188e700fc5ddb07c115da84881
Instruction Fuzzy Hash: D631D631701AA69BF3225B9CCE48B557BD8BB44B80F1D00B4EE459B7D1DB69DC41CA30

Uniqueness

Uniqueness Score: -1.00%

Function 016761C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4414adf5cb1d65fbd4c83825013754a9eb48c87fb1d5f4b79496f7cb4d7334da
Instruction ID: a22e58777b0e29dd6020bb651629a860738bd8df1efff567ef3c2abd74c9e4bd
Opcode Fuzzy Hash: 4414adf5cb1d65fbd4c83825013754a9eb48c87fb1d5f4b79496f7cb4d7334da
Instruction Fuzzy Hash: 4031C175A0061AEFEB15DF98CC40BAEB7B9FB44B40F458168E910EB244D770ED41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0165483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50794cb56975074f4131dcc36b9f778ddea3676953b99d93b500cfb752d0924e
Instruction ID: 615716c19eaf164953d46bcce46d2379e1ac05d06a4fef4948e98ae45dad312e
Opcode Fuzzy Hash: 50794cb56975074f4131dcc36b9f778ddea3676953b99d93b500cfb752d0924e
Instruction Fuzzy Hash: 49315076A4012DABCF61DF54DC85BDEBBBABB98350F1000E5E908A7250DB30DE918F90

Uniqueness

Uniqueness Score: -1.00%

Function 015DEB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e725c1a31e072f6f16c5ecd9aae3c94bcabb6a7d94ef8450670645b9d2aa374
Instruction ID: d57786e16dd7768e4ed23b1826dba44adb5de6a833681f3cf7505902068162dc
Opcode Fuzzy Hash: 5e725c1a31e072f6f16c5ecd9aae3c94bcabb6a7d94ef8450670645b9d2aa374
Instruction Fuzzy Hash: 48318472E00219AFEB31DFADCC41AAEBBF9FF44750F118565E515EF250D670AA008BA0

Uniqueness

Uniqueness Score: -1.00%

Function 016760B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ecc0a49c5cd9b33f1ed7a09e6a01d749c5d4ed113bd4e7a1272f5d4a758e04b
Instruction ID: d7f796abb0ff2cedb48056200d32f22d440d4e8a57942c8cf51d232dea0f4c04
Opcode Fuzzy Hash: 1ecc0a49c5cd9b33f1ed7a09e6a01d749c5d4ed113bd4e7a1272f5d4a758e04b
Instruction Fuzzy Hash: 7331A271A00A06EFEB129FADDC50B6AB7B9BF44755F04406DE506DB352DA70ED018B90

Uniqueness

Uniqueness Score: -1.00%

Function 015B07AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a9495d9fd544603abeced57dc1466ac9244519312eb970b97c2c248b787bc1b
Instruction ID: 55995e0eadd3ba0796bc115d1691485927d7d4daa2a18fcd5cc1a3e9815bb1b1
Opcode Fuzzy Hash: 9a9495d9fd544603abeced57dc1466ac9244519312eb970b97c2c248b787bc1b
Instruction Fuzzy Hash: 3131BF72A04616DBC712DE2888D0AAFBBF5BFD4650F014929FD56AF290DB30DD0187E1

Uniqueness

Uniqueness Score: -1.00%

Function 015B8550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09e3e35845253dfdb61ecd61631f0a42383cc3c0e64db1203d41d3516e01a3c6
Instruction ID: ff31eb37f5c78dfd665b01ba8282b4438fda86e88176cae999ac85350d56560c
Opcode Fuzzy Hash: 09e3e35845253dfdb61ecd61631f0a42383cc3c0e64db1203d41d3516e01a3c6
Instruction Fuzzy Hash: 53318FB16093019FE720CF19CC80B6ABBE9FB98700F194A6DF9849B395D770E944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 015EA6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: db79636736426a1ba09fe42716ff92c9368358c957b981f29993de67f56ef1ca
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: B43128B2B00B11AFD765CF79CE44B57BBF8BB48A50F04092DA99AC7650E730E9008B60

Uniqueness

Uniqueness Score: -1.00%

Function 0165EBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 366850ea8cf19fcb401ef712e791db86266367f0967fa1404cf52271fdcdedda
Instruction ID: 38959269f3bc00db0b027b86c4e8bb4ac2bcf03c0b4ea12b7b9277f01a1bb573
Opcode Fuzzy Hash: 366850ea8cf19fcb401ef712e791db86266367f0967fa1404cf52271fdcdedda
Instruction Fuzzy Hash: F13166716053428FCB11DF19C94086AFBF1FB89614F4449AEE8A89B351D732EE45CF92

Uniqueness

Uniqueness Score: -1.00%

Function 015D438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d59849a46ca9b431f4effc9d3ef0402ad2f9f4f2c1aa4505b1c65bbd06cffa5f
Instruction ID: 3c552dfa8ba77738eaf7682e83caa144e7be86f130f84685a8672772073b7362
Opcode Fuzzy Hash: d59849a46ca9b431f4effc9d3ef0402ad2f9f4f2c1aa4505b1c65bbd06cffa5f
Instruction Fuzzy Hash: A631C271B002469FDB20EFACCD81A6EBBF9BB94704F048529D515DBA54D730E981CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 015ACB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: efd08e5cf2040e97ecb595cf11c90302e5009e3b10c3044fc0c536b0b35d71e7
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: B0210432E4025BAADB159BF9C810BEFBBB5BF54780F0584759E15EB380E370C90087A0

Uniqueness

Uniqueness Score: -1.00%

Function 015AC156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8118545c61b84eb8bfed1cc7f7d872be45b41b5352a5896d0fff66da97dc980
Instruction ID: 1fa0fc69b62d78a80a7bec6a45ac59dee985557224d6dea7c30960039c21ca67
Opcode Fuzzy Hash: c8118545c61b84eb8bfed1cc7f7d872be45b41b5352a5896d0fff66da97dc980
Instruction Fuzzy Hash: 223149715003118BDB26AF98CC40BBA77B4BF91314F9486ADD9459F3C2DB749986CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0166C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 634c4d36956ae1d1a50c4a1afb0c82459c708186476ae7e81a982650e310925b
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: C4212B76600A57AACB15EB958C00ABEBBB9FF80750F40801EFAE58B691E734D950C360

Uniqueness

Uniqueness Score: -1.00%

Function 015AE420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef5391f0b06af148c9083b7b78f9d483031d4ecd88d9ceea1d09668a594e37d5
Instruction ID: 8060d92aff3517c9226362e28f30f2ab1b45e43b4aa5078933776f5a1a2a4fff
Opcode Fuzzy Hash: ef5391f0b06af148c9083b7b78f9d483031d4ecd88d9ceea1d09668a594e37d5
Instruction Fuzzy Hash: E931D431A8052D9BDB31DF18DC42FEE77B9FB55740F4104A5E645AF290E674AE808FA0

Uniqueness

Uniqueness Score: -1.00%

Function 015E4588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: ba0b97ee34f6568cd6498f8467384b3dc176c1cf72afb96df7de0a7d15a18925
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: 5E219135A00649EFCB19CF98C984A8EBBF9FF48714F108469EE55DF241D674EA058F90

Uniqueness

Uniqueness Score: -1.00%

Function 015E44B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8374b308efdb5e8bee041d01ab15798067244c48baf9ba97c5edf20e77aca597
Instruction ID: ba52660148741e71472cfa30c28bf873932eed23b074a2dc1f1f2d7230ec8072
Opcode Fuzzy Hash: 8374b308efdb5e8bee041d01ab15798067244c48baf9ba97c5edf20e77aca597
Instruction Fuzzy Hash: 2C21AE72A047469BCB26CF58C884B6B77E4FB88760F01492AF9549F641D734E900CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 015AE388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 0cda3f3fef7a69e272c059f5a370b911dea0662e1b323daa797cf0a2b67ec10b
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 65317A31640605EFD726CFA8C985F6AB7F9FF85354F1049A9E5528B290E770EE01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0162E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea81b06795dbafca327de00edf2b5cd88de5e7a340157d52c9503384a75add0a
Instruction ID: b95507eee544cad4acdbeb936ce7da4052e5e634948cd690efe1577863568c4a
Opcode Fuzzy Hash: ea81b06795dbafca327de00edf2b5cd88de5e7a340157d52c9503384a75add0a
Instruction Fuzzy Hash: 18317C75A00626DFCB24CF1CCC849AEB7B6FF84304B194469E8099B391E772EA51CF90

Uniqueness

Uniqueness Score: -1.00%

Function 016306F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc5605fbbb3de2ef48d3ce0f8065fc260cf254849807902834b487bac432b34f
Instruction ID: 52a47dff80545aa699aa72e4b39d2b97ac3b4dfd107fc654ab77d142c329f6f5
Opcode Fuzzy Hash: bc5605fbbb3de2ef48d3ce0f8065fc260cf254849807902834b487bac432b34f
Instruction Fuzzy Hash: FF21807190052A9BCF11DF59CC81ABEB7F4FF88740B510069F541AB240D778AD52CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0163019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833ae3800941b46eb834bd97488fa8026b367e238f7b47605a549c68dd5f2b8a
Instruction ID: 338c7344e688f23211b64c3e839ca5061deeb46835ec7c14ea39e3662683ee5f
Opcode Fuzzy Hash: 833ae3800941b46eb834bd97488fa8026b367e238f7b47605a549c68dd5f2b8a
Instruction Fuzzy Hash: F4218B71600646AFD715DFACCD40A6AB7A8FF88740F144069F904DB791D734ED40CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 01630283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8e3bed4df9a4f77448910d8396578c32a37e29b778c1c59dbc8be5efc8efac1
Instruction ID: 4d1610efd734bd90dcca1566585fa94a875c4167819bc34c1ad692b7cbb79e18
Opcode Fuzzy Hash: c8e3bed4df9a4f77448910d8396578c32a37e29b778c1c59dbc8be5efc8efac1
Instruction Fuzzy Hash: 0121AF729042479FE711EFA9CC44B9BBBECBFD1640F08445AB9808B251D734D909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 015D2835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44a22678c5a12e19e6b90eac6d96f1275fc401734cb6bc64c57546bc962bc0ec
Instruction ID: 405551c3320bac87852b697012320f88f09e1f2c77eac3c3392dfe40552f3029
Opcode Fuzzy Hash: 44a22678c5a12e19e6b90eac6d96f1275fc401734cb6bc64c57546bc962bc0ec
Instruction Fuzzy Hash: 1021D732A05BC69BE33257AC8D55B653BD5BF41B74F280368FA209F7D2DB68C8018350

Uniqueness

Uniqueness Score: -1.00%

Function 015EA30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdc195ee609f2db1e642443cd4e539cfad57ca6087c7c1de38b91901a5a2bfd3
Instruction ID: 0cf47f85ac5a84596f8a576601a387c0548efaa6291c516661e7bdaf7defb837
Opcode Fuzzy Hash: cdc195ee609f2db1e642443cd4e539cfad57ca6087c7c1de38b91901a5a2bfd3
Instruction Fuzzy Hash: 92219835600A129FC729DF69CC00B56B7F5BF48B04F248468E50ACBB61E371E842CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0166A49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79afb863985ef96cea3dbc9961301068a389281f3f886e74e7e43221cfc1b3f0
Instruction ID: 2347950bd8afc15fc92ed604299399ea150b646d6eb2f0ec24fed649ad4542f5
Opcode Fuzzy Hash: 79afb863985ef96cea3dbc9961301068a389281f3f886e74e7e43221cfc1b3f0
Instruction Fuzzy Hash: CA112972380A12BFE32296999C41F6BB69DEBD4B60F510068F759EF280EB70DC0187D5

Uniqueness

Uniqueness Score: -1.00%

Function 01630946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f510ca54612da296234ac0830c5568e83f2d57dd25784c88b392dbb7c02585c
Instruction ID: 5598aaa4e2419ad6f8208cd1e28add484c6a1bc5c70c05b45279c320d6f36766
Opcode Fuzzy Hash: 0f510ca54612da296234ac0830c5568e83f2d57dd25784c88b392dbb7c02585c
Instruction Fuzzy Hash: 5B21E6B1E40259AFDB24DFAAD8809AEFBF8FF98610F10112EE505A7340D7709945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 016480A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 5927e9d33cc381ccb28b03fb98976d4092c00b3995b4fe760a93492d8cd97b6d
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 9C216A72A0020AAFDB129F98CC40BAEBBBAFF88715F20445AF901A7251D734D9519B50

Uniqueness

Uniqueness Score: -1.00%

Function 015E0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: aa479fe447c58e577a19dbbac3e9c65b033040645c7ac7942662349ffe509466
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 0B11B272A01606AFD72A9F94CC85F9EBBF9FB80764F104429F6049F190D6B1ED44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 015B8770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e046d2704ea87f646b960927366253014a745a6f8d4b3ca8c2db7444b31522a
Instruction ID: 1ac5288975328ec64db2ab914f51f851452afb6f5a2ac4802331c279ec024e1c
Opcode Fuzzy Hash: 0e046d2704ea87f646b960927366253014a745a6f8d4b3ca8c2db7444b31522a
Instruction Fuzzy Hash: 7A11C1317016119BDB15CF4DC4C0AAABBEDBF8A715B1980BDEE089F205D6B2D902CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015EAAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: 62950355dfafc0114b26c82a6a55dde73cc378b88b18f5b17ee1e7f1efb24821
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: B0218E72A00641DFDB3A8F69C548A6AFBEAFB94B50F14897DE9858B610C770EC01CF40

Uniqueness

Uniqueness Score: -1.00%

Function 015B80E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8213228046961d8eda990d2feefce0e461e3100429b2f44515e46713fc853953
Instruction ID: 095630bb8a382db21eb51bc6835a5156abf4d19a5c6ec7b7ac71bfb79be0cc65
Opcode Fuzzy Hash: 8213228046961d8eda990d2feefce0e461e3100429b2f44515e46713fc853953
Instruction Fuzzy Hash: D7215B75A01206DFCB14CF98C591AAEBBF9FB88718F24416DD105AB351DB71AD06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015E674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5c463bd3b2853c92339710066735fdbb72efb4b4b476e6a02bdeea81fba9543
Instruction ID: ce6e9c5c69c922cb75d170ea97f21ab983436d7e5a3c7321c6a72aa2fbc19191
Opcode Fuzzy Hash: a5c463bd3b2853c92339710066735fdbb72efb4b4b476e6a02bdeea81fba9543
Instruction Fuzzy Hash: D2216075A50A11EFD7248F69C841F66B7F8FF94690F44882DE59ACB250DB70B850CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01646870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 749acfd3ce49c5a63f8ab5143437de39a75ce2ecaffcb925b34346bc1a676429
Instruction ID: f810736fb1ae7da78de465572a351e80858a1a38343b28f90a6ab929090ad9cd
Opcode Fuzzy Hash: 749acfd3ce49c5a63f8ab5143437de39a75ce2ecaffcb925b34346bc1a676429
Instruction Fuzzy Hash: 54118F36240616AFD722DA99CD40F9A77A8AB96B50F114069F205DB251DAB0E9018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 015DE8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb5e56109773a4b50b45fa698d140fe95d266661c47212e33d29b2979a32af18
Instruction ID: 714888cb368ca439eb4121fbb5225035b89d5654f8ea054cdec5a324a7fb64c5
Opcode Fuzzy Hash: bb5e56109773a4b50b45fa698d140fe95d266661c47212e33d29b2979a32af18
Instruction Fuzzy Hash: D71125326001159FCB1ACB29CC81A7B77A6EBD1270B284528E9228F280EA30CC02C790

Uniqueness

Uniqueness Score: -1.00%

Function 015E66B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac02b958924b2117afdec37c5b0afe90c1783d9ec3d60bd85334af35f950ad60
Instruction ID: a4381bcd2bd102bd7ac25657419a5fbbddd5edb6cbef4c7ddde8e916a3329ca6
Opcode Fuzzy Hash: ac02b958924b2117afdec37c5b0afe90c1783d9ec3d60bd85334af35f950ad60
Instruction Fuzzy Hash: D2118F76E51215DFCB29CF99C984A5ABBE4BFA4690F054079D9059F311E630DD00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0167A8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: 9963c61300c8674747e5fddc6df23634ce808307dc3c44c6f59e5cab42348c85
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: 5811C436A10919AFDB19CB98CC05B9DBBF6FF84310F098269EC5597380E671AD51CB80

Uniqueness

Uniqueness Score: -1.00%

Function 015B0AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: 3961c4fbd7ab202530db1481bc747824b922d01c8a2b7ce59b793165913edfeb
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: F321C3B5A40B459FD3A0CF29D581B56BBF4FB48B10F10492EE98ACBB50E371E854CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0163E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 3c743ba904db92b00775f93b60c49953ea31d2b38740eca79527041fc13b2da3
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 5011A331A00605EFE7219F48CC40B567BE5FFC5754F16842CEA0A9B290D732DC40DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 015D27ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8e432285038ca837dc72da837b16215544256e92c8d95bce6982a9613338171
Instruction ID: 0fc1cafaf3acbefb063228be10b3a579ca2bf449c134c10db2835286aadc6597
Opcode Fuzzy Hash: e8e432285038ca837dc72da837b16215544256e92c8d95bce6982a9613338171
Instruction Fuzzy Hash: F0010432606686AFE326A6AEDC85F676B9CFF80690F090065F9018F240DA54DC00C2A1

Uniqueness

Uniqueness Score: -1.00%

Function 015B4690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dfb4566a468c4cbf73d841be5c64fb76bf98bff9e7ffd33df4ed5c152fec139
Instruction ID: b9560b8674467acefa7f21dea62174e7f9ee122809f7fe65fc6b4c23ad5afd00
Opcode Fuzzy Hash: 3dfb4566a468c4cbf73d841be5c64fb76bf98bff9e7ffd33df4ed5c152fec139
Instruction Fuzzy Hash: 0311CE36200645AFDB35CF59D9C4F9A7BA8FB86B64F14451AF9068F252C770E802CF60

Uniqueness

Uniqueness Score: -1.00%

Function 01684B00 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e3adeb42982a4e29541ee0a447ec7b8bacfeea3ee1e7e843ccadf7ceb9db8e
Instruction ID: 3681cc52e0bbf086dc2b309eb99c35a267452514f711ed3383df3c3150894f2d
Opcode Fuzzy Hash: 61e3adeb42982a4e29541ee0a447ec7b8bacfeea3ee1e7e843ccadf7ceb9db8e
Instruction Fuzzy Hash: 2C1182362006129FD722AA6DDC44F66BBA6FFC5751F154629EA4687790DF30A802CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015E6620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3818082a2e35311eb59e59d6e1466fb074aed1b1a23a1aa32ba43e0b9bd8dc6
Instruction ID: 8932eaf6fd4c3f497f7df46db4080606ff007ab88296a5c640c762df95187359
Opcode Fuzzy Hash: c3818082a2e35311eb59e59d6e1466fb074aed1b1a23a1aa32ba43e0b9bd8dc6
Instruction Fuzzy Hash: 7A11A076E10616ABDB26DF59C984B5EFBF8FF94780F500458DA05AB200D730AD018F50

Uniqueness

Uniqueness Score: -1.00%

Function 015DEA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6411f37a1b11d989df9abe752c73dd2ff9e87b77a8941df75d70f487115ad1c2
Instruction ID: 550b1ff4e9d185833d9cdbbc8d522b2a4d8d8262bf928d07c14c4d8b47efaa1b
Opcode Fuzzy Hash: 6411f37a1b11d989df9abe752c73dd2ff9e87b77a8941df75d70f487115ad1c2
Instruction Fuzzy Hash: 0401CC7150010AAFC325DF18D889E6ABBEAFBC1314F60816AE1068F265C7B0AC42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 015DE53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: be05c8fdc43907730a8d983da4aa1e80a411cdfd12cbb5fd037ccbbb2a594a22
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 5411CE722016C69FE732AB6C8984B693BD4FB41B88F1D04E0EE418F782F729C846C351

Uniqueness

Uniqueness Score: -1.00%

Function 0163E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: f62575a947474fdb4f7522be95a1eb614d71b29431236ab1e70b93b09b17ed69
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 9E018036B00106AFE7229F58CC40B6A7AB9EFC5B50F158428EA059B260E772DD41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 015AA250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 7cc9cfdc6bec59183cbb5394fbd6ef1c07caaf171e8e8809a3e6c5dddec4ad65
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: C1010032544B229BDB218F199840A2A7BE4FF95B607408A2DF9958F281D331D820CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01684940 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c07c0559a793e7473df654a98948455fdd605cb23fa7b84c2e79ca54d73f7271
Instruction ID: 7888a32b736b02ca076c309139d9b700f8dbdad9fa759e38f8cee7b018a87cd2
Opcode Fuzzy Hash: c07c0559a793e7473df654a98948455fdd605cb23fa7b84c2e79ca54d73f7271
Instruction Fuzzy Hash: 2D01C4725415129FCB32EF1CDC40F52B7A8EB91770B154359E9699B296DB30D801CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0162E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aaadd1500a09a1cff8529a0511370f0ec6ce54c76407fbd3bc0e826bbdc08ee
Instruction ID: b527482220f5255ab2041e4266ffe84a17919b3660067016ae5e932ac887c2db
Opcode Fuzzy Hash: 8aaadd1500a09a1cff8529a0511370f0ec6ce54c76407fbd3bc0e826bbdc08ee
Instruction Fuzzy Hash: 0F117C31241642EFDB15AF19CD80F56BBB8FF94B44F140069E9069B651C235ED01CA90

Uniqueness

Uniqueness Score: -1.00%

Function 015B6259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c25418192fac99fffbb6a1bf466801a711fb28c2b6f9d62181c6b3fc0a072fe
Instruction ID: 03748499a7f24460a1e1e3eac929aaff896a76178acaf85dee7f0e8f95396949
Opcode Fuzzy Hash: 5c25418192fac99fffbb6a1bf466801a711fb28c2b6f9d62181c6b3fc0a072fe
Instruction Fuzzy Hash: 2E115E7154122EABEB65EF64CD41FE9B2B4BF44710F5041D8A714AA1E0D7709E81CF84

Uniqueness

Uniqueness Score: -1.00%

Function 01636050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cc08529fe08aab4d32d1805468279a038e9c9a378b9978baf306f62d48f5204
Instruction ID: a3b535ac8b23594d65b58dab92b4dd10d9a012e4f258fb41f178053b7dfeba30
Opcode Fuzzy Hash: 6cc08529fe08aab4d32d1805468279a038e9c9a378b9978baf306f62d48f5204
Instruction Fuzzy Hash: 5111177390001ABBCB15DB94CD84DDFBBBCFF98254F044166E906A7211EA34EA15CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 015B208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 6200a73f2824ed22e9089a24924e96bec8ea0edd508e91d25f9071852b76b81a
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 0801F1322011058BEF269A6DD8C0B977BA7BFC8600F1545A9ED058F286EB71AC81C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01646500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbd6633dd18c3851e64b79a3ce877eda1e4f7305e1b59fc267b2078310c6241a
Instruction ID: 3143b8f7b77311a749a4496c87a1714acf21eefe9f461db03534083310b983e9
Opcode Fuzzy Hash: dbd6633dd18c3851e64b79a3ce877eda1e4f7305e1b59fc267b2078310c6241a
Instruction Fuzzy Hash: FE11AD326441469FD715CF68D800BA6BBB9FB9A314F088159E8498B326D732EC81CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0163C810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfa0f09468f2b734163bc7219810b81870920bf2b4220b8373aa28a66320c4e0
Instruction ID: 392a88ebcf4428d75cf245a556afa0c1d4f63f0837d36bcb40027e859eab69bb
Opcode Fuzzy Hash: dfa0f09468f2b734163bc7219810b81870920bf2b4220b8373aa28a66320c4e0
Instruction Fuzzy Hash: 7711ECB1A0020A9FCB04DF99D545AAEBBF8FF58250F10406AB905E7351D674EE01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0165EA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc77806ff0c090685b9ed9084204935cf083f115bba98527a3fc7cb7fd190828
Instruction ID: 8a8296e82b55b1a9e7b3cd8d1a3f7e9f82c05adab02f73d09d51f19e7acc4915
Opcode Fuzzy Hash: cc77806ff0c090685b9ed9084204935cf083f115bba98527a3fc7cb7fd190828
Instruction Fuzzy Hash: 28019E325402129FCB62AE398C4097BFBA9FF92A90F44442EED459F311CB22DD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 015AC020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 6827b63856e748c3e2cc627e08d7d73750ccc202836825e83453ecf2a45dcdd5
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 2701B9321407069FDB2796A9C900BAB77E9FFC5650F44891DAA468F540DA71E401C750

Uniqueness

Uniqueness Score: -1.00%

Function 015F20F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baafbcbb57463eff97487415a5aa4c027feb94ac45ef2a5af38168d8f7e85bb3
Instruction ID: 832f19f399e48c69f4fd97f3900b9a857ccd604161dbe4e8ca41e4686011d0d5
Opcode Fuzzy Hash: baafbcbb57463eff97487415a5aa4c027feb94ac45ef2a5af38168d8f7e85bb3
Instruction Fuzzy Hash: 7D115B75A0120EABCB05DFA4CC50EAE7BA5FB84650F104059EA019B290D635EE11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015EE5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 215169a571f1cf66604a06f238da556e677194a57c9df882e12f3b75805fc9ac
Instruction ID: 892b7f6285b35edd68a87bf0e86a6e779c0c60d5a8ef89b3592ce6f91d392866
Opcode Fuzzy Hash: 215169a571f1cf66604a06f238da556e677194a57c9df882e12f3b75805fc9ac
Instruction Fuzzy Hash: AA01F771211917BFC311AFB9CD80E57B7ACFFD5A54F000629B1058B660DB24EC01CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 016469C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaeb8a267ffc44c9519ddee0dc3a2d69d2a127d7d5ef07f4aea16bbec601bbf4
Instruction ID: a827c0435f6f7fbaf842f6e2de96a36e99461ecf7d6815f5449433ba6c802171
Opcode Fuzzy Hash: aaeb8a267ffc44c9519ddee0dc3a2d69d2a127d7d5ef07f4aea16bbec601bbf4
Instruction Fuzzy Hash: 1D01FC32214706DBD320DF6ADC489E7BBA8FF95660F114129ED598B380E7309951C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 0163C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e9b0ff06d67cafe8f91bdac14a5b9cfc294ce7a8d626d7b3bececb13e3a2e4e
Instruction ID: 6317a19b7544ce8957f1e037fb96768453a32bb63b9a29eedcf5801ee91a8352
Opcode Fuzzy Hash: 8e9b0ff06d67cafe8f91bdac14a5b9cfc294ce7a8d626d7b3bececb13e3a2e4e
Instruction Fuzzy Hash: 90115B71A0120DEBDB15EFA8C844EAE7BB5FF88340F00405AF901AB381DA35E911CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0163C97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed2980cb637ceb06d7ee1b04fed6b86e91becf1f822626893057c0599b25fa8a
Instruction ID: 1691190dffec975ce934641ff555683e3c2884f42ae6afd752393f96cfd981c2
Opcode Fuzzy Hash: ed2980cb637ceb06d7ee1b04fed6b86e91becf1f822626893057c0599b25fa8a
Instruction Fuzzy Hash: 88112A716143099FC700DF69D84195BBBE8BF98650F00451EBA98D7391D630E901CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0163CA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc4f7defc93b5e09017f1ca4f97acba5de7019dd442d3ff584f6246bb7371456
Instruction ID: 352331ccbb388dff7a37347e5b45c4746f5af29134d05a51d9594e398ac451e1
Opcode Fuzzy Hash: fc4f7defc93b5e09017f1ca4f97acba5de7019dd442d3ff584f6246bb7371456
Instruction Fuzzy Hash: 76115A716083099FC300DF69C84195BBBE4BF99750F00851EB958D7354E630E901CB92

Uniqueness

Uniqueness Score: -1.00%

Function 015CE016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 692dee2aa38ee1968fb06a57360ecec999061ad3fea7dd1cdd9053a38ecccdd1
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 85017C322006849FE32B8A5DC948F2B7BD9FB84B54F0904A9F909DF6E2D768DC40C661

Uniqueness

Uniqueness Score: -1.00%

Function 015A826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2163583c355d3e2526c2ee38daa68b13793bfe2a4e20f8f87c20040c0f9c63d
Instruction ID: 089b9af0a467ef26b3e201309895ea83a3daa779897533ee41bb887c2e049985
Opcode Fuzzy Hash: d2163583c355d3e2526c2ee38daa68b13793bfe2a4e20f8f87c20040c0f9c63d
Instruction Fuzzy Hash: 4301A231B50505DFDB14EB69DC14ABFBBE9FF81220B9940699A01AF780EE60ED01C791

Uniqueness

Uniqueness Score: -1.00%

Function 0165EB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e470911e8627388731d71dd3d356488ca128e035d0850ff69d70c7ebaf1262e7
Instruction ID: 6fa5c5996b315877466ce505e16898344ed6a789a18be2c0909bb21c9d150a22
Opcode Fuzzy Hash: e470911e8627388731d71dd3d356488ca128e035d0850ff69d70c7ebaf1262e7
Instruction Fuzzy Hash: 4501DF71680602AFD3315F59DD41B22FAA8AF95B90F00042EE60A8F390D7B1E8418B98

Uniqueness

Uniqueness Score: -1.00%

Function 015B2582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5440c063f9768a24e35869df198dedc187877281e38e2b646aa8f88884ed3bb8
Instruction ID: 64a12cdfae708988ebfaea8a59988f384ebd2fe3564571bfb2c5be9a670955b7
Opcode Fuzzy Hash: 5440c063f9768a24e35869df198dedc187877281e38e2b646aa8f88884ed3bb8
Instruction Fuzzy Hash: 26F08632641615ABC7319A968D81F57BAA9FBC4A90F154469A6059B640D630ED01CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 015DC073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: fb1a9462a5637b625f480499cc0eebfb748dc06b07c7624be63b80edd6ec7c4d
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 16F0A4B2600611ABD334CF4D9940E57F7EAEBD1A80F04812CA505CB220E631ED04CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0168634F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da32791f804cb7a1fcb388409c5444d849e2a21eb7e85d7883d84e39e876e4e
Instruction ID: c207f506874242d2a28cda9b368f6c23f2ea008ead19cb14602f259f220d47c1
Opcode Fuzzy Hash: 1da32791f804cb7a1fcb388409c5444d849e2a21eb7e85d7883d84e39e876e4e
Instruction Fuzzy Hash: B2012171A1060AEFDB04DFA9D951AAEB7F8FF98704F10405AE904EB350D6749A018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 015AC310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: e9585aaf17febcabf812fd74a2f237a0c5227d3d1bbdcf32a3903400302661e5
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 08F0FC332846279FD7325A9D8840B6FA595BFD1A65F590077E3059F240C9648D0197D0

Uniqueness

Uniqueness Score: -1.00%

Function 0168625D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68fd2c3c443cd321538cde2335b03cf76b36d286652374b77fcf0b87f19ab702
Instruction ID: 06285ca2970b1906554ccb607a36d329b2ca21790f48d96074b325356d03257a
Opcode Fuzzy Hash: 68fd2c3c443cd321538cde2335b03cf76b36d286652374b77fcf0b87f19ab702
Instruction Fuzzy Hash: 17012171A1021AEFDB04DFA9D851AAEB7F8FF58744F10805AF904EB351D674A901CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 016862D6 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43f0c43730bc39d67eb4b18088ce7258ba09919f542c936b9d6b35773623c9c5
Instruction ID: baa9008e8d4207e9add8bbd68c62274162b7c1b7307001d3fb0c17cef4217123
Opcode Fuzzy Hash: 43f0c43730bc39d67eb4b18088ce7258ba09919f542c936b9d6b35773623c9c5
Instruction Fuzzy Hash: 4E012171A0020AEFDB04DFA9D845AAEBBF8FF58704F50405AEA14EB350D6749D018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 015ECA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: a641e11829272992a82557aa7cf49371aef40f18145a1ad1ebb1e2318eaea52e
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: 2601D132601A969BD326965DDD09F99BBDCFF91754F0884A9FA048F7A2D7B9C800C610

Uniqueness

Uniqueness Score: -1.00%

Function 016861E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b878737a3c7affdf36cca10c067e7bae3b126d8f32d43f144fea3429afaf16e1
Instruction ID: f29d91abb5504bbb00d495486a1793e13e042fe48cd6117b8e692fbcf5e5e51e
Opcode Fuzzy Hash: b878737a3c7affdf36cca10c067e7bae3b126d8f32d43f144fea3429afaf16e1
Instruction Fuzzy Hash: 85014F71A0024ADFDB04DFA9D955AEEBBF8BF58710F14405AE501EB390D774EA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0163A4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f63de3d72b676c79738db43c7dc6315cd4befda13110b7bbbbf88d75aa8dd370
Instruction ID: f16e1742d395ecb4da777384de735c5f272598c487489fa75a460b0b667ed389
Opcode Fuzzy Hash: f63de3d72b676c79738db43c7dc6315cd4befda13110b7bbbbf88d75aa8dd370
Instruction Fuzzy Hash: 23018536100209ABCF129F84DC40EDA3F66FB8C7A4F068105FE19A6260C732E971EF81

Uniqueness

Uniqueness Score: -1.00%

Function 015AC0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 955e91c47de8e4bcd49f33ce228a49302a7c5b4e726c01c3c6b2ae75dedf78ec
Instruction ID: 80bbe4ea038d329e7499bfbc118508932179d6b5dfa28e277d524054d00959c7
Opcode Fuzzy Hash: 955e91c47de8e4bcd49f33ce228a49302a7c5b4e726c01c3c6b2ae75dedf78ec
Instruction Fuzzy Hash: 1EF024717843415BF754A6199C01B2A32D6F7C4650FA5842AEB098F6C1E970EC0183A4

Uniqueness

Uniqueness Score: -1.00%

Function 015E656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c26bff37ad9791c4b133ae0f16c29d4ac38fc318bf6536256cef2c25465615b6
Instruction ID: a3802da3dab4b9f7806804ee42755c8a956c6dd11f86272111ef06cbd1dc8d6a
Opcode Fuzzy Hash: c26bff37ad9791c4b133ae0f16c29d4ac38fc318bf6536256cef2c25465615b6
Instruction Fuzzy Hash: 6F01A971701A859FE326AB6CCD4CB6937D4BB50B80F844595FA018F6D6DB28D4018A14

Uniqueness

Uniqueness Score: -1.00%

Function 0165437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 51b9c262cd7213ebe16bd8d04520d4019290dec406b42ab74d2b5946d0d4bee4
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 23F0E93134192347EBB5AB2F8C10B2AAA96AFD0D40F0505BC9D51CF761FF20D8818780

Uniqueness

Uniqueness Score: -1.00%

Function 0163E872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: b09b875c4a1c7261b4c7c25dfc4c40dd63afa10899822cea380000f32035d293
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: 0CF05432F515129FD3219E4DCC80F56B768FFD5A60F1A0169AA049B360C771EC0287E0

Uniqueness

Uniqueness Score: -1.00%

Function 0163C89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4d459be09ab4f2589cc5a3a3a457ae983c4865d6e1ba362ec4e97ca8add96cd
Instruction ID: efd4c46c26ba71bd38090fe2f5c14ef97516b35f3649ea79447b165b218c9223
Opcode Fuzzy Hash: d4d459be09ab4f2589cc5a3a3a457ae983c4865d6e1ba362ec4e97ca8add96cd
Instruction Fuzzy Hash: F3F0C2716053059FC310EF78C845A1BBBE4FF98710F405A5EB998DB390E634EA01CB96

Uniqueness

Uniqueness Score: -1.00%

Function 015E0854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 3cf23687f04436c27faa670089aa83df0982ed22af1e0aadbbf9a90b6eeda6d9
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: BFF0B472B14205AFE718DF65CC05F56B6F9FF98740F148478A545DB1A0FAB0ED01C654

Uniqueness

Uniqueness Score: -1.00%

Function 0163C912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a59639229b40aa3429ac2f6be373ddc6b00a2744a18ce0c8c6f6298b44b98ba
Instruction ID: 7ffa6fe6fd163f2c0ed873dc8abc3ffbcc335b62f9c3b66b77629ccc65ee9071
Opcode Fuzzy Hash: 9a59639229b40aa3429ac2f6be373ddc6b00a2744a18ce0c8c6f6298b44b98ba
Instruction Fuzzy Hash: 0CF06270A0124EDFDB04EFA9C915AAEB7B4FF58300F00805AB955EB385DA74EA01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 015B47FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83d42ca3e22b48321b6ad4a4f9dbaec61583139b4e7d5ae39c25a5120d30766a
Instruction ID: d340d62813435fb865698b43fd2ec7581f599893ca46f8b737d72fd9d33e5f13
Opcode Fuzzy Hash: 83d42ca3e22b48321b6ad4a4f9dbaec61583139b4e7d5ae39c25a5120d30766a
Instruction Fuzzy Hash: 17F0B4319166E19FE732DB5CC4D4BA57BE4FB00620F084D6AF58B8F543C724D880C691

Uniqueness

Uniqueness Score: -1.00%

Function 01670115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cef53b56d66985912f718dbba009738bc3b14c4f4d518385e8d0ae106e05b0f5
Instruction ID: a894d8568e6a06c8fe6df34b60d2f45918eca54e76883a5f1ce509a6efe8462a
Opcode Fuzzy Hash: cef53b56d66985912f718dbba009738bc3b14c4f4d518385e8d0ae106e05b0f5
Instruction Fuzzy Hash: 6EF0276B4156810ACB326B7CFC602D16B59A752114F4D3089E4A057305C774A893CB75

Uniqueness

Uniqueness Score: -1.00%

Function 015EC5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f727bfc0c5fa7048c4c6d3d3e383a9ff5e1845bf49a27a22c5cdf27be5cd650d
Instruction ID: d3c11040af076fb0ea2700b812acb1bd5679a836da34180c6681f7387f98f7ed
Opcode Fuzzy Hash: f727bfc0c5fa7048c4c6d3d3e383a9ff5e1845bf49a27a22c5cdf27be5cd650d
Instruction Fuzzy Hash: 43F0E271D116519FE72A9B1CC18CB1B7BE4BB817A0F089925D40A8F552C664E880CE50

Uniqueness

Uniqueness Score: -1.00%

Function 015F2619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 2ccc77c77a261466c909105c242ff182ad3713faf68cc0d5cec3fdf7c3dc4420
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 0FE0D872300A022BE7119E598CC0F477B6EFFD6B10F04407DB6045F251CAE2DC0986A4

Uniqueness

Uniqueness Score: -1.00%

Function 01646030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: 0639c4cfbb509d04fccee60836511e587302772474dca826ab5fce21759c9d9f
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: E1F0E572200204DFE3209F49DE40F52B7F8EB06B64F01C029E6088B260D379EC40CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 015B0710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 2003d0cef33691cd9901d157e71e174d66936c7e7a241ed158985a6e655abe81
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 88F0E53A2047559FDB1ACF19C490AD6BBF8FB51350F000498F8468F381D732E982CB54

Uniqueness

Uniqueness Score: -1.00%

Function 015E49D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 3f2b2c038fa8054680ff8a1e1eb8eb3a8b56183cc59faa046cc81b49b3881653
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 8FE09232A54146AFD3251E598808B7A77E7BBD07B0F150429E200CF150DBF0DC40C798

Uniqueness

Uniqueness Score: -1.00%

Function 01684164 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee49f9deafca26630ae4f2f49a0b8125d536918b7327e2848874fde3108d0a59
Instruction ID: 36cafd155268c84b7b588cb1b3642b3f4a31b838df32a7d951a46143e9f94dd5
Opcode Fuzzy Hash: ee49f9deafca26630ae4f2f49a0b8125d536918b7327e2848874fde3108d0a59
Instruction Fuzzy Hash: EDF06531A25A938FE772F72CD984B657BE4AF50631F5A0654D4858BA52CB24DC40C650

Uniqueness

Uniqueness Score: -1.00%

Function 0165678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: e6b058748ddaddd1e8218659a78813dafad92494cc8160ebdd7f70b77654e5b2
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: 07E0DF72A00110BFEB219799CE05FAABEBCEB90EA0F050194FA01EB190E530EE00C690

Uniqueness

Uniqueness Score: -1.00%

Function 016808C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction ID: ec42399b2e99c592e15e39a2882e58fe53f263c00987f1974cb0804e9b2cbe98
Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction Fuzzy Hash: C1E02B716403408BCF20AA1DC900A53B7ECDF91620F16856DE90407312C370F887C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 015B25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d4e1b1b6f7ef06e3e9dd33150cdb8766b5f9be64143e4d0a24257b33ff783dd8
Instruction ID: 882ec1491c15d3bb88fdc4d1ed1b523b71fa5ed01a784e13192c670f07458b06
Opcode Fuzzy Hash: d4e1b1b6f7ef06e3e9dd33150cdb8766b5f9be64143e4d0a24257b33ff783dd8
Instruction Fuzzy Hash: D4E092721009559BC321BF29DD41FCA7B9AFFA0760F014519B1565B190CB30B810CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0166A456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: fcedc36e6b257804a6b2314d99d2a02516d0b6987e5ed1d4f969c7a4fa8b324a
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: F6E06D31011612DFE7366F6ACC08B527AE4BF90711F14882DA1962A6B0C7B5D880CA40

Uniqueness

Uniqueness Score: -1.00%

Function 01634000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: e2012d67c2725ea3688fce517097a4db19f519e92de0c9c05245d8c65b3e4fa1
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 84E0C2383003058FE715CF19C440B62BBB6FFD5A10F28C068A9488F305EB32E842CB40

Uniqueness

Uniqueness Score: -1.00%

Function 015ECA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e081e59ed3f1f99027682c5ff636800fc8995e01b68b57536d586da57cbe99d9
Instruction ID: b41028a5361c1045e437a797b77466ebdbb6e2739b0af43cf2f7ba72d7a3d61e
Opcode Fuzzy Hash: e081e59ed3f1f99027682c5ff636800fc8995e01b68b57536d586da57cbe99d9
Instruction Fuzzy Hash: 25D02B329920216ECB39E568BC08F973AD9BB80760F018860F1089A010D594DC8187D4

Uniqueness

Uniqueness Score: -1.00%

Function 015A823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 289a5a1d84dda8aad2fe774422bcdd1cb8fd46c861395b81a0e347f14381ebae
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: FDE0C231080A16EFDB322F15DC00F6A7AE1FF94B11F108C6DE2811E1A487B1AC81CB44

Uniqueness

Uniqueness Score: -1.00%

Function 015B2050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f454862ab56c2874086e793d794964c6bfac00725aa2912c483fb8d7047aaa
Instruction ID: 83dcc2db74b853d84433688cd5f63d5e682a12ce1d3ddc4fc881fdb6ce7bbd69
Opcode Fuzzy Hash: 13f454862ab56c2874086e793d794964c6bfac00725aa2912c483fb8d7047aaa
Instruction Fuzzy Hash: EDE08C321004656BC321FE5DDD50E8A739AFFE4660F044225B1518B290CA60BC00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 015E8A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: 592ec381d3e173e6f13b5bcc469335747d692e241a2421ed534d3b974a29f021
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: 37E08633511A1487C728DE18D515B7677E5FF45730F09463EA6134B790C574E544C794

Uniqueness

Uniqueness Score: -1.00%

Function 01606AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: 120845ff6cfa151bff97f1837572beaddc246cc3723cac227bef00b5c0c80d7e
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: 2DD05E36511A50AFC3329F1BEE00C53BBF9FFC4F207050A2EA54683A20C770A846CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00417312 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1421910980.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005aa1a9355414f3a12429ce7ab098b8187bb15b7130122fab01a4847116c164
Instruction ID: a85fa2c2e0ed940b7f3a1964a94cd656819bd7c32ecadaf81e60066b16622562
Opcode Fuzzy Hash: 005aa1a9355414f3a12429ce7ab098b8187bb15b7130122fab01a4847116c164
Instruction Fuzzy Hash: C5C08C37F5705CAACA20CE5D74811B4F330E683622F112AE2DD8CF30008813E05A4699

Uniqueness

Uniqueness Score: -1.00%

Function 015EE59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 597b1160607ae07e148b3611edf2a319f3a054463a0f4895aceaccb949a6b1a2
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 92D0A932224A20AFD772AA1CFC00FC333E8BB88B20F064459F008CB150C360AC81CA84

Uniqueness

Uniqueness Score: -1.00%

Function 0162E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: 3beff6f272af56d04c257eb369e71fd8662ff13ae411028b327c87eaccf95daa
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 08E0EC35A50A859FDF52DF99CA40F9EBBB5FB94B40F190058E5085F660C725A900CB40

Uniqueness

Uniqueness Score: -1.00%

Function 015AA0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 74173bc73816950818823981cf22477f9967e2ed5f8fa0046618b8720ea01219
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 87D02232262031A7CB285A95A800FAF6905BFC0A90F0A002D340A9B800C1048C42C2E0

Uniqueness

Uniqueness Score: -1.00%

Function 015EA830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: a4441d734726581dc1d7dd4fb23c5ce360e4b6b8d7c03c95a4dd081bde6545aa
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: C9D012371E054DBBCB119FA6DC01F957BA9FBA4BA0F448020B5048B5A0C63AE950D584

Uniqueness

Uniqueness Score: -1.00%

Function 015ECA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a01e54bae6c388291e35b77fa2f86448d32f0e8f7436fe2073a98371e6272ab
Instruction ID: 49e77be856ae96fd05e24060f775823caa8453b589ef83910e728704d6bf7ced
Opcode Fuzzy Hash: 2a01e54bae6c388291e35b77fa2f86448d32f0e8f7436fe2073a98371e6272ab
Instruction Fuzzy Hash: F0D0A730912412CFDF1ADF4CCE14D6E36F4FF10640B40006CE70156920D364DC11CE00

Uniqueness

Uniqueness Score: -1.00%

Function 015C02A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: e6734dcdb3045b8de56d6a3100dab2d5457dbdda437aa69d1b87606b16f6e629
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: ABD0C939216E80CFD61BCF4CC9A4B1933A4BB44F44F850494F402CBB62E76CD940CA00

Uniqueness

Uniqueness Score: -1.00%

Function 015EC700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: dc9316cde83baa98f645a867166378e50c15366b71f530a09e25295bfcc78a9d
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: BBC012322A0648AFC712AE99CD01F467BA9FBA8B40F004021F2048B670C631E820EA84

Uniqueness

Uniqueness Score: -1.00%

Function 015D0310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 81b2bfcf6a5ca09e8a628390cbec3ef8c09447c84a473503cfa9739a7d6cea2c
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: B3D01236100249EFCB11DF45C890D9A772AFBD8710F108019FD190B6508A31ED62DB50

Uniqueness

Uniqueness Score: -1.00%

Function 015B0750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 815d9665216c7fe48cc248060b336f67ab60d5a6f4820f9858c1555b303fed0a
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 17C04C757015468FCF16DF59D694F4577E4F754740F155894E805CB721E725EC01CA10

Uniqueness

Uniqueness Score: -1.00%

Function 015F4340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfd8f01174f6c724f528a535b4e6e211b7bc27fdb5040f9d78e3a7093f26f74f
Instruction ID: d37b22b98255a2513614214e078afd8d6f08783ca10919d91634c4e2164bf8fe
Opcode Fuzzy Hash: bfd8f01174f6c724f528a535b4e6e211b7bc27fdb5040f9d78e3a7093f26f74f
Instruction Fuzzy Hash: 81900231A05C00529145B5584C845474009A7E0301B55C411E4424698DCA148A965361

Uniqueness

Uniqueness Score: -1.00%

Function 015F4650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66abed3c15a7ffbd8ccc0b27f22bf0a20b029108753de28138999ca7c9f2d52f
Instruction ID: c03c3c091620cef25d5f3ec51060bc461e02bb15365727f1e7c1e222bb7a479a
Opcode Fuzzy Hash: 66abed3c15a7ffbd8ccc0b27f22bf0a20b029108753de28138999ca7c9f2d52f
Instruction Fuzzy Hash: ED900261A01900824145B5584C044076009A7E1301395C515A45546A4DC61889959369

Uniqueness

Uniqueness Score: -1.00%

Function 015F2BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 901d7972e3b3288c94c97cc0dffbdf4ba6687939b1789a2e7d1c454bae7f99da
Instruction ID: c235cc36f7ef50eec74e98cf4fceeb0cbaa1bcaa03d25fdda39c8de147d4d742
Opcode Fuzzy Hash: 901d7972e3b3288c94c97cc0dffbdf4ba6687939b1789a2e7d1c454bae7f99da
Instruction Fuzzy Hash: 0590023160584882D145B5584804A47001997D0305F55C411A40647D8ED6258E95B761

Uniqueness

Uniqueness Score: -1.00%

Function 015F2B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 247184a20c1534184d1807438036b58c71fe22bc82d08e32d84d5e4083dd564a
Instruction ID: 923aa41f79f9cb08605e15fd0b68d32e513b0bb38fd809ebd3409c42075dc385
Opcode Fuzzy Hash: 247184a20c1534184d1807438036b58c71fe22bc82d08e32d84d5e4083dd564a
Instruction Fuzzy Hash: 5E90023160180842D109B5584C04687000997D0301F55C411AA024799FD66589D17231

Uniqueness

Uniqueness Score: -1.00%

Function 015F2BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf78032dfccb14f2275cab4078cf69746793be4833e21d130c5b14da8734be0d
Instruction ID: 58a63b639fa0f30d70bb8df7a2c23cd10d3b5b07a2a0509f3c59c2425350b7a1
Opcode Fuzzy Hash: cf78032dfccb14f2275cab4078cf69746793be4833e21d130c5b14da8734be0d
Instruction Fuzzy Hash: 7F900231A0580842D155B5584814747000997D0301F55C411A4024798EC7558B9577A1

Uniqueness

Uniqueness Score: -1.00%

Function 015F2AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13372ca09ffba5a0622140444ca8c8b54d6ac4eb1fa9911b3e45dcf46afbdde3
Instruction ID: ee0cf1db117df40127c98df26ee6521bee16663503fe44a526ff3691d891d9f4
Opcode Fuzzy Hash: 13372ca09ffba5a0622140444ca8c8b54d6ac4eb1fa9911b3e45dcf46afbdde3
Instruction Fuzzy Hash: D590022562180042014AF9580A0450B0449A7D6351395C415F54166D4DC62189A55321

Uniqueness

Uniqueness Score: -1.00%

Function 015F2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5dd824d02da9d2be3f370bbbafd1c3e8c6fa2a8cf286a164551a1a4ca5963a
Instruction ID: 7e4d1c06fd75d99ef874b0f48186ed50d6a70338e09bf8f21d0cba824acfb661
Opcode Fuzzy Hash: 6f5dd824d02da9d2be3f370bbbafd1c3e8c6fa2a8cf286a164551a1a4ca5963a
Instruction Fuzzy Hash: 019002A1601940D24505F6588804B0B450997E0201B55C416E50546A4DC52589919235

Uniqueness

Uniqueness Score: -1.00%

Function 015F2D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 543c83fefa353c1a492390e704e3024f4509cd35545c7eb192652527a85a63db
Instruction ID: e7f4c35389c6a41420931635f369ea942c116c6a2d980ab12e4ec2cdd88479c1
Opcode Fuzzy Hash: 543c83fefa353c1a492390e704e3024f4509cd35545c7eb192652527a85a63db
Instruction Fuzzy Hash: 1790022160584482D105B9585808A07000997D0205F55D411A50646D9EC6358991A231

Uniqueness

Uniqueness Score: -1.00%

Function 015F2DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2a13f13a3ae1804edc44ff77b35384c0a70274e7b24989d1866cf196952c7e7
Instruction ID: ce4b88ba402a4daf31daec9655f2389ea417c47a7404441e7dc52f35e01fa647
Opcode Fuzzy Hash: e2a13f13a3ae1804edc44ff77b35384c0a70274e7b24989d1866cf196952c7e7
Instruction Fuzzy Hash: 9D90023164180442D146B5584804607000DA7D0241F95C412A4424698FC6558B96AB61

Uniqueness

Uniqueness Score: -1.00%

Function 015F2C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24eda908ac30e4c442e26d7fb8ce38427968d0360e8fa79b9967a89b0d5ff7fc
Instruction ID: 65061e5f5cbe6d5649fc01060710bf90e08ca5a3f1c1f8cefd37263dea233b43
Opcode Fuzzy Hash: 24eda908ac30e4c442e26d7fb8ce38427968d0360e8fa79b9967a89b0d5ff7fc
Instruction Fuzzy Hash: FB90023160180882D105B5584804B47000997E0301F55C416A4124798EC615C9917621

Uniqueness

Uniqueness Score: -1.00%

Function 015F2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e28a125e5b3c7983c47c271b262dfbfaac9e8ccfb3fb82b8226614e1a9ca8910
Instruction ID: e60d879f3b50dd4bd82511af252ed3874754a2086396666dd6529fa01ec20a5f
Opcode Fuzzy Hash: e28a125e5b3c7983c47c271b262dfbfaac9e8ccfb3fb82b8226614e1a9ca8910
Instruction Fuzzy Hash: 51900221A0580442D145B5585818707001997D0201F55D411A4024698EC6598B9567A1

Uniqueness

Uniqueness Score: -1.00%

Function 015F2CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e371b7a3a94f06c10ca84c22fd77ad1dd5cb3526a3bff275ac049af84a3e03c
Instruction ID: 7d484cde0a29eba9573320ba998d674c6a0b2c997a67d6b9216de4178e673aaf
Opcode Fuzzy Hash: 4e371b7a3a94f06c10ca84c22fd77ad1dd5cb3526a3bff275ac049af84a3e03c
Instruction Fuzzy Hash: 5790023160180443D105B5585908707000997D0201F55D811A442469CED65689916221

Uniqueness

Uniqueness Score: -1.00%

Function 015F2F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b0d5fadc57dc9ab3b8e044afbf58fc25cfa4e371c4bbe4a0db14ef9cc8d7578
Instruction ID: 0772055cd8aaf214c8f5249e827d6b953fdc90854fb926bb69397e8a8f4bdc96
Opcode Fuzzy Hash: 5b0d5fadc57dc9ab3b8e044afbf58fc25cfa4e371c4bbe4a0db14ef9cc8d7578
Instruction Fuzzy Hash: 2D90026161180082D109B5584804707004997E1201F55C412A6154698DC5298DA15225

Uniqueness

Uniqueness Score: -1.00%

Function 015F2FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddaeca01cdb7778bc15c0d0c43cb62bab1873fdcf3c28aa94a58f60642788566
Instruction ID: c553789e56d4508f0c9b6620819911ac6aeaeef8990ed4b41e84b55fc74f55b3
Opcode Fuzzy Hash: ddaeca01cdb7778bc15c0d0c43cb62bab1873fdcf3c28aa94a58f60642788566
Instruction Fuzzy Hash: 21900231601C0442D105B5584C08747000997D0302F55C411A9164699FC665C9D16631

Uniqueness

Uniqueness Score: -1.00%

Function 015F2E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff77a6af9cea1a92bc0a437c37d2c8d9bddb2bf89ee0c132365d73283e825419
Instruction ID: 61e020fe903e74065578b699bd91eb4635724102ceb84c4e5adc9720d0cf051c
Opcode Fuzzy Hash: ff77a6af9cea1a92bc0a437c37d2c8d9bddb2bf89ee0c132365d73283e825419
Instruction Fuzzy Hash: 4790022170180442D107B5584814607000DD7D1345F95C412E5424699EC6258A93A232

Uniqueness

Uniqueness Score: -1.00%

Function 015F2EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b66c2f71b0c1734321406359ea5d9d423c15aafb35d784b4517333e08aadb802
Instruction ID: a1fc36b9b08b3f2ad154947d476e5e8cdcad001caba918c107b25d5a8bc5028a
Opcode Fuzzy Hash: b66c2f71b0c1734321406359ea5d9d423c15aafb35d784b4517333e08aadb802
Instruction Fuzzy Hash: 9A900261601C0443D145B9584C04607000997D0302F55C411A6064699FCA298D916235

Uniqueness

Uniqueness Score: -1.00%

Function 015F3010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 343c5d6b6c37a8aa5098ebf6568cb3ca7de459d5f23d196d34f92efb7ceef6ad
Instruction ID: 5c48f0c70c346e622c1b718943fbf9359d0cfba5545e6a5f370e263da0a0dbec
Opcode Fuzzy Hash: 343c5d6b6c37a8aa5098ebf6568cb3ca7de459d5f23d196d34f92efb7ceef6ad
Instruction Fuzzy Hash: 4C900221601C4482D145B6584C04B0F410997E1202F95C419A8156698DC91589955721

Uniqueness

Uniqueness Score: -1.00%

Function 015F3090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0cd9546f0819b2d0f33a9638371fde28ad0fe40c8e3f039a8ac72d3764f156c
Instruction ID: 341a4cdfb0002b435b9bab2cb43d650811d4555ac3a0b92c6d4a1583f95712ab
Opcode Fuzzy Hash: b0cd9546f0819b2d0f33a9638371fde28ad0fe40c8e3f039a8ac72d3764f156c
Instruction Fuzzy Hash: E290022164180842D145B5588814707000AD7D0601F55C411A4024698EC6168AA567B1

Uniqueness

Uniqueness Score: -1.00%

Function 015F35C0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82de95e9640697c35620daccbb899c2eb3a6020e18d9af7528f60227933143e3
Instruction ID: 04740445208a0367bea1166d17e2f99cf4d28277e79a32126c243bb879c5cc75
Opcode Fuzzy Hash: 82de95e9640697c35620daccbb899c2eb3a6020e18d9af7528f60227933143e3
Instruction Fuzzy Hash: 4C900231A0590442D105B5584914707100997D0201F65C811A44246ACEC7958A9166A2

Uniqueness

Uniqueness Score: -1.00%

Function 015F39B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7708565c63007bed625c50085948a1c3414ed25a820668be6060e892f3db3310
Instruction ID: 9bd62fef2b2842e20d4f6a65ee16d2853fc301b85c68adeb753ca44a87d95da7
Opcode Fuzzy Hash: 7708565c63007bed625c50085948a1c3414ed25a820668be6060e892f3db3310
Instruction Fuzzy Hash: A690022164585142D155B55C48046174009B7E0201F55C421A48146D8EC55589956321

Uniqueness

Uniqueness Score: -1.00%

Function 015F3D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80348d88e23c09b7cae2ae03427b44df7f18ad31050525232d28a0c445b5e43d
Instruction ID: 2960bc10dedb7a89003d2c04f549f66dca1fac330819f2573fadee83f4583b3e
Opcode Fuzzy Hash: 80348d88e23c09b7cae2ae03427b44df7f18ad31050525232d28a0c445b5e43d
Instruction Fuzzy Hash: 5290023560180442D515B5585C04647004A97D0301F55D811A442469CEC65489E1A221

Uniqueness

Uniqueness Score: -1.00%

Function 015F3D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06bec3172be7b962b2c8ff8171abf7cde841e5b7675c6654b343adffa6743c86
Instruction ID: 1314f51cccee7f6e0df78fa443ebcc218415f3073e7cbcfa870d1c7c88361887
Opcode Fuzzy Hash: 06bec3172be7b962b2c8ff8171abf7cde841e5b7675c6654b343adffa6743c86
Instruction Fuzzy Hash: B8900231602801829545B6585C04A4F410997E1302B95D815A4015698DC91489A15321

Uniqueness

Uniqueness Score: -1.00%

Function 015F2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 7de3d4e768e5b69d6d68d393a81832bea69c87ecf2353fb717d24a4947dd8f3a
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 015F2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 015F293C
___swprintf_l.LIBCMT ref: 015F295E
___swprintf_l.LIBCMT ref: 015F29A3
___swprintf_l.LIBCMT ref: 0162A52E

Strings

::%hs%u.%u.%u.%u, xrefs: 0162A527
:%u.%u.%u.%u, xrefs: 0162A5B8
::ffff:0:%u.%u.%u.%u, xrefs: 0162A54E
ffff:, xrefs: 0162A504

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 782c59c389900392aeb8a7e2dd03b6de0dc45202d48a886c0a7e897419d07c99
Instruction ID: 0dc63853fb64a337f20a63be5993dcb46c1404a43569caed47fcf8b04186f24d
Opcode Fuzzy Hash: 782c59c389900392aeb8a7e2dd03b6de0dc45202d48a886c0a7e897419d07c99
Instruction Fuzzy Hash: 5551E6B5A00656AFCB11DB9C8D8097FFBB8BB48240F54816DF565DB641D374DE408BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01662410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 016624A6
___swprintf_l.LIBCMT ref: 016624E2
___swprintf_l.LIBCMT ref: 0166257D
___swprintf_l.LIBCMT ref: 016625A3
___swprintf_l.LIBCMT ref: 016625C8
___swprintf_l.LIBCMT ref: 01662608

Strings

::%hs%u.%u.%u.%u, xrefs: 0166249E
::ffff:0:%u.%u.%u.%u, xrefs: 016624DA
ffff:, xrefs: 0166247D, 0166249D
:%u.%u.%u.%u, xrefs: 016625FF

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 9e25a3a62c70193c5a2d6c06a9b4659e4e0f6414264e8c202c210e587c1f49c3
Instruction ID: 515656f7fb7d249608880c41108016d635b1666fa42b63928036f811128a54ab
Opcode Fuzzy Hash: 9e25a3a62c70193c5a2d6c06a9b4659e4e0f6414264e8c202c210e587c1f49c3
Instruction Fuzzy Hash: A351F371A00646AFCB31DF9CCCA097FBBFDAB44200B44846DE4D6D7681E774DA408760

Uniqueness

Uniqueness Score: -1.00%

Function 015E7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01624655
CLIENT(ntdll): Processing section info %ws..., xrefs: 01624787
ExecuteOptions, xrefs: 016246A0
Execute=1, xrefs: 01624713
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 016246FC
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01624742
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01624725

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 494a878e7194767db1bc5f52341c1b07cded1e70ba03230ab1ba6f2a3b01a6e2
Instruction ID: bb5e14c218e41985a7bfeeed6603285a21340a681d20b904ca2bc838c91cef44
Opcode Fuzzy Hash: 494a878e7194767db1bc5f52341c1b07cded1e70ba03230ab1ba6f2a3b01a6e2
Instruction Fuzzy Hash: 3C512C31E4021AAAEF15ABA8DC89FAE77E8FF58304F0400DDD605AF190DB709A458F91

Uniqueness

Uniqueness Score: -1.00%

Function 01686940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: 1056873abc38bcde8d8ae39c4e927f580792bb185e34db5311306935a1e9e5f6
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: D2022671508342AFD305EF18C894A6BBBE5FFC8704F148A2DFA855B264DB71E905CB52

Uniqueness

Uniqueness Score: -1.00%

Function 015FB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 015FB6BF

Strings

0, xrefs: 015FB695
0, xrefs: 015FB66F
+, xrefs: 015FB65A
-, xrefs: 015FB650

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 79de276309ee4ee3267b14be682321d6c9488e69a43650a784cb0f68cdabde51
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 1481C170E46249DEEF258E6CC8917FEBBB2BF85360F18461DDA51AF291C7349840CB51

Uniqueness

Uniqueness Score: -1.00%

Function 016620E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0166214F
___swprintf_l.LIBCMT ref: 01662172

Strings

%%%u, xrefs: 01662146
[, xrefs: 0166212B
]:%u, xrefs: 01662169

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: fcc43c8c3f5a0120c3473f765451f569d50d4648e5610d16b4ab6227fcf16841
Instruction ID: 0b6f7fbf3ee88ae2e5e7ace5de679d26288b80357bf42ad809cc606c3e3ac604
Opcode Fuzzy Hash: fcc43c8c3f5a0120c3473f765451f569d50d4648e5610d16b4ab6227fcf16841
Instruction Fuzzy Hash: E42151BAE0011AABDB11DF69DC50AEFBBEDBF54645F44011AEA05E7240E730DA118BA1

Uniqueness

Uniqueness Score: -1.00%

Function 015DF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 016202BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 016202E7
RTL: Re-Waiting, xrefs: 0162031E

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 4ecb7074cc44e09bb52d00f67d2e4dc7683743cb3175cf43efd694234f4fe2ed
Instruction ID: 234d3eeec08242cc3e63da33c1c1ba1ea52ba8100b2278546b99e750bfe29d6a
Opcode Fuzzy Hash: 4ecb7074cc44e09bb52d00f67d2e4dc7683743cb3175cf43efd694234f4fe2ed
Instruction Fuzzy Hash: DEE19C70608B429FD725CF2CC884B6ABBE0BB85314F144A5EF5A6CB2E1D774D846CB42

Uniqueness

Uniqueness Score: -1.00%

Function 015EBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 01627B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01627B7F
RTL: Re-Waiting, xrefs: 01627BAC

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 1c194e47da1e71ec01760a990f5df4d6c765fa5cb48b4f61cdaa2d52bc19c0e1
Instruction ID: b5dd98fc3be62b7ee8decdc90eb168a9a5cb6116cca0b3c7a4734412a6519b1b
Opcode Fuzzy Hash: 1c194e47da1e71ec01760a990f5df4d6c765fa5cb48b4f61cdaa2d52bc19c0e1
Instruction Fuzzy Hash: FB41C231B017029FDB25DE29CC40B6AB7E5FB98712F100A1DEA66DB680DB71E8058B91

Uniqueness

Uniqueness Score: -1.00%

Function 015EB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0162728C

Strings

RTL: Resource at %p, xrefs: 016272A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01627294
RTL: Re-Waiting, xrefs: 016272C1

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 7a774a7f68fd5e30033a487cd5d5787e4884d6b5071b23508899ed7be2930503
Instruction ID: 082478e7f2f5775e4fcad25c80731291b9219b718143a3f1e733df23476f103f
Opcode Fuzzy Hash: 7a774a7f68fd5e30033a487cd5d5787e4884d6b5071b23508899ed7be2930503
Instruction Fuzzy Hash: 34412F31A01627ABCB25CE29CC41F6AB7E6FBA5711F104619F945EB280DB21E8128BD1

Uniqueness

Uniqueness Score: -1.00%

Function 01662300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0166238D
___swprintf_l.LIBCMT ref: 016623B3

Strings

]:%u, xrefs: 016623AA
%%%u, xrefs: 01662384

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 16e8b1748dcc49ae2477efc22fdf226d86c124138e68f42f225df27355b0eb6e
Instruction ID: 8704dbcb56d5c17cea993a10c8709ac7e4ce44577704b0728d1e27b363a25d14
Opcode Fuzzy Hash: 16e8b1748dcc49ae2477efc22fdf226d86c124138e68f42f225df27355b0eb6e
Instruction Fuzzy Hash: 5F316472A002199FDB21DE2DCC50BEFB7FCFB54650F84455EE949E7240EB30AA558BA0

Uniqueness

Uniqueness Score: -1.00%

Function 015F7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 015F7E8B

Strings

-, xrefs: 015F7DDD
+, xrefs: 015F7DE8

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: c2d6fb5763e6656a40312e07d7a9206659b9f5ca873565fe83f752f7c7d0e74c
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: D0917471E002169EEB24DF6DC881ABEBBA5BF88720F54451EEB65EF2C0D73099418751

Uniqueness

Uniqueness Score: -1.00%

Function 015B9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 015B9191
@, xrefs: 015B9175

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 59316161dde27329b05bec0caccab7ffbc4f37731d891414f151715a1a97b7ee
Instruction ID: 69bcafe6fa7b449c731825176badc45028a63fbc7544affb5f43b2f8240ebe69
Opcode Fuzzy Hash: 59316161dde27329b05bec0caccab7ffbc4f37731d891414f151715a1a97b7ee
Instruction Fuzzy Hash: 62811BB1D0026A9BDB31CF54CC55BEEBAB4BF48714F1445DAAA19B7280D7305E84CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0163CEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 0163CFBD

Strings

@4rw@4rw, xrefs: 0163CFD5, 0163CFDA, 0163CFF1
@, xrefs: 0163CF0A

Memory Dump Source

Source File: 00000006.00000002.1422903263.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1580000_Documento de confirmacion de orden de compra OC 1580070060.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4rw@4rw
API String ID: 4062629308-2979693914
Opcode ID: 30d4ba55b21ad907066f99ec055f5d8b352470dfbd915276a0474db095381a89
Instruction ID: 57e68cd5500303230fb3a95895dfa2d2f44efc6ffb0b73860813e34a3605cd5c
Opcode Fuzzy Hash: 30d4ba55b21ad907066f99ec055f5d8b352470dfbd915276a0474db095381a89
Instruction Fuzzy Hash: 9F41577190021A9FDB219FA9CC40AAAFBB9FF95B50F44402EEA15EB354E774D801CB61

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exePID: 3968, Parent PID: 8112COMMON

Non-executed Functions

Function 0E0D2D02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

kern, xrefs: 0E0D2F5A
M, xrefs: 0E0D3082
dll, xrefs: 0E0D2F4C
wini, xrefs: 0E0D2F72
ll, xrefs: 0E0D2F13
32.d, xrefs: 0E0D2F0B
user, xrefs: 0E0D2F03
S, xrefs: 0E0D3073
el32, xrefs: 0E0D2F27
.dll, xrefs: 0E0D2F2F
net., xrefs: 0E0D2F44

Memory Dump Source

Source File: 00000007.00000002.3786842235.000000000E020000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e020000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 833a7c492dbfe219aab8a280501dcbfae4b423a8d601f78102bea088f4eefc84
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: 50E16A74618F488FC7A5EF68C8947EAB7E0FB58300F404A2E959BC7245DF34A945CB89

Uniqueness

Uniqueness Score: -1.00%

Function 0E0D5792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

itUR, xrefs: 0E0D585D
form, xrefs: 0E0D584D
swor, xrefs: 0E0D58EA
d, xrefs: 0E0D58F2
name, xrefs: 0E0D587D
e, xrefs: 0E0D58BD
guid, xrefs: 0E0D57CE
Fiel, xrefs: 0E0D5884
encr, xrefs: 0E0D58D2
dUse, xrefs: 0E0D58AD
ypte, xrefs: 0E0D58DA
dPas, xrefs: 0E0D58E2
ypte, xrefs: 0E0D58A5
encr, xrefs: 0E0D589D
user, xrefs: 0E0D5876
Subm, xrefs: 0E0D5855
rnam, xrefs: 0E0D58B5

Memory Dump Source

Source File: 00000007.00000002.3786842235.000000000E020000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e020000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: 2be5fe59b5128ded193c77fecbfcc65fecf6993966d32e45cfa35490422ab041
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: C9B15B70518B488EDB55EF68C485AEEBBF1FF98300F504A1ED49AC7251EF709909CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0E0D3622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

2, xrefs: 0E0D3674
n, xrefs: 0E0D36C1
d, xrefs: 0E0D36CF
t, xrefs: 0E0D36C8
i, xrefs: 0E0D369E
w, xrefs: 0E0D36B3
l, xrefs: 0E0D36D6
l, xrefs: 0E0D36AC
d, xrefs: 0E0D36A5
e, xrefs: 0E0D366D
u, xrefs: 0E0D3661
d, xrefs: 0E0D367B
c, xrefs: 0E0D3697
s, xrefs: 0E0D3689
l, xrefs: 0E0D3682
p, xrefs: 0E0D3690
n, xrefs: 0E0D36BA

Memory Dump Source

Source File: 00000007.00000002.3786842235.000000000E020000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e020000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: f842e83d07436df1d6b9b0f3ad731ec13e19f4391b8b6bcd2cd8f30b473f26b3
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: BD41B1B0B1CB088FDB18DF88A4456BDBBE2FB48740F00026ED409D3245DBB59D498BD6

Uniqueness

Uniqueness Score: -1.00%

Function 0E0DAAB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

[, xrefs: 0E0DACCD
c, xrefs: 0E0DAC0B
[, xrefs: 0E0DAC2D
n, xrefs: 0E0DAC98
], xrefs: 0E0DAC3D
l, xrefs: 0E0DACE2
b, xrefs: 0E0DAC73
e, xrefs: 0E0DACA0
[, xrefs: 0E0DABF6
[, xrefs: 0E0DAC66
l, xrefs: 0E0DAC35
], xrefs: 0E0DACA8
[, xrefs: 0E0DAC90
D, xrefs: 0E0DACDA

Memory Dump Source

Source File: 00000007.00000002.3786842235.000000000E020000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e020000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: cb39ee25920aa3184ff68a4398604fb200c7d5ccf7a7c7f9b51bb69f4df497b5
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: CDC14970218B099BC758EF64C895AEAF7E5FF94304F404B2E949AC7250DF70A919CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0E0DAF12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

r, xrefs: 0E0DAF98
r, xrefs: 0E0DAF88
., xrefs: 0E0DAF63
r, xrefs: 0E0DAFA8
c, xrefs: 0E0DAFC8
n, xrefs: 0E0DAF6B
r, xrefs: 0E0DAFB8
r, xrefs: 0E0DAF90
r, xrefs: 0E0DAFB0
0, xrefs: 0E0DAF5B
r, xrefs: 0E0DAFA0
r, xrefs: 0E0DAFC0

Memory Dump Source

Source File: 00000007.00000002.3786842235.000000000E020000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e020000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: 278843dd7eb3ef826e06eb807c2972569270a0e8e51b6534c1eec04d0eca9c05
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: 2D51BF3121C7488FD719DF58C8816EAB7E5FB85700F501A2EE8DBC7241DBB4990ACB82

Uniqueness

Uniqueness Score: -1.00%

Function 0E0D42F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

cli., xrefs: 0E0D4327
sspi, xrefs: 0E0D4320
l, xrefs: 0E0D44E2
4.dl, xrefs: 0E0D44DB
dll, xrefs: 0E0D432E
opera_browser.dll, xrefs: 0E0D4629
nspr, xrefs: 0E0D44D4
dragon_s.dll, xrefs: 0E0D4614

Memory Dump Source

Source File: 00000007.00000002.3786842235.000000000E020000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e020000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: 830f8bfa6598da878bad511fee4c149ec1111ff214a675a080ad220c0a05fd3d
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: 64C18C7061CB198FC758EF68D495AEAF3E1FF98300F814729944AC7255DF70AA0ACB85

Uniqueness

Uniqueness Score: -1.00%

Function 0E0D42F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

cli., xrefs: 0E0D4327
sspi, xrefs: 0E0D4320
l, xrefs: 0E0D44E2
4.dl, xrefs: 0E0D44DB
dll, xrefs: 0E0D432E
opera_browser.dll, xrefs: 0E0D4629
nspr, xrefs: 0E0D44D4
dragon_s.dll, xrefs: 0E0D4614

Memory Dump Source

Source File: 00000007.00000002.3786842235.000000000E020000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e020000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: 1537284926da65c8cee72e27dd45e691c62fc6478c07e9fca114d16f755c61c5
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: 5EC18B7061CB198FC758EF68D495AEAF3E1FF98300F814729944AC7255DF70AA0ACB85

Uniqueness

Uniqueness Score: -1.00%

Function 0E0D5CD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

Pass, xrefs: 0E0D5D97
UR, xrefs: 0E0D5D5F
User, xrefs: 0E0D5DAB
2, xrefs: 0E0D5DE1
name, xrefs: 0E0D5DB2
L: , xrefs: 0E0D5D66
word, xrefs: 0E0D5D9E

Memory Dump Source

Source File: 00000007.00000002.3786842235.000000000E020000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e020000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: 5970a9523a0b22310bc144fdb6fcde5bd1938170b01cae12c3142c05e3baab9c
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: C7A1727061C74C8BDB19EFA89444BEEBBE1FF98300F404A2DD48AD7251EF7499498789

Uniqueness

Uniqueness Score: -1.00%

Function 0E0D5CE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

Pass, xrefs: 0E0D5D97
UR, xrefs: 0E0D5D5F
User, xrefs: 0E0D5DAB
2, xrefs: 0E0D5DE1
name, xrefs: 0E0D5DB2
L: , xrefs: 0E0D5D66
word, xrefs: 0E0D5D9E

Memory Dump Source

Source File: 00000007.00000002.3786842235.000000000E020000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e020000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: cc29f0e49899286adcab5b0e901d8f90bab7db439595cc21f404e1cd3df8efd3
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: 26917F7061C74C8BDB19EFA89444BEEBBE1FF98300F40462DD44AD7251EB70994A8B89

Uniqueness

Uniqueness Score: -1.00%

Function 0E0D5352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

n, xrefs: 0E0D53E7
., xrefs: 0E0D53B0
v, xrefs: 0E0D54A0
e, xrefs: 0E0D548E
, xrefs: 0E0D547C

Memory Dump Source

Source File: 00000007.00000002.3786842235.000000000E020000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e020000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: edef9b9e609c605e937ad8bf1fc354f1dc05492217ddbcb1ea461ce867d517e8
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: 587182316187488FD759EFA8C4847EAB7F1FF94304F000A2ED44AC7261EB7199498B85

Uniqueness

Uniqueness Score: -1.00%

Function 0E0D0C32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

shel, xrefs: 0E0D0C90
l32., xrefs: 0E0D0C97
dll, xrefs: 0E0D0C9E
ole3, xrefs: 0E0D0C5D
2.dl, xrefs: 0E0D0C64

Memory Dump Source

Source File: 00000007.00000002.3786842235.000000000E020000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e020000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: 5ea9abe09af5cad6b3313158fcc5dfa44c3ae2922ddbb651e8026fecfbe16468
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: 8E513AB0918B4C8BDB65EFA4C445AEEB7F1FF58300F404A2E949AE7214EF709545CB89

Uniqueness

Uniqueness Score: -1.00%

Function 0E0D186F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

dll, xrefs: 0E0D18F4
ion., xrefs: 0E0D18EC
4, xrefs: 0E0D19E9
\, xrefs: 0E0D19E0
vers, xrefs: 0E0D18E4

Memory Dump Source

Source File: 00000007.00000002.3786842235.000000000E020000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e020000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: 1c23fcde29fd041fca51e2df807163fa3dc523c333f918a8fdd3514453b00bca
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: F641433061DB888BDBA5EF6898557EAB7E4FB94301F50462E985EC7240DF30D9458782

Uniqueness

Uniqueness Score: -1.00%

Function 0E0D34B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

32.d, xrefs: 0E0D34DA
cli., xrefs: 0E0D3515
dll, xrefs: 0E0D351C
sspi, xrefs: 0E0D350E
user, xrefs: 0E0D34D3

Memory Dump Source

Source File: 00000007.00000002.3786842235.000000000E020000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e020000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: d04100bc3554bcaf2bf54663246628b02c7e78754b2e2b0f1b3c4f54b9b5e580
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: 7F417C30A1CF0D8FCB98EF6880957AD77E1FFA8340F50456AA80ED7204DA75C9488B86

Uniqueness

Uniqueness Score: -1.00%

Function 0E0D1432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

.dll, xrefs: 0E0D153F
h, xrefs: 0E0D151F
kern, xrefs: 0E0D152A
el32, xrefs: 0E0D1537

Memory Dump Source

Source File: 00000007.00000002.3786842235.000000000E020000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e020000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: 1b46311471709d0ac9a6a355dff79a0a8607b5716f6a9fa11bacd93146cf7077
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: 50417F7060DB498FD7A9DF2984843AAB7E1FB98340F144B2E949EC3255DF70C949CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0E0D80B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

f fr, xrefs: 0E0D813D
om:, xrefs: 0E0D8146
Snif, xrefs: 0E0D8154
, xrefs: 0E0D8184

Memory Dump Source

Source File: 00000007.00000002.3786842235.000000000E020000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e020000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: ca5a55f608a33b76ab37ecfc2a9b6a5c68453ba90641c5db60fb7febf9ba4eab
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: BA31C37150CB886FD71AEB28C4846EAB7D4FB94300F504D1EE49BD7251EE30A94ECB42

Uniqueness

Uniqueness Score: -1.00%

Function 0E0D80C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

f fr, xrefs: 0E0D813D
om:, xrefs: 0E0D8146
Snif, xrefs: 0E0D8154
, xrefs: 0E0D8184

Memory Dump Source

Source File: 00000007.00000002.3786842235.000000000E020000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e020000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: 60585aa068305408d5760e364b8b17c95f050d8c31fcd5902ae5a821cee9fd91
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: 3831CF7150CB486FD72AEB28C484AEAB7D4FB94300F504D1EE49BD7255EE30E90ACB42

Uniqueness

Uniqueness Score: -1.00%

Function 0E0D3FC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

me_c, xrefs: 0E0D3FEE
chro, xrefs: 0E0D4023
.dll, xrefs: 0E0D3FFE
hild, xrefs: 0E0D3FF6

Memory Dump Source

Source File: 00000007.00000002.3786842235.000000000E020000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e020000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: 779b3c32bf6f93221662213d2df6e74672aa910e32bdcd368e4bdfa7f642c740
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: 31313A7011CB594FCB85EF688494BAAB6E1FF98300F844A6DA44ACB255DF30DD09CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0E0D3FBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

me_c, xrefs: 0E0D3FEE
chro, xrefs: 0E0D4023
.dll, xrefs: 0E0D3FFE
hild, xrefs: 0E0D3FF6

Memory Dump Source

Source File: 00000007.00000002.3786842235.000000000E020000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e020000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: 393772d648927022bc76b2d8d95c117f2144ad92f811bc26e3b248766044827f
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: 7B315C7011CB494FC794EF688494BAAB7E1FF98300F844A2D944ACB255DF30DD09CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0E0D68C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

nt: , xrefs: 0E0D691E
urlmon.dll, xrefs: 0E0D6959
User-Agent: , xrefs: 0E0D6935, 0E0D6948
on.d, xrefs: 0E0D6902

Memory Dump Source

Source File: 00000007.00000002.3786842235.000000000E020000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e020000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 2ba81f41ee3a2084798f6628c1d8aeafe56321e8e340fc35d00d65139d9b8323
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 5631D431614B0C8BCB45EFA8D8847EEBBE0FB58205F40062AD44ED7240DE748A49C789

Uniqueness

Uniqueness Score: -1.00%

Function 0E0D68BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

nt: , xrefs: 0E0D691E
urlmon.dll, xrefs: 0E0D6959
User-Agent: , xrefs: 0E0D6935, 0E0D6948
on.d, xrefs: 0E0D6902

Memory Dump Source

Source File: 00000007.00000002.3786842235.000000000E020000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e020000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 1e84d0e5b40dcd6ea821e9a7e73587f0475d63264defe710ef56a907d6d68c85
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 9521E670618B4C8BCB45EFA8C8847EDBBE4FF58205F40461AD45AD7244DF748A09C789

Uniqueness

Uniqueness Score: -1.00%

Function 0E0D7E94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

., xrefs: 0E0D7F1F
l, xrefs: 0E0D7F26
t, xrefs: 0E0D7EF4
l, xrefs: 0E0D7F03

Memory Dump Source

Source File: 00000007.00000002.3786842235.000000000E020000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e020000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: d630c9f1aabd5d613fc3038249f051302d4f5b52fb0509f57f7335690b743712
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: C4216B70A28B0D9BDB48EFA8D044BEDBBF1FB58314F504A2ED049D3600DB749955CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0E0D7E92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

., xrefs: 0E0D7F1F
l, xrefs: 0E0D7F26
t, xrefs: 0E0D7EF4
l, xrefs: 0E0D7F03

Memory Dump Source

Source File: 00000007.00000002.3786842235.000000000E020000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e020000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: 97c2e43a7ad890c64816071cd8acd224e615f308eeb6bb605ed46bb31f319ba3
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: 3D214B70A28B0D9BDB44EFA8D0447E9BAF1FB58314F504A2ED049D3610DB749955CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0E0D7FF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

auth, xrefs: 0E0D802F
pass, xrefs: 0E0D8022
user, xrefs: 0E0D8015
logi, xrefs: 0E0D803C

Memory Dump Source

Source File: 00000007.00000002.3786842235.000000000E020000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e020000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: 3b427c0bf6bb5698e5d933816a57e254c615508f58c018255f3b0dbbe100adbb
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: D821C030618B0D8BCB45DF9998906EEB7F2EF98344F014A19D40AEB244D7B0D9188BD2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: wlanext.exePID: 7244, Parent PID: 3968COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	2%
Signature Coverage:	0%
Total number of Nodes:	591
Total number of Limit Nodes:	76

Executed Functions

Function 0286A350 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02864BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02864BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0286A39D

Strings

.z`, xrefs: 0286A38D, 0286A398

Memory Dump Source

Source File: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2850000_wlanext.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: ef5a927986e7f261302ba0e7070d3a0a6531313af2e2543617483def70164631
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: AFF0B2B6200208AFCB08CF88DC84EEB77ADAF8C754F158248BA1D97240C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0286A400 Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02864D62,5EB65239,FFFFFFFF,02864A21,?,?,02864D62,?,02864A21,FFFFFFFF,5EB65239,02864D62,?,00000000), ref: 0286A445

Memory Dump Source

Source File: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2850000_wlanext.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 6bf70c7571249b117bd397efcf4a1b6aad2e2ba39539a0be9f0983bd1c3302e9
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 04F0A9B6200108AFCB14DF89DC84DEB77ADAF8C754F158248BA1D97241D630E8118BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0286A52A Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02852D11,00002000,00003000,00000004), ref: 0286A569

Memory Dump Source

Source File: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2850000_wlanext.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 33da857c462814b0e4859ef38ad2c50ccbd1735164ec33851ee6405a57418289
Instruction ID: f60efb04b7047b307be7d996126b4adb8e44af0fbf16d18675aa4e5568751ae4
Opcode Fuzzy Hash: 33da857c462814b0e4859ef38ad2c50ccbd1735164ec33851ee6405a57418289
Instruction Fuzzy Hash: EFF0F8B6204208AFDB19DF98DC91EE777ADAF88354F158558BE1CA7251C630E810CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0286A530 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02852D11,00002000,00003000,00000004), ref: 0286A569

Memory Dump Source

Source File: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2850000_wlanext.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: f8dc39b062514c7faf28944658dac383ee8efdce64f4939254a40ac23d20fa48
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 52F015B6200208AFCB18DF89CC80EAB77ADAF88754F118148BE1CA7241C630F810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0286A480 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02864D40,?,?,02864D40,00000000,FFFFFFFF), ref: 0286A4A5

Memory Dump Source

Source File: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2850000_wlanext.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 1490f43e9468524686889df1a49628d4ddc8e036b29a92bd794b9d78980b4b09
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 0FD012762002146FD714EB98CC45EA7775DEF44754F154455BA1C9B241C570F50086E1

Uniqueness

Uniqueness Score: -1.00%

Function 0286A47C Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02864D40,?,?,02864D40,00000000,FFFFFFFF), ref: 0286A4A5

Memory Dump Source

Source File: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2850000_wlanext.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 594407e538b1f9566720a9a90d53dc7d757fc1ab6a3dc681645b6378f76722ac
Instruction ID: b290169f87b035bd2f10c1666a7b39941415233c8a7708217e3301f3a5eac715
Opcode Fuzzy Hash: 594407e538b1f9566720a9a90d53dc7d757fc1ab6a3dc681645b6378f76722ac
Instruction Fuzzy Hash: 41E0C2762402006FD714EBD8CC49FA77768EF44714F044494BA2C9B241C130E60087D0

Uniqueness

Uniqueness Score: -1.00%

Function 02F42AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F42ADA

Memory Dump Source

Source File: 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true

Associated: 00000009.00000002.3769991663.0000000002FF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.0000000002FFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2ed0000_wlanext.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: af61ca1a2128d9fcc94e0e8e0bb595328249b752bd96a816ca6b4b98c2607c2c
Instruction ID: f49a52728d5c63f7e31ae74b0db35c16d9f2ddb783ef21372b701c731c325bd5
Opcode Fuzzy Hash: af61ca1a2128d9fcc94e0e8e0bb595328249b752bd96a816ca6b4b98c2607c2c
Instruction Fuzzy Hash: A3900435311410130105F55C47045070047C7D53D1355C031F7015550CD731CDF15531

Uniqueness

Uniqueness Score: -1.00%

Function 02F42BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F42BFA

Memory Dump Source

Source File: 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true

Associated: 00000009.00000002.3769991663.0000000002FF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.0000000002FFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2ed0000_wlanext.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 166577f478099251a5e57ef9630a457c1a2298d964fa14abbc180c7f21c11cab
Instruction ID: 1e11049c1e3527c322c951d2adc1bc79b86b64dabd75b231abf3dcd9a57f5953
Opcode Fuzzy Hash: 166577f478099251a5e57ef9630a457c1a2298d964fa14abbc180c7f21c11cab
Instruction Fuzzy Hash: 5890023120141812D1807158840464B000587D1381F95C015B6025654DCA158B997BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02F42BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F42BEA

Memory Dump Source

Source File: 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true

Associated: 00000009.00000002.3769991663.0000000002FF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.0000000002FFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2ed0000_wlanext.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 72068c6cb1241829ce6bebaffc1fa3429a9fb47b1396f9a02d2193543a190998
Instruction ID: 1a07a13214d830485acbb74f61c7e80a7541a723668b6299b9c7802217283471
Opcode Fuzzy Hash: 72068c6cb1241829ce6bebaffc1fa3429a9fb47b1396f9a02d2193543a190998
Instruction Fuzzy Hash: F390023120545852D14071588404A47001587D0385F55C011B6064694D96258E95BA61

Uniqueness

Uniqueness Score: -1.00%

Function 02F42B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F42B6A

Memory Dump Source

Source File: 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true

Associated: 00000009.00000002.3769991663.0000000002FF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.0000000002FFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2ed0000_wlanext.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a47096770060c2df6f69041659c79946115533c01fdafe5a6519e27b83831f44
Instruction ID: 0b55e15561ea84d84ee6540a69cb0eae070d46b24e34c8d540d2dfecfc2c80c1
Opcode Fuzzy Hash: a47096770060c2df6f69041659c79946115533c01fdafe5a6519e27b83831f44
Instruction Fuzzy Hash: E490026120241013410571588414617400A87E0281B55C021F7014590DC52589D16525

Uniqueness

Uniqueness Score: -1.00%

Function 02F42EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F42EAA

Memory Dump Source

Source File: 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true

Associated: 00000009.00000002.3769991663.0000000002FF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.0000000002FFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2ed0000_wlanext.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 88f16039b11050df41645ee8fbedf47a449c659c2b5fa7fd85b6b066cc7093a6
Instruction ID: fdf5e65611347ffe9329cb350a11773c332e214a5216504b36c5dcf315da9e41
Opcode Fuzzy Hash: 88f16039b11050df41645ee8fbedf47a449c659c2b5fa7fd85b6b066cc7093a6
Instruction Fuzzy Hash: 3A90027120141412D14071588404747000587D0381F55C011BB064554E86598ED56A65

Uniqueness

Uniqueness Score: -1.00%

Function 02F42FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F42FEA

Memory Dump Source

Source File: 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true

Associated: 00000009.00000002.3769991663.0000000002FF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.0000000002FFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2ed0000_wlanext.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f32d7f0bef1ab15e42e911a42e5605a7f247f551c62e445d3510573be2cd672b
Instruction ID: e740dfc358f1af50205b1d7432d34257e16f53f8007fe4c5a25ac93f9147e889
Opcode Fuzzy Hash: f32d7f0bef1ab15e42e911a42e5605a7f247f551c62e445d3510573be2cd672b
Instruction Fuzzy Hash: B5900221211C1052D20075688C14B07000587D0383F55C115B6154554CC91589A15921

Uniqueness

Uniqueness Score: -1.00%

Function 02F42F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F42F3A

Memory Dump Source

Source File: 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true

Associated: 00000009.00000002.3769991663.0000000002FF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.0000000002FFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2ed0000_wlanext.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e234307aa1e758e945ca3c0948e8bf4313796ac27ac3d92c22e17f3e853d8781
Instruction ID: e767744e69d40566f8126c284cd2068f4c0b9dcddef133b41acb8dbfba38a65e
Opcode Fuzzy Hash: e234307aa1e758e945ca3c0948e8bf4313796ac27ac3d92c22e17f3e853d8781
Instruction Fuzzy Hash: 2190026134141452D10071588414B070005C7E1381F55C015F7064554D8619CD926526

Uniqueness

Uniqueness Score: -1.00%

Function 02F42CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F42CAA

Memory Dump Source

Source File: 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true

Associated: 00000009.00000002.3769991663.0000000002FF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.0000000002FFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2ed0000_wlanext.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e7820fbaeb883d4286124f395b41eb8817980222e083b012a121cee659650c70
Instruction ID: 9fcab61b5b19aac39ea92ee82017a577bced1a28b93f39a1f1ddd4e458a9bdef
Opcode Fuzzy Hash: e7820fbaeb883d4286124f395b41eb8817980222e083b012a121cee659650c70
Instruction Fuzzy Hash: 8C90023120141412D10075989408647000587E0381F55D011BB024555EC66589D16531

Uniqueness

Uniqueness Score: -1.00%

Function 02F42C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F42C7A

Memory Dump Source

Source File: 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true

Associated: 00000009.00000002.3769991663.0000000002FF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.0000000002FFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2ed0000_wlanext.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dfe1b8a9a4bb845eede17a1483da4c5570d47051655480f6a0e88733b4b6c67a
Instruction ID: 66a7d911011ec062c50531052c6fd4744c0a025ea529159981f04cf8dd251848
Opcode Fuzzy Hash: dfe1b8a9a4bb845eede17a1483da4c5570d47051655480f6a0e88733b4b6c67a
Instruction Fuzzy Hash: 4D90023120149812D1107158C40474B000587D0381F59C411BA424658D869589D17521

Uniqueness

Uniqueness Score: -1.00%

Function 02F42C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F42C6A

Memory Dump Source

Source File: 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true

Associated: 00000009.00000002.3769991663.0000000002FF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.0000000002FFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2ed0000_wlanext.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2125ac7168c131327fdb0af10ce7c1a94247551f31a6468f4cebfb3f648b34e3
Instruction ID: 2620636a46dcf872a2b77633fb600a4c1178286a66310c443cceaf4b418f54a3
Opcode Fuzzy Hash: 2125ac7168c131327fdb0af10ce7c1a94247551f31a6468f4cebfb3f648b34e3
Instruction Fuzzy Hash: EC90023120141852D10071588404B47000587E0381F55C016B6124654D8615C9917921

Uniqueness

Uniqueness Score: -1.00%

Function 02F42DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F42DFA

Memory Dump Source

Source File: 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true

Associated: 00000009.00000002.3769991663.0000000002FF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.0000000002FFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2ed0000_wlanext.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4142cc78df3871395338d562e46220169e1d1e3b68d4b5205ea95688e17a4b5e
Instruction ID: 497d4439cfed9527a5f7e566996b78885c59a76f11f5bbf9530aa396681efd2b
Opcode Fuzzy Hash: 4142cc78df3871395338d562e46220169e1d1e3b68d4b5205ea95688e17a4b5e
Instruction Fuzzy Hash: 4690023120141423D11171588504707000987D02C1F95C412B6424558D96568A92A521

Uniqueness

Uniqueness Score: -1.00%

Function 02F42DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F42DDA

Memory Dump Source

Source File: 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true

Associated: 00000009.00000002.3769991663.0000000002FF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.0000000002FFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2ed0000_wlanext.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 623225b02a13cbbbb7d61c1f55570371639a1d811689e299230ae93c18360c34
Instruction ID: ae9310e16db1cb89075024a3b87be0ac76223a8f1be133c4a29f7ba3c3851955
Opcode Fuzzy Hash: 623225b02a13cbbbb7d61c1f55570371639a1d811689e299230ae93c18360c34
Instruction Fuzzy Hash: 33900221242451625545B1588404507400697E02C1795C012B7414950C85269996DA21

Uniqueness

Uniqueness Score: -1.00%

Function 02F42D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F42D1A

Memory Dump Source

Source File: 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true

Associated: 00000009.00000002.3769991663.0000000002FF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.0000000002FFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2ed0000_wlanext.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ae1a0973e8c4a55ab18848764b8a21b7b61bc2a600cbaf35857aa0fb58d731b7
Instruction ID: 29c4b4844cba301334d740ca9066f13225c4d283b1a1c764ad8528a7d4d9fb04
Opcode Fuzzy Hash: ae1a0973e8c4a55ab18848764b8a21b7b61bc2a600cbaf35857aa0fb58d731b7
Instruction Fuzzy Hash: AF90022921341012D1807158940860B000587D1282F95D415B6015558CC91589A95721

Uniqueness

Uniqueness Score: -1.00%

Function 02F435C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F435CA

Memory Dump Source

Source File: 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true

Associated: 00000009.00000002.3769991663.0000000002FF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.0000000002FFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2ed0000_wlanext.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5e1868d3bd44eccd7f0d6bc7065ce8377aa680bc5fbf7889f06c089c21fff6c0
Instruction ID: a40dd88b888d46757256eb1a4d53b3a5fac1669ec44ee68a8cd1d879f0641f78
Opcode Fuzzy Hash: 5e1868d3bd44eccd7f0d6bc7065ce8377aa680bc5fbf7889f06c089c21fff6c0
Instruction Fuzzy Hash: 2790023160551412D10071588514707100587D0281F65C411B6424568D87958A9169A2

Uniqueness

Uniqueness Score: -1.00%

Function 02869070 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 02869118

Strings

net.dll, xrefs: 028690E1, 02869167, 0286913F, 0286914B, 02869173
wininet.dll, xrefs: 028690CE, 028690D7

Memory Dump Source

Source File: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2850000_wlanext.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: e773f1914aa23e5d8e2c8714fcb6b67dffc9a99888348a415ca37abd419f054d
Instruction ID: c5c62648f98cfc20e1ef4cba824a01af026b094a4488ba065e34f796d2367cbf
Opcode Fuzzy Hash: e773f1914aa23e5d8e2c8714fcb6b67dffc9a99888348a415ca37abd419f054d
Instruction Fuzzy Hash: A13192BA500604BBC724DF68C889F77B7B9BB48704F10851DF62E9B284D734A550CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02869066 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 02869118

Strings

net.dll, xrefs: 028690E1, 0286913F, 0286914B
wininet.dll, xrefs: 028690CE, 028690D7

Memory Dump Source

Source File: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2850000_wlanext.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 3de3377a26850a16a9043ad8ed22ed6b42e5fa6aec472a2515154fdabbefed5d
Instruction ID: 2dcabc335c26a127b5c9050c2804fb52219a6addf2554fe14bb6b6bbd4ed83ec
Opcode Fuzzy Hash: 3de3377a26850a16a9043ad8ed22ed6b42e5fa6aec472a2515154fdabbefed5d
Instruction Fuzzy Hash: E021B4B9900304BBC714DF68C889F77B7B5FB48704F10805DE62DAB285D774A560CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0286A660 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02853AF8), ref: 0286A68D

Strings

.z`, xrefs: 0286A67C, 0286A688

Memory Dump Source

Source File: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2850000_wlanext.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: c048bbce72a80076bfc61598a15ba8fef3102837422024cfdc07973f3b6443d8
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: EFE01AB52002046FD718DF59CC48EA777ADAF88754F014554B91C57241C631E9108AB1

Uniqueness

Uniqueness Score: -1.00%

Function 0286A693 Relevance: 3.1, APIs: 2, Instructions: 71
memoryprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(02864526,?,02864C9F,02864C9F,?,02864526,?,?,?,?,?,00000000,00000000,?), ref: 0286A64D
CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0286A724

Memory Dump Source

Source File: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2850000_wlanext.jbxd

Yara matches

Similarity

API ID: AllocateCreateHeapInternalProcess
String ID:
API String ID: 2739015735-0
Opcode ID: 5b025f88ea3bda87434fa5d71af327bfb2fa51a71bf5852b116d0f3eb41bb745
Instruction ID: b6fb77adc7851b0059a0f3854ecb9e8332d9df76d7b5b214b0bb9fa43a3bc2db
Opcode Fuzzy Hash: 5b025f88ea3bda87434fa5d71af327bfb2fa51a71bf5852b116d0f3eb41bb745
Instruction Fuzzy Hash: A51190BA204248AFCB14DFACDC84DEB77A9EF88354F118649F95C97242D231E915CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0285830A Relevance: 3.1, APIs: 2, Instructions: 62
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0285836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0285838B

Memory Dump Source

Source File: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2850000_wlanext.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 75c0333f4e8811449e778bf86d2944959085ac809e20de6e00b3c094412458cd
Instruction ID: f6179ee8e244ae9e4ec734fae5f30a1093777b25d7922d95804bc92c4375ecb2
Opcode Fuzzy Hash: 75c0333f4e8811449e778bf86d2944959085ac809e20de6e00b3c094412458cd
Instruction Fuzzy Hash: 67016139A4132C37E720A6A89C02FFE775D5F40B64F04031AFF04FA1C0D695690547E2

Uniqueness

Uniqueness Score: -1.00%

Function 02858310 Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0285836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0285838B

Memory Dump Source

Source File: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2850000_wlanext.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 9f6b7254b568deafea19610ad2f149634f201f71034e907c959efec66b5b2edc
Instruction ID: 21bde114085dfd0ac9a7c19813e4ae8ba4caeabd6aa75f52b4acf5269078d5d5
Opcode Fuzzy Hash: 9f6b7254b568deafea19610ad2f149634f201f71034e907c959efec66b5b2edc
Instruction Fuzzy Hash: BD012639A8022877E721A6988C42FFF772C6B00F54F080219FF04FA1C1E6A469064BF6

Uniqueness

Uniqueness Score: -1.00%

Function 0285ACE0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0285AD52

Memory Dump Source

Source File: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2850000_wlanext.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: d56cbe47f04d0646c5d40ba3e834a1352e846f705a60e6df941155f382eebe52
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: A2010CBDE4020DABDB14EAA4DC85FADB3799B54308F108295A90CE7240FA31E7148B92

Uniqueness

Uniqueness Score: -1.00%

Function 0286A6D0 Relevance: 1.5, APIs: 1, Instructions: 42
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0286A724

Memory Dump Source

Source File: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2850000_wlanext.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 88f64a7e36f23177f30e5f756a153a5a535d7aff17d2d5ecd92aa0e774e02596
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 4301AFB6210108AFCB58DF89DC80EEB77ADAF8C754F158258BA0DA7240C630E851CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 028691A0 Relevance: 1.5, APIs: 1, Instructions: 36
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0285F040,?,?,00000000), ref: 028691DC

Memory Dump Source

Source File: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2850000_wlanext.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 99fcb9b7b30df4d86e90b5a4a83c6d9f27f324d9dc8e82fa5e5eb4eedb0108d3
Instruction ID: 26bf2e51ebeb1f355407a0eb1b229b0db244e1b6a33840e03c6a0dcdeb6531de
Opcode Fuzzy Hash: 99fcb9b7b30df4d86e90b5a4a83c6d9f27f324d9dc8e82fa5e5eb4eedb0108d3
Instruction Fuzzy Hash: BAE06D7B3902043AE630659DAC02FA7B39C8B91B21F140026FB0DEB2C1D595F40146A5

Uniqueness

Uniqueness Score: -1.00%

Function 02869193 Relevance: 1.5, APIs: 1, Instructions: 32threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0285F040,?,?,00000000), ref: 028691DC

Memory Dump Source

Source File: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2850000_wlanext.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 1a206c8d9fcdfea0510d65a40b9c2929398dddbd67c1927ca782344703e3b693
Instruction ID: f72d66ccbb28af8f9c7f3527a5542872a019a8fa2c85b1128fbbdf726a10aa22
Opcode Fuzzy Hash: 1a206c8d9fcdfea0510d65a40b9c2929398dddbd67c1927ca782344703e3b693
Instruction Fuzzy Hash: 66F0E57E2443402AE73016A85C06FBB7B988F91B14F280469FA8AEB1C2C594F5018765

Uniqueness

Uniqueness Score: -1.00%

Function 0286A7B1 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0285F1C2,0285F1C2,?,00000000,?,?), ref: 0286A7F0

Memory Dump Source

Source File: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2850000_wlanext.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 146d5d7056201c599327c081de4fb7bf43f31d08d31235cc8598b721e0cb3f52
Instruction ID: c691754cc48fd9697dd996ed87bac73a276ffd43f05a7f3f348390e658e8a6cf
Opcode Fuzzy Hash: 146d5d7056201c599327c081de4fb7bf43f31d08d31235cc8598b721e0cb3f52
Instruction Fuzzy Hash: E3F0E5B9604240AFC710DF54C844DA73BA8EF80304F00456EFC696B642C731D405CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0286A620 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02864526,?,02864C9F,02864C9F,?,02864526,?,?,?,?,?,00000000,00000000,?), ref: 0286A64D

Memory Dump Source

Source File: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2850000_wlanext.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 0b2d787e56f89e82800b1119e80790462b9da60636a2900e40b0106e2f9d3bc9
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: FCE012B6200208AFDB18EF99CC44EA777ADAF88654F118558BA1CAB241C631F9108AB1

Uniqueness

Uniqueness Score: -1.00%

Function 0286A7C0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0285F1C2,0285F1C2,?,00000000,?,?), ref: 0286A7F0

Memory Dump Source

Source File: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2850000_wlanext.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: e4055b62f117380ad478e5a97c4dd76552c04a0e6b5682f899393d9847f93244
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: DFE01AB52002086FDB14DF49CC84EE737ADAF88654F018154BA0C67241C931E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0285F6C0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,02858D14,?), ref: 0285F6EB

Memory Dump Source

Source File: 00000009.00000002.3767745024.0000000002850000.00000040.80000000.00040000.00000000.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2850000_wlanext.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction ID: 01b117b6bf59d8439c50934f6865f8ec0493a5dc9d8e95bf14821132ef25dcb3
Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction Fuzzy Hash: A9D05E6A6503042BEA10BAA89C06F2732C95B55A14F490064FA48D73C3D954E0004565

Uniqueness

Uniqueness Score: -1.00%

Function 02F42C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F42C24

Memory Dump Source

Source File: 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true

Associated: 00000009.00000002.3769991663.0000000002FF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.0000000002FFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2ed0000_wlanext.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 69199c228e4ad1dcab4d33781ec9997b6d358dffe5561134c55ef611fd02f752
Instruction ID: 3db449a7fe245d30e45656ccfa776be4538290e0c23155362c92011c248dc79b
Opcode Fuzzy Hash: 69199c228e4ad1dcab4d33781ec9997b6d358dffe5561134c55ef611fd02f752
Instruction Fuzzy Hash: B3B09B71D015D5D5DA11E7604A087177D0067D0791F15C071F7030641E4778C1D1E575

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02F42890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 02F4293C
___swprintf_l.LIBCMT ref: 02F4295E
___swprintf_l.LIBCMT ref: 02F429A3
___swprintf_l.LIBCMT ref: 02F7A52E

Strings

:%u.%u.%u.%u, xrefs: 02F7A5B8
::ffff:0:%u.%u.%u.%u, xrefs: 02F7A54E
::%hs%u.%u.%u.%u, xrefs: 02F7A527
ffff:, xrefs: 02F7A504

Memory Dump Source

Source File: 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true

Associated: 00000009.00000002.3769991663.0000000002FF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.0000000002FFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2ed0000_wlanext.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 7e169530da7e02d428c553f2f395427423316f825279997f3eb17bf04c155519
Instruction ID: 0b17d1b4238c2a621a37293d40f82ff051fc545129cddd0e113af270adeab87f
Opcode Fuzzy Hash: 7e169530da7e02d428c553f2f395427423316f825279997f3eb17bf04c155519
Instruction Fuzzy Hash: E851D9B6E00156BFDB10DF68889097EFBB8BB08380B50817AFA55D7641DB74DE40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02FB2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 02FB24A6
___swprintf_l.LIBCMT ref: 02FB24E2
___swprintf_l.LIBCMT ref: 02FB257D
___swprintf_l.LIBCMT ref: 02FB25A3
___swprintf_l.LIBCMT ref: 02FB25C8
___swprintf_l.LIBCMT ref: 02FB2608

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 02FB24DA
:%u.%u.%u.%u, xrefs: 02FB25FF
::%hs%u.%u.%u.%u, xrefs: 02FB249E
ffff:, xrefs: 02FB247D, 02FB249D

Memory Dump Source

Source File: 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true

Associated: 00000009.00000002.3769991663.0000000002FF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.0000000002FFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2ed0000_wlanext.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 66c116e4c24271362050492da82994890e55f20a108723da6795fd2474e3360f
Instruction ID: 9f75e1883a86ccf33eaf7b80c369cf0a1b4497e7c19e75eb1c9f51eaba90015a
Opcode Fuzzy Hash: 66c116e4c24271362050492da82994890e55f20a108723da6795fd2474e3360f
Instruction Fuzzy Hash: 35511471A00645AEDB31DE5DCD909BFB7F9AF48380B008459EA96C7781EB74EA00CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02F37630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 02F74742
Execute=1, xrefs: 02F74713
CLIENT(ntdll): Processing section info %ws..., xrefs: 02F74787
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02F74655
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02F74725
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02F746FC
ExecuteOptions, xrefs: 02F746A0

Memory Dump Source

Source File: 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true

Associated: 00000009.00000002.3769991663.0000000002FF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.0000000002FFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2ed0000_wlanext.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: bce142d373458280fa67c2d6e65708ac6c6c85007004336961ea02c39ff4e589
Instruction ID: ef87818242ab16e72fe826337b3495626876b65664944b7c6e74650212c17555
Opcode Fuzzy Hash: bce142d373458280fa67c2d6e65708ac6c6c85007004336961ea02c39ff4e589
Instruction Fuzzy Hash: F35109B1B4021D7AEF11BBA4DC95FADB7B9AF04384F0400A9D705AB190DB709E45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02FD6940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true

Associated: 00000009.00000002.3769991663.0000000002FF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.0000000002FFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2ed0000_wlanext.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: 645250fc57b166e8341dbfce3f79bb754c9976a2af77dfbe0a7d77b82cecb773
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: 8B0229715083419FC305DF18D890A6FBBEAEFC8784F088A2DFA859B254DB71E905CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02F4B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 02F4B6BF

Strings

0, xrefs: 02F4B66F
+, xrefs: 02F4B65A
0, xrefs: 02F4B695
-, xrefs: 02F4B650

Memory Dump Source

Source File: 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true

Associated: 00000009.00000002.3769991663.0000000002FF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.0000000002FFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2ed0000_wlanext.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: ea0505ab4a765b351703ad332dd73a052c82dcfb61ad11877749e3b3ff33b69b
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: FA81B270E052499EDF248F68C891BFEBFB2AF4539CF184159DA51A7292CFB4D841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02FB20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 02FB214F
___swprintf_l.LIBCMT ref: 02FB2172

Strings

%%%u, xrefs: 02FB2146
]:%u, xrefs: 02FB2169
[, xrefs: 02FB212B

Memory Dump Source

Source File: 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true

Associated: 00000009.00000002.3769991663.0000000002FF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.0000000002FFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2ed0000_wlanext.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 09f1e63fabdf71d61c721ab518a776829d74ead5fe8a7396dc13980ac02148db
Instruction ID: a205838a80208f8ff224c118f0899faed55eaba1f6aae5eaf40d9550e70111a5
Opcode Fuzzy Hash: 09f1e63fabdf71d61c721ab518a776829d74ead5fe8a7396dc13980ac02148db
Instruction Fuzzy Hash: DA213376E00119ABEB11DE69DC40AEEBBE9AF58784F440116EE05E3240EB7099028BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02F2F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02F702E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02F702BD
RTL: Re-Waiting, xrefs: 02F7031E

Memory Dump Source

Source File: 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true

Associated: 00000009.00000002.3769991663.0000000002FF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.0000000002FFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2ed0000_wlanext.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 9866bd25b9e1361d76be8914cb698c40871e4a5b12f309827892361dd4bf3032
Instruction ID: 6ef4dac2ec35faebd79a1d30a5578bc2c30634f2d4553856b41cb45172c87e2e
Opcode Fuzzy Hash: 9866bd25b9e1361d76be8914cb698c40871e4a5b12f309827892361dd4bf3032
Instruction Fuzzy Hash: 85E19F31A187419FD724CF28C884B2AB7F1AF45798F140A6EF6958B6E1DB74D848CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02F3BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 02F77B8E
RTL: Re-Waiting, xrefs: 02F77BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 02F77B7F

Memory Dump Source

Source File: 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true

Associated: 00000009.00000002.3769991663.0000000002FF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.0000000002FFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2ed0000_wlanext.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 3b58d98c582416579e1514181e3e6720aa46689c1e0d240361b03aa7401a8979
Instruction ID: f3c94b984e6363f90e4e824f62740757493d1385af949322bac61ad312b39183
Opcode Fuzzy Hash: 3b58d98c582416579e1514181e3e6720aa46689c1e0d240361b03aa7401a8979
Instruction Fuzzy Hash: 2341E2317007029FD721DE29CC50B6AB7E5EF887A5F000A1EEA5ADB680DB70E805CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02F3B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02F7728C

Strings

RTL: Resource at %p, xrefs: 02F772A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 02F77294
RTL: Re-Waiting, xrefs: 02F772C1

Memory Dump Source

Source File: 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true

Associated: 00000009.00000002.3769991663.0000000002FF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.0000000002FFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2ed0000_wlanext.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 6358ec633d1d6101df6303f74ab3752ecf49cc3fc0123a0e7085513748ef478e
Instruction ID: e55f6d968965f1d85bf98f15b5dbf8a7454f031c51923a246f05c5b6bfa733b9
Opcode Fuzzy Hash: 6358ec633d1d6101df6303f74ab3752ecf49cc3fc0123a0e7085513748ef478e
Instruction Fuzzy Hash: 1E41D432B00242ABD711EE25CC41F66B7A5FF547A8F100619FB55EB340DB21E852CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 02FB2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 02FB238D
___swprintf_l.LIBCMT ref: 02FB23B3

Strings

%%%u, xrefs: 02FB2384
]:%u, xrefs: 02FB23AA

Memory Dump Source

Source File: 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true

Associated: 00000009.00000002.3769991663.0000000002FF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.0000000002FFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2ed0000_wlanext.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 051bec4a23f8ced1063b4528abe4c457580ffea6db4404876e7968f57ef96f39
Instruction ID: a180c64f92c88b106c71ca42d4fa928c23e72a504984bcb313ffffacede72f0e
Opcode Fuzzy Hash: 051bec4a23f8ced1063b4528abe4c457580ffea6db4404876e7968f57ef96f39
Instruction Fuzzy Hash: 3C318672A002199FDB61DF29CC40BEEB7B8EF44794F484555EE49E3240EB309A458FA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F47D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 02F47E8B

Strings

-, xrefs: 02F47DDD
+, xrefs: 02F47DE8

Memory Dump Source

Source File: 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true

Associated: 00000009.00000002.3769991663.0000000002FF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.0000000002FFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2ed0000_wlanext.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 8cc6194372cc13100600db34e2ae2fb8c9be194e9ff6c69c62085dac3273849d
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 2C91A471E002169ADB24EE69C8807BEFFB5AF447A4F54471AEA55E72C0EFB09940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02F09126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 02F09175
$, xrefs: 02F09191

Memory Dump Source

Source File: 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true

Associated: 00000009.00000002.3769991663.0000000002FF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.0000000002FFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2ed0000_wlanext.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: c8cb781986eda30777e7e02c668780fdef24173c49484254673e66ed5e8b8b29
Instruction ID: da6803d00e3b80ee7e4800cba99924789e0ab4ce7866e6fbc8f18b18838bd8b5
Opcode Fuzzy Hash: c8cb781986eda30777e7e02c668780fdef24173c49484254673e66ed5e8b8b29
Instruction Fuzzy Hash: DE810E71D012699BDB35DF54CC44BEEB7B9AF08794F0441EAAA19B7280E7705E84CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F8CEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 02F8CFBD

Strings

@, xrefs: 02F8CF0A
@4rw@4rw, xrefs: 02F8CFD5, 02F8CFDA, 02F8CFF1

Memory Dump Source

Source File: 00000009.00000002.3769991663.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true

Associated: 00000009.00000002.3769991663.0000000002FF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.0000000002FFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3769991663.000000000306E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2ed0000_wlanext.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4rw@4rw
API String ID: 4062629308-2979693914
Opcode ID: 6edd83f0d49570c9fc0aa6d7172f45df5d460bc74ef206d2f16a79d0d1390bf4
Instruction ID: 2df79e7107ebbce6241f03bdb5bb9cb8e87c6629c9cfb6047404bcc6b9bafdbb
Opcode Fuzzy Hash: 6edd83f0d49570c9fc0aa6d7172f45df5d460bc74ef206d2f16a79d0d1390bf4
Instruction Fuzzy Hash: A9419071D00258DFDB21AFA5CD40A6EFBB9EF44B84F00456AEB15EB2A4D734D801CB61

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Documento de confirmacion de orden de compra OC 1580070060.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Documento de confirmacion de orden de compra OC 1580070060.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1xkzmlbg.qpv.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cslxg2va.3di.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z3krb0xd.obv.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z5ardnbx.tgh.psm1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
Documento de confirmacion de orden de compra OC 1580070060.exe

Function 04FC476A Relevance: 5.4, Strings: 4, Instructions: 422
COMMON

Function 04FC4778 Relevance: 5.4, Strings: 4, Instructions: 417
COMMON

Function 0108F9E8 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Function 0108F9F8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON